What are the different types of SSL Certificates that you can get if you’re running a website?  SSL is one of those small things that everyone with a website needs.  But there are multiple types of certs to get and all the permutations can get confusing.  This is a cheat sheet to help clarify the different cert types and classes.

Types of Certs:

• Shared domain from a hosting/CDN provider – i.e. domain.wordpress.com, or domain.cdnprovider.com
• SAN certificate –  SAN stands for shared alternative name. Where a cert can have multiple domain names.  Typically used by a CDN provider who can provide use a single cert for multiple customers.
• Wildcard Certs – i.e. *.domain.com – used to cover a domain and all subdomains
• SNI certs – similar to SAN certificates, however instead of requiring separate IP addresses for each domain, and requiring a shared cert to include all the different domain names, SNI includes an additional request into the TLS handshake protocol which allows web browsers that support it to be verify a cert even if each domain is hosted on the same IP.

Validation Methods

• DV – domain validation – the worst type of validation, check with domain registrar which is easily hacked.
• OV – organization validation – this is an upgrade from DV, as there is a government business registration check.
• EV – extended validation – the Certificate Authority / Browser forum has ratified a long process that businesses have to go through to get their certificates validated.  This is the most secure type of cert.

Cipher Suites

• A cipher suite is a set of algorithms that secure a TLS connection.
• Each cipher suite is comprised of the following algorithms at least:
• • key exchange – to exchange keys in a TLS handshake
• • bulk encryption – to actually encrypt the main data being sent
• • message authentication (MAC) – authenticates message came from correct sender and wasn’t tampered with
• When a TLS connection is started, a TLS Handshake occurs between the sender and receiver to coordinate what cipher suites to use

SSL / TLS 1.2 / TLS 1.3

• SSL was old
• TLS 1.2 is newer (2 RTT handshake)
• TLS 1.3 is newest! (removes 1 RTT from handshake)