How to choose the right SSL/TLS certificate?

by Sidick Allaladé on 7/01/2020

Updated 21/09/2021

In this article I will use the more accurate term SSL/TLS rather than just saying SSL. You can find out more about the difference between the two in my article 'Why you should have an SSL certificate on all your web projects?', where I give an in-depth explanation.

So let's start by explaining certification authorities, or CAs for short. Certification authorities are entities that issue digital certificates. They certify ownership of a public key. Remember, this is what an SSL certificate does: it certifies ownership of a public key.

The most important part is that we tell the CA which URL we are going to use, and then we give them a public key. Sometimes we will also have to pay a fee.

They will then validate that this public key and this information match and look correct, and they will return a certificate certifying ownership of that public key. It's a bit like notarizing an identity.

In the real world, you can go to a notary or a sworn official and ask them to legalize or certify a document that you sign. You bring your identification document with you so that they can see who you are, and they guarantee that they personally saw you sign the document.

It's pretty much the same process here. The idea is to have a trusted third party who will vouch for that public key. Browsers either keep their own list of certificate authorities or borrow one from the operating system. They trust those CAs, and since a CA has certified that a particular URL has a particular public key, browsers know that they can trust that public key.

What has been certified is that a public key belongs to a particular URL. That's it!

It says nothing about the entity behind that URL. We don't know if they're good people or bad people. We don't know if their business is going well or if they are about to go out of business. All we know is that this public key is a legitimate key for this URL.

Most of them charge a fee for their services, in the same way that a notary may charge a small fee to authenticate a document for you. But there is a non-profit project called Let's Encrypt that provides you with free certificates.

Here are the different types of certificates:

1- Self-signed certificates

Self-signed certificates are certificates that have not been signed by a certificate authority, but by you. They are vouched for by you, not by a CA. This still allows you to perform encryption with them, because they still have a public key attached. What they lack is the trust of a third party: there is no external organization on the Internet vouching for the fact that that public key belongs to that entity.

So if you try to visit a website that uses a self-signed certificate, the browser will display a security alert because it doesn't trust it.

For a public website that's certainly not what you want.

But why would you want to use a certificate that is not trusted by a third party?

They are especially useful when you have two systems that want to communicate with each other and already trust each other. 

2- Single domain certificates

This is a certificate in which the public key is certified as belonging to a single website, for example: it is therefore certified only for and

But suppose you want to have or ; this will not be possible, and you will need what is called a Wildcard certificate.

3- Wildcard certificate

It's exactly the same as a single domain certificate; the only difference is that it allows you to use it on multiple subdomains.

4- Multi-domain certificate

Again, it is the same type of certificate, except that it can be used for multiple domains. It can be used for, and . There is a variation on this, the UCC or SAN certificate. These are similar to multi-domain certificates, but they are mainly used for Microsoft Exchange and Office communication environments.
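To make the three categories above concrete, here is an added example (not code from the article) that checks whether a certificate's list of DNS names covers a given hostname, applying the wildcard rules browsers use, and classifies the list as single-domain, wildcard or multi-domain. All certificate names and hostnames in it are constructed.

```python
# Added example: does a certificate's subjectAltName DNS list cover a hostname?
# Implements the wildcard rules browsers apply (one wildcard, leftmost label
# only, matching exactly one label). Names used in the tests are constructed.
from __future__ import annotations


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # single-domain case: exact match
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard ("*.example.com"), and a
    # wildcard over a bare TLD such as "*.com" is rejected.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # A wildcard covers exactly one label: "*.example.com" matches
    # "shop.example.com" but neither "example.com" nor "a.b.example.com".
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def covers(cert_dns_names: list[str], hostname: str) -> bool:
    """True if any DNS name in the certificate covers the hostname."""
    return any(_name_matches(name, hostname) for name in cert_dns_names)


def certificate_kind(cert_dns_names: list[str]) -> str:
    """Classify a SAN list into the article's categories."""
    if any(name.startswith("*.") for name in cert_dns_names):
        return "wildcard"
    # Simplification (assumption): "www.x" and "x" count as the same site.
    # A production tool would use the Public Suffix List instead.
    bases = {name.lower().removeprefix("www.") for name in cert_dns_names}
    return "single-domain" if len(bases) == 1 else "multi-domain"
```

Run `covers(["*.example.com"], "example.com")` to see the common surprise that a wildcard does not cover the bare domain, which is why wildcard certificates are usually issued with the apex name as an extra SAN entry.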

There are also differences in the level of validation, and these have an impact on prices. This is understandable, because what differs is the effort the certification authority makes to validate the ownership of that public key. Simply put, it costs more money to do more work to validate that an owner is who they say they are.

Here are the different types of validations:

Domain validation

It is the most common. It only certifies that the public key and the domain name of the website are linked. Usually the CA does this by sending an automatic email to the website owner registered in the WHOIS database. The CA sends it to whoever claims to be the owner of that website, and if that person can receive the email and respond to it, that is sufficient proof of ownership. Another option is for the CA to ask you to put a data file, usually a .txt file, on the website: if you own the website, you should be able to place the file there, and the CA can then see it publicly.
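The file-based check described above, as an added example that is not part of the article: the CA chooses an unguessable file name and content only after the request is made, the site owner publishes it, and the CA fetches and compares it. The website is modelled as an in-memory dict standing in for a real web server, and the challenge directory path is an assumption.

```python
# Added example: simplified model of domain validation by placing a file on
# the website. The "site" dict stands in for a web server; the path is assumed.
import hmac
import secrets

CHALLENGE_DIR = "/.well-known/pki-validation/"   # assumed path, illustrative only


def issue_challenge() -> tuple[str, str]:
    """CA side: choose a random file name and random expected content.
    Randomness is what makes the proof meaningful: nobody can place the
    right file in advance, so only whoever controls the site can pass."""
    filename = secrets.token_hex(8) + ".txt"
    expected = secrets.token_urlsafe(32)
    return filename, expected


def publish(site: dict[str, str], filename: str, content: str) -> None:
    """Site-owner side: put the file where the CA will look for it."""
    site[CHALLENGE_DIR + filename] = content


def validate(site: dict[str, str], filename: str, expected: str) -> bool:
    """CA side: fetch the file and compare its content in constant time."""
    body = site.get(CHALLENGE_DIR + filename)
    if body is None:
        return False                          # file missing: ownership not proven
    return hmac.compare_digest(body.strip(), expected)


def run_domain_validation(site: dict[str, str], owner_publishes: bool = True) -> bool:
    """Full round trip: CA issues challenge, owner (maybe) publishes, CA checks."""
    filename, expected = issue_challenge()
    if owner_publishes:
        publish(site, filename, expected)
    return validate(site, filename, expected)
```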

Organization validation

As you can imagine, this includes everything included in domain validation, but in addition it also confirms the authenticity of the organization by checking company databases for articles of incorporation and confirming the physical address of the company.

Extended validation

Extended validation does the same type of validation as organization validation, but the CA takes an extra step to validate the organization.

The CA physically contacts the company or organization by dialling its phone number. All it does is verify that someone answers the phone at that location and confirms that the company is who it says it is. One of the advantages of extended validation, however, is that many browsers display it differently when you go to a site that has it. They put a nice big green bar at the top, and they might even show the company name instead of the URL. This can make the site appear much more trustworthy to visitors.

So which one should you choose?

Everyone preaches for their own parish. So in general the certification authorities want to sell you the most expensive option they have, often far more than you need.

If your goal is to encrypt your communications or to stop browsers from complaining to your users, simply choose domain validation. If your goal is to reassure your customers as much as possible, then choose extended validation, or choose the middle ground, which is organization validation.

More validation always adds to your customers' confidence. On the other hand, if the extra cost of more validation makes you hesitate, then you probably don't need it.

If you need help with your web security needs contact us here and our experts will be happy to help you.

Having problems with the security certificates on your website? Contact the experts at our web development agency. We run the best custom web development agency in Montreal.

Frequently Asked Questions

The way the public most often defines an SSL certificate is that it is the thing that triggers the little padlock or perhaps green bar at the top of their web browser. This indicates that the web page is using the HTTPS protocol for secure communication.

TLS, or Transport Layer Security, is considered a superior and much more widespread version of SSL. TLS is a digital certificate.

Saying SSL is a bit of a misnomer, because what people are really talking about is TLS. TLS has now been around for five times as long as SSL; nobody really uses SSL to communicate anymore, they use TLS, but we still call them SSL certificates.

Certificate authorities are entities that issue digital certificates. They certify ownership of a public key with an SSL certificate. Most importantly, we are going to tell the CA what URL we are going to use, and then we are going to give them a public key. And sometimes we will have to pay a fee as well. They will then validate that this public key and this information matches and is correct and they will give us a certificate certifying ownership of that public key. It is kind of like notarizing an identity.

Sidick Allaladé

Sidick Allaladé is Chief Technology Officer at Oshara INC and co-founder of the Osortoo web application. He loves solving complex IT problems, coding and everything IT. He has a good knowledge of online marketing and IT governance, audit and security.
His experience spans hundreds of projects with companies of all sizes which makes him a valuable asset on any team.
