What are the different types of SSL Certificates that you can get if you’re running a website? SSL is one of those small things that everyone with a website needs. But there are multiple types of certs to get and all the permutations can get confusing. This is a cheat sheet to help clarify the different cert types and classes.
Types of Certs:
- Shared domain from a hosting/CDN provider – e.g. domain.wordpress.com or domain.cdnprovider.com. You get a subdomain under the provider's name and the provider's own (usually wildcard) cert covers it. You never hold a cert or private key yourself, and you can't use your own domain.
- SAN certificate – SAN stands for Subject Alternative Name. One cert can list many hostnames, including names under completely different domains. Typically used by a CDN provider to serve multiple customers from a single cert; the trade-off is that every customer's hostname is visible to anyone who inspects that cert.
- Wildcard certs – e.g. *.domain.com – cover every direct subdomain of domain.com. The wildcard stands for exactly one label, so *.domain.com matches www.domain.com but neither domain.com itself (the apex has to be listed separately) nor a.b.domain.com. One private key then protects every subdomain, so a compromise of any host that holds it exposes them all.
- SNI – not really a cert type but a TLS extension (Server Name Indication, RFC 6066). Before SNI a server could only present one cert per IP address, so hosting several domains on one IP meant either separate IPs or one SAN cert listing every name. With SNI the client sends the hostname it wants in the ClientHello, so the server can pick the matching cert even when many domains share an IP. Note that the hostname travels unencrypted in the ClientHello, so it is visible to anyone on the path.
- DV – domain validation – the weakest level of identity assurance. The CA only checks that the applicant controls the domain (a DNS record, a file served over HTTP, or an email to a domain contact) and records nothing about who the owner is. Anyone who controls the DNS or the web root, legitimately or through a hijack, can obtain one. The TLS encryption itself is exactly as strong as with OV or EV.
- OV – organization validation – an upgrade from DV: the CA additionally checks that the organization legally exists against government business registries and puts the organization name in the cert's subject.
- EV – extended validation – the CA/Browser Forum has ratified a longer vetting process (the EV Guidelines) that businesses have to go through before the cert is issued. This gives the strongest assurance of who is behind the site, but not a more secure connection: the cryptography is the same as DV, and modern browsers no longer show the green bar or organization name for EV certs, so the visible benefit to users is small.
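The SAN and wildcard rules above decide whether a browser accepts a cert for a given hostname. The following is an added example, not code from the original post: it applies the matching rules browsers use (RFC 6125 / RFC 9525) to a constructed stand-in for a CDN's shared SAN cert. All hostnames in it are made up.

```python
"""
Added example (not from the original post): how a client decides whether a
certificate is valid for a hostname, using the matching rules browsers
apply (RFC 6125 / RFC 9525). CDN_CERT is a constructed stand-in for a CDN's
shared SAN certificate; every name in it is made up.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject_cn: str
    sans: list[str] = field(default_factory=list)   # dNSName entries only


# Constructed example: one SAN cert a CDN might use for several customers,
# plus a wildcard for the CDN's own shared hostnames.
CDN_CERT = Cert(
    subject_cn="edge.cdnprovider.example",
    sans=["customer-a.example", "www.customer-a.example",
          "customer-b.example", "*.cdnprovider.example"],
)


def _labels(name: str) -> list[str]:
    """Lower-case DNS labels; a trailing dot is ignored."""
    return name.rstrip(".").lower().split(".")


def pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.domain.com" matches
        # neither "domain.com" (the apex) nor "a.b.domain.com".
        return False
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard, and browsers refuse
        # wildcards that would cover a whole TLD such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False   # partial wildcards like "w*.domain.com" are not honoured
    return p == h


def cert_matches(cert: Cert, hostname: str) -> bool:
    """True if any SAN matches. The subject CN is a legacy fallback that
    current browsers ignore; here it is only consulted when there are no SANs."""
    names = cert.sans or [cert.subject_cn]
    return any(pattern_matches(n, hostname) for n in names)


def names_exposed(cert: Cert) -> list[str]:
    """Every customer name in a shared SAN cert is visible to anyone who
    connects; worth knowing before sharing a cert with other tenants."""
    return sorted(n for n in cert.sans if not n.startswith("*."))


if __name__ == "__main__":
    for host in ("www.customer-a.example", "customer-c.example",
                 "img.cdnprovider.example", "cdnprovider.example",
                 "a.b.cdnprovider.example"):
        print(f"{host:28} -> {cert_matches(CDN_CERT, host)}")
    print("names exposed by the shared cert:", names_exposed(CDN_CERT))
```

Running it shows the two wildcard pitfalls directly: img.cdnprovider.example is accepted, while cdnprovider.example and a.b.cdnprovider.example are rejected even though the cert carries *.cdnprovider.example.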
Cipher Suites:
- A cipher suite is the named set of algorithms that secures a TLS connection, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
- In TLS 1.2 and earlier each cipher suite names at least the following algorithms:
- key exchange – how the two sides agree on the session keys in the TLS handshake (ECDHE and DHE give forward secrecy; static RSA key exchange does not, and it is gone in TLS 1.3), plus the signature algorithm used to authenticate the server (RSA or ECDSA)
- bulk encryption – the symmetric cipher that actually encrypts the application data (e.g. AES-128-GCM, ChaCha20-Poly1305)
- message authentication (MAC) – proves each record came from the peer and wasn't tampered with; with AEAD ciphers such as GCM this is built into the bulk cipher and the trailing SHA256/SHA384 only names the hash used for key derivation
- TLS 1.3 cipher suite names (e.g. TLS_AES_128_GCM_SHA256) only name the AEAD cipher and hash; key exchange and signature algorithms are negotiated through separate handshake extensions.
- When a TLS connection starts, a TLS handshake runs between client and server to agree on what to use: the client lists the cipher suites it supports in its ClientHello, and the server picks one in its ServerHello. A server should prefer its own ordering rather than the client's, so a client offering weak suites cannot talk it down.
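Both the SNI hostname and the offered cipher suites travel in the ClientHello. The following is an added example, not code from the original post: it builds a ClientHello from constructed values, parses the SNI and supported_versions extensions and the cipher suite list back out, and breaks the suite names into the key exchange / authentication / bulk cipher / MAC components described above. The name table is a small subset of the IANA registry, and `weaknesses` encodes my own rules of thumb for flagging legacy suites.

```python
"""
Added example (not from the original post): a minimal TLS ClientHello
builder/parser that exposes where the SNI hostname and the offered cipher
suites sit in the handshake, plus a decomposition of cipher suite names.
Only the fields needed here are handled; the sample message is constructed
inline, not captured traffic.
"""
from __future__ import annotations
import os
import struct

# IANA code points -> suite names (small subset of the registry).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                  # TLS 1.3
    0x1302: "TLS_AES_256_GCM_SHA384",                  # TLS 1.3
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",            # TLS 1.3
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}


def build_client_hello(sni: str, suites: list[int], versions: list[int]) -> bytes:
    """Constructed ClientHello (RFC 8446 section 4.1.2) inside a TLS record."""
    body = struct.pack("!H", 0x0303) + os.urandom(32) + b"\x00"   # legacy_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                              # compression_methods: null only
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 = host_name
    sni_ext = struct.pack("!HHH", 0x0000, len(entry) + 2, len(entry)) + entry
    vers = b"".join(struct.pack("!H", v) for v in versions)
    ver_ext = struct.pack("!HH", 0x002B, len(vers) + 1) + bytes([len(vers)]) + vers
    exts = sni_ext + ver_ext
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record type 22 = handshake


def parse_client_hello(record: bytes) -> dict:
    """Return the offered cipher suites, the SNI hostname and supported versions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression_methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    info = {"cipher_suites": suites, "sni": None, "supported_versions": []}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == 0x0000:                        # server_name: the SNI extension
            p = 2                                  # skip ServerNameList length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0 and info["sni"] is None:
                    info["sni"] = data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        elif etype == 0x002B:                      # supported_versions
            n = data[0]
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + n, 2)]
    return info


def split_suite(name: str) -> dict:
    """Break an IANA suite name into its component algorithms."""
    if "_WITH_" in name:                           # TLS 1.2 and earlier
        kex_auth, rest = name[len("TLS_"):].split("_WITH_")
        parts = kex_auth.split("_")
        kex, auth = parts[0], parts[-1]            # plain "RSA": RSA key transport + RSA auth
    else:                                          # TLS 1.3: AEAD + hash only; key exchange and
        kex = auth = None                          # signature come from separate extensions
        rest = name[len("TLS_"):]
    bulk, _, mac = rest.rpartition("_")
    return {"kex": kex, "auth": auth, "bulk": bulk, "mac": mac}


def weaknesses(name: str) -> list[str]:
    """Rules of thumb (my own) for flagging legacy suites."""
    c = split_suite(name)
    issues = []
    for weak in ("RC4", "3DES", "NULL", "EXPORT", "DES"):
        if weak in c["bulk"]:
            issues.append("weak or broken bulk cipher: " + c["bulk"])
            break
    if c["mac"] in ("MD5", "SHA"):
        issues.append("legacy HMAC-MD5/HMAC-SHA1 MAC: " + c["mac"])
    if c["kex"] is not None and not c["kex"].endswith("DHE"):
        issues.append("no forward secrecy (static " + c["kex"] + " key exchange)")
    return issues


def offered_suites(record: bytes) -> list[str]:
    """Names of the suites a ClientHello offers, unknown ones as hex."""
    return [SUITE_NAMES.get(s, f"0x{s:04X}") for s in parse_client_hello(record)["cipher_suites"]]


if __name__ == "__main__":
    hello = build_client_hello("shop.example", [0x1301, 0xC02F, 0x002F, 0x0005], [0x0304, 0x0303])
    print(parse_client_hello(hello))
    for suite in offered_suites(hello):
        print(suite, split_suite(suite), weaknesses(suite))
```

The parser deliberately stops at the ClientHello: it is enough to see that a passive observer on the path learns the hostname from the SNI extension before any encryption starts, and that the server's choice, not the client's list, is what determines which suite protects the session.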
SSL / TLS 1.2 / TLS 1.3
- SSL 2.0 and 3.0 are the old protocols the name comes from; both are formally deprecated (RFC 6176, RFC 7568) and must be disabled. TLS 1.0 and 1.1 are deprecated too (RFC 8996).
- TLS 1.2 (RFC 5246) is the current baseline. A full handshake costs 2 round trips before application data can flow. It still allows legacy choices such as static RSA key exchange and CBC suites, so the cipher suite list has to be curated.
- TLS 1.3 (RFC 8446) is the newest. The full handshake takes 1 round trip (one RTT less than 1.2), and an optional 0-RTT mode lets a resumed session send data immediately, at the cost of that early data being replayable. It also drops the legacy options: only AEAD suites, only (EC)DHE key exchange, so every connection has forward secrecy.