How to Choose an SSL/TLS Certificate: Commercial, Self-Signed, or Let's Encrypt
Introduction
An SSL/TLS certificate is bound to services such as web servers and mail servers to provide data integrity and privacy. The certificate authenticates the origin server's identity, preventing an attacker from impersonating the origin to obtain user data. It works with a key pair: a public key and a private key. A service bound to an SSL/TLS certificate encrypts its exchanges with the public key and decrypts them on the server with the private key, so no intermediary can read them.
Transport Layer Security (TLS) is the successor to Secure Sockets Layer (SSL). In modern environments a reference to an SSL certificate almost always means a TLS certificate, but the term SSL remains the more widely known one.
This article explains the types of SSL certificates and ownership validation methods. It also compares the different ways to obtain an SSL/TLS certificate featuring commercial, Let's Encrypt, and self-signed certificates.
Types of SSL Certificates
There are multiple types of SSL certificates with different levels of coverage. A basic SSL certificate can only secure a single domain name. However, many environments need an SSL certificate that covers more than one domain name, subdomain, or IP address.
The following are the different types of SSL certificates.
- Single Domain Certificate
- Multiple Domain Certificate
- Wildcard Certificate
- IP Address Certificate
The single domain certificates can secure a single Fully Qualified Domain Name (FQDN) and all the pages that belong to it. For example, a single domain certificate issued for example.com can secure example.com and example.com/*.
The multiple domain certificates can secure multiple FQDNs in addition to all the pages that belong to them. Unlike single domain certificates, this certificate can secure more than one domain name. For example, a multiple domain certificate can secure both example.com and example.net using the same certificate.
The wildcard certificates can secure all the subdomains that belong to the same domain name. For example, a wildcard certificate issued for example.com can secure www.example.com, app.example.com, or any other subdomain using the same certificate.
The IP address certificates can secure services that run without a hostname. They are similar to single domain certificates but use an IP address instead of an FQDN.
Different SSL Validation Levels
The Certification Authority (CA) is an entity that verifies the subject of a Certificate Signing Request (CSR) and issues a signed and certified public key for the subject. The subject of a CSR can consist of an IP address, a domain name, or multiple domain names, as mentioned in the previous section. Usually, a self-signed certificate does not have any validation level.
The following are the different SSL validation levels.
- Domain Validation (DV)
- Organization Validation (OV)
- Extended Validation (EV)
The DV level is the lowest level of validation. The Let's Encrypt CA issues only DV certificates. At this level, the CA only validates the ownership of the domain name mentioned in the CSR. The DV level does not cover certificates issued for IP addresses. The CA usually validates the ownership of the domain name by sending an email to the domain administrator, setting up a TXT DNS record, or placing a verification file in the web directory.
The OV level requires a higher level of validation for issuing an SSL certificate when compared to DV certificates. At this level, the CA validates the authenticity of the organization that has requested the certificate signature. The OV certificate offers more user trust and is commonly used by online businesses, government institutions, and more.
The EV level is the highest level of validation. In addition to the organization validation, at the EV level, the CA also validates exclusive rights of the subject, physical existence, legality, and so on. The EV certificates protect an organization's identity and offer the users the highest level of trust. They are commonly used by large organizations, financial services, and more.
Self-signed SSL Certificate
As the name suggests, a self-signed certificate is signed with its own private key and does not require validation from any certification authority. These certificates are commonly used in internal environments for development or testing purposes. Web browsers, by default, treat these certificates as untrusted because they carry no CA signature. You can manually mark these certificates as trusted in the web browser or in the operating system itself.
- Validity: Custom
- Available Types:
  - Single Domain
  - Multiple Domain
  - Wildcard
  - Any IP Address
You can generate a self-signed certificate with the openssl utility, which is available on most operating systems by installing the OpenSSL library. It lets you generate the private and public keys you need to secure any SSL/TLS-enabled service. Refer to the openssl-req Documentation for more information.
Using a self-signed certificate is completely free and best suited for internal environments. You can generate these certificates for any subject mentioned above. Unlike any other certificate, this is the only kind you can bind to private IP addresses. Also, these certificates have no maximum limit on the expiration period.
If you generate multiple self-signed certificates, you can set up a private certificate authority and distribute its root certificate to your users. Once the private CA is trusted, browsers trust every certificate it issues, instead of requiring each certificate to be marked as trusted individually.
Let's Encrypt SSL Certificate
The Let's Encrypt CA (R3) signs these certificates after validating ownership at the DV level. These certificates have a short validity period to limit the damage a compromised service can do. Let's Encrypt offers the Automated Certificate Management Environment (ACME) protocol, which automates the issuance and renewal of SSL certificates. It compensates for the short validity period by renewing the certificate automatically after re-validating ownership at regular intervals.
- Validity: 90 days
- Available Types:
  - Single Domain
  - Multiple Domain
  - Wildcard
You can generate them using the official ACME client, certbot. By default, it validates ownership of the domain name with the HTTP-01 challenge, which requires the website to be publicly accessible. You can use the DNS-01 challenge to issue certificates in a local environment or for any non-web service. Refer to the certbot instructions for more information.
Information: The Let's Encrypt ACME protocol server has rate limits that restrict users from issuing too many SSL certificates. If you want to experiment with the Let's Encrypt SSL certificate, you may switch to the staging ACME server to avoid getting blocked. For more information, refer to the Staging Environment documentation.
The web browsers trust the SSL certificates issued by the Let's Encrypt CA. It offers more credibility than self-signed certificates and does not require the user to mark the certificate as safe. These certificates are best suited for services like personal blogs, small web applications, and more. However, the Let's Encrypt CA does not issue certificates for IP addresses.
You can add up to 100 hostnames in a single certificate or issue a wildcard certificate that secures all the subdomains that belong to the same domain name. The ACME protocol makes the Let's Encrypt certificates a good choice for orchestrated containerized environments like Docker and Kubernetes.
Commercial SSL Certificate
Third-party certification authorities issue these SSL/TLS certificates after validating the subject at the DV, OV, or EV level. All web browsers trust the certificates issued by these third-party CAs, which offer different levels of credibility and protection. However, unlike the certificates mentioned in the previous sections, these certificates are certainly not free to use.
- Validity: 1 year
- Available Types:
  - Single Domain
  - Multiple Domain
  - Wildcard
  - Public IP Address
The issuance process of a commercial SSL certificate is manual. You purchase these certificates from third-party certificate vendors, submit a CSR, select a validation method, and receive the certificate once verification completes. The validity period of these certificates is one year. Most vendors offer multi-year bundles at a discounted price, but you still need to reissue the certificate every year.
The commercial SSL certificates offer additional user trust and brand identity protection by giving the option of higher validation levels such as OV and EV. These certificates are best suited for websites that require brand identity protection and user trust, such as an organization, e-commerce, financial services, and so on. Even at the lowest level, these certificates can secure services running on servers that do not support the ACME protocol that Let's Encrypt uses. You can also request an SSL certificate for an IP address at the OV level or higher. Still, it only supports public IP addresses, unlike self-signed certificates, which can secure private IP addresses.
The price of a commercial SSL certificate starts from $5 and can go up to a few thousand dollars, depending on the type of certificate required and the validation level. Usually, DV level certificates are the cheapest option compared to OV or EV. Higher validation level certificates are more expensive because the certification authority has to put in extra effort to validate the subject's ownership.
Conclusion
You learned the different types of SSL certificates and the various ownership validation methods. You also compared the different ways to obtain an SSL certificate. The choice between the options depends on the application and the use case. While an internal service can use a self-signed SSL certificate and get all the benefits, public services need SSL certificates signed by a certificate authority that most browsers trust in order to ensure user confidence. The additional validation levels offered by commercial SSL providers give more credibility to your service, which may be useful for services prone to distrust and spoofing attacks, such as e-commerce, banking, and so on.