As your organization grows and handles more complex data, the time will eventually come to add an SSL certificate. But what type of certificate do you need? A few years back, my colleague, Tom Bennett, wrote a great blog titled "Why Do I Need an SSL Certificate?" which describes what a certificate is, how it works and the different levels of validation. Questions I still get on a regular basis, however, revolve around the different certificate options. Let me take a few moments to walk through the different options and what each option includes.
Single Domain Certificate
When purchasing from a certificate provider, you will undoubtedly be presented with a variety of options at differing costs. The most generic of certificates is a basic single-domain certificate. This is the certificate most people think of when buying a new SSL certificate. It covers a single domain/URL and typically its primary zone. For example, if you bought a certificate for www.mydomain.com, it would cover that domain as well as mydomain.com (note: no www). For the majority of sites on the web, this is more than sufficient. But what if you purchased several other domains and want to redirect them to your main site? Or what if you have subdomains (media.mydomain.com)? That's when the other two main offerings become not only useful, but cost effective as well.
Wildcard Certificate
Many of our clients have more than just a website that needs SSL protection. They might have a mail server, a VPN or other servers/platforms that share the same primary domain name. If we use a mail server as an example, most organizations will have their main website located at www.mydomain.com. They will then give their mail server the address mail.mydomain.com, as well as possibly different addresses for inbound/outbound traffic via smtp.mydomain.com, imap.mydomain.com, etc. If you were to buy single-domain certificates, you would need one to cover each of these unique addresses.
Large organizations may have hundreds (or more) of different subdomains they work with, and many of those require SSL encryption. These can all be handled by a single Wildcard certificate. When purchasing this type of certificate, the provider will ask for the primary "zone" or domain you are looking to secure (i.e. mydomain.com). The certificate provided to you will have an asterisk in front of it (i.e. *.mydomain.com), which means it is valid for all subdomains directly under mydomain.com. One caveat: the asterisk matches exactly one label, so *.mydomain.com covers mail.mydomain.com but not a.b.mydomain.com, and not the bare mydomain.com unless the provider lists it on the certificate as well. Not only does it make maintaining your certificate easier (one certificate to renew vs 100), it also becomes cost effective after just a few single-domain certificates would otherwise have to be purchased.
Subject Alternative Name (SAN) Certificates
A less common type of certificate, but an equally useful one, is known as a SAN certificate. This allows an organization to cover completely different domain names under a single certificate.
For example, let's say you purchased mydomain.net and mysite.com and want them to redirect to mydomain.com. If a user were to type in https://mysite.com, they would be presented with an SSL warning because the single-domain certificate you are using only covers mydomain.com. You could purchase individual certificates if there is only one other domain at work, but in most cases, clients will have many more than that. This is a perfect example of where a SAN certificate becomes useful.
When purchasing this type of certificate, you will be asked for each of the specific domain names you wish to cover (i.e. mydomain.com, www.mydomain.com, mysite.com, etc.). Note that each name must be listed explicitly (the non-www form as well) in order to be covered by the certificate. Most SAN certificates come with 5 domain names (also known as Fully Qualified Domain Names [FQDNs]). You would then have the option of purchasing additional names either individually or in blocks (depending on the provider). While the initial cost can seem a little steep, these can be major cost savers for organizations with a long list of domain names. It also gives the team maintaining the certificate and website a single certificate to renew, rather than dozens to complete on different expiration dates.
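To make the coverage rules of the three certificate types concrete, here is an added example (not code from the original post) of the hostname-matching logic a browser applies to the names listed on a certificate. The name lists are constructed to mirror the single-domain, wildcard and SAN certificates described above; the matching rules follow RFC 6125 (case-insensitive, wildcard only as the whole left-most label, one label only).

```python
# Added example: does a certificate's list of names cover the host a user typed?
# The certificate name lists below are constructed for illustration.

def name_matches(cert_name, hostname):
    """True if one certificate name (possibly a wildcard) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree:
    # *.mydomain.com covers mail.mydomain.com but not mydomain.com or a.b.mydomain.com.
    if len(cert_labels) != len(host_labels) or len(cert_labels) < 2:
        return False
    first, rest = cert_labels[0], cert_labels[1:]
    # The wildcard may only be the entire left-most label (no w*.mydomain.com, no *.*.com).
    if any("*" in lbl for lbl in rest) or ("*" in first and first != "*"):
        return False
    if first == "*" and len(cert_labels) < 3:
        return False  # refuse overly broad wildcards such as *.com
    return rest == host_labels[1:] and (first == "*" or first == host_labels[0])

def cert_covers(cert_names, hostname):
    """True if any name on the certificate covers hostname; False means a browser warning."""
    return any(name_matches(n, hostname) for n in cert_names)

# Constructed name lists for the three certificate types discussed in the post.
SINGLE_DOMAIN = ["www.mydomain.com", "mydomain.com"]   # www plus the bare domain
WILDCARD = ["*.mydomain.com"]                           # one level of subdomain only
SAN_CERT = ["mydomain.com", "www.mydomain.com",
            "mysite.com", "www.mysite.com", "mydomain.net"]

if __name__ == "__main__":
    hosts = ["mydomain.com", "www.mydomain.com", "mail.mydomain.com",
             "a.b.mydomain.com", "mysite.com"]
    for kind, names in [("single", SINGLE_DOMAIN), ("wildcard", WILDCARD), ("san", SAN_CERT)]:
        for host in hosts:
            print(f"{kind:8} {host:18} {'OK' if cert_covers(names, host) else 'WARNING'}")
```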
Are there less expensive ways to achieve full SSL encryption? Of course. If you are a little more tech savvy, you can look into utilizing services like Let's Encrypt, which has major backing from the likes of Google, Cisco and Akamai. This is a free service which issues shorter-lived SSL certificates (typically 3 months), but it can cover all 3 main types of certificates (Single Domain, Wildcard and SAN). Also, if you have a lot of domains you need to cover, try contacting a few different certificate providers and getting estimates. Just like anything else you buy in bulk, negotiating pricing is usually an option and can help save quite a bit of money when your certificate needs to cover hundreds or thousands of domain names.
Hopefully this clears up some of the confusion between the different SSL certificate options and which one is right for you. If it doesn’t, don’t worry, that’s where we come in! Feel free to reach out and let us know what you are looking to accomplish with your SSL certificates and we can help your team implement the solution that’s right for you.