So you need a certificate so you can offer SSL encryption. But which one should you get? There are so many choices out there!
Here is a generic overview of the main types of SSL certificates sold by the majority of commercial Certification Authorities (CAs). Note that vendors may use slightly different names based on their marketing.
- Standard SSL
Your "no-frills" cert, valid for one name. This is fine for most folks: it gets you the padlock in the browser, gives you SSL encryption, and validates your server's identity.
- EV SSL (Extended Validation)
This is similar to a Standard SSL cert, except that the validation process is a little more involved, allowing the CA to assert more confidence in your identity. The main benefit is that EV certs turn the address bar green in most modern browsers (IE7+, FF3, etc.). The encryption is exactly the same as standard; EV just makes it easier for the customer to be confident in your identity, which helps prevent phishing.
- UCC (Unified Communications Certificate) - multi-domain SSL or SAN SSL (Subject Alternative Name)
This is a Standard SSL cert (unless specified to be EV SSL) that allows multiple names in the same cert. It is popular for Exchange certs, but can be used in any environment. For example, you can have www.domain1.com, www2.domain2.net and server1 all be valid in the same cert. Some vendors do not allow internal names or private IP addresses (e.g. 10.x.x.x or 192.168.x.x); others do.
- Wildcard SSL
This is valid for *.domain.com. Note that the wildcard only covers one level of names: it matches www.domain.com, but not anything under *.sub.domain.com, and you would need a different wildcard cert for that. Again, these are normally Standard SSL certs unless specified as EV.
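To make the UCC and wildcard rules above concrete, here is an added example (not code from the original post) that decides whether a hostname is covered by the names a certificate carries. The SAN list and hostnames are constructed sample values; the matching rules are the ones described above (a wildcard stands in for exactly one label and never the base domain), plus the common browser rule that a wildcard must have at least two labels to its right, which is an assumption this example adds.

```python
"""
Hostname coverage check for SAN (UCC) and wildcard certificate names.

Added example, not part of the original post. Given the names a certificate
carries (its Subject Alternative Names), decide whether the hostname a client
connects to is covered.
"""
from typing import Iterable


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot (absolute FQDN form).
    return name.strip().lower().rstrip(".")


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a single certificate name covers hostname.

    Rules (mirroring the post, plus one common browser restriction):
    - plain names must match exactly (case-insensitively);
    - a wildcard is honoured only as the entire left-most label ("*.domain.com");
      a partial wildcard such as "w*.domain.com" is treated as a literal name;
    - the wildcard substitutes exactly one label, so "*.domain.com" covers
      "www.domain.com" but not "a.b.domain.com" and not "domain.com" itself;
    - assumption: the part after "*." must itself contain a dot, so "*.com"
      is rejected (browsers refuse wildcards that cover a whole top-level domain).
    """
    cert_name = _normalize(cert_name)
    hostname = _normalize(hostname)
    if not cert_name or not hostname:
        return False
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[2:]            # "domain.com" for "*.domain.com"
    if "*" in suffix or "." not in suffix:
        return False                  # no second wildcard, no "*.com"
    head, sep, rest = hostname.partition(".")
    # Exactly one label may stand in for the "*", and the remainder must be the suffix.
    return bool(sep) and head != "" and "*" not in head and rest == suffix


def hostname_covered(san_names: Iterable[str], hostname: str) -> bool:
    """True if any name in the certificate's SAN list covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


# Constructed sample SAN list: the UCC names from the post plus one wildcard.
SAMPLE_SAN = ["www.domain1.com", "www2.domain2.net", "server1", "*.domain.com"]

if __name__ == "__main__":
    for host in ["www.domain1.com", "server1", "app.domain.com",
                 "a.b.domain.com", "domain.com", "www.domain2.net"]:
        print(f"{host:20} -> {hostname_covered(SAMPLE_SAN, host)}")
```

Running it shows that www.domain2.net is not covered even though www2.domain2.net is, and that a.b.domain.com falls outside *.domain.com, which is exactly why a second wildcard or an explicit SAN entry is needed for deeper names.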
- Step-up SSL
This is a "step-up" cert that lets you increase the SSL encryption strength for clients that don't support your server's level of encryption. At the beginning of the decade this was used for servers that supported 128 bit while clients were stuck at lower levels like 56 bit. Now it is coming back as some newer web servers support 256 bit encryption: if the client also supports 256 bit, it will use that with a normal SSL cert, but if it does not, the step-up cert upgrades the client for that connection to 256 bit instead of 128. If neither end supports 256 bit, it does no good.
- 2048-bit SSL
This is just a normal cert of any of the above types. It means you can use a 2048 bit key for your private key because the vendor's CA is at 2048 bit or higher. Most vendors are at 2048 bit now, although a small number still only offer 1024 bit certs. 1024 bit is still okay, but you should migrate away from it within the next year or two.
- Suggested vendor: