When you need to choose an SSL certificate, you will see a lot of product terms on the websites that sell them, such as: Professional, Enterprise, Advanced, Corporate Identity, Domain Name, Mandatory, Mandatory High Encryption, extended authentication, joint communication, integrated communication, multi-domain, universal, and even cloud SSL! Nine out of ten people are confused by them and cannot work out which one to choose so as not to buy the wrong one. Don't worry: the purpose of this article is to help you make sense of the SSL certificates on the market.
We need only three attributes, "authentication method", "encryption strength" and "number of corresponding subject names", to classify almost all SSL certificates. These three attributes are independent of each other, that is, a single product may combine several of them. At the end of the article, we will use Symantec products as examples to explain how to classify with these three attributes. The next part of this article will provide a comparison table of most commercially available SSL products to make the differences easier to see:
- authentication method
The first attribute is the scope of validation (authentication) carried out by the certification authority (CA) that issues the SSL certificate. There are three types. The first and most common is the certificate applied for by a company: a dedicated unit verifies that the applicant is a legally and formally registered company, agency or group, and the applicant must submit an official document issued by the government. This is called Organization Validation (OV). The second simply verifies ownership of the domain by email. It can be issued within minutes of payment and can be applied for without a company registration; it is the lowest level and the cheapest, and is called Domain Validation (DV). In addition, there is an advanced version of the organization certificate, called Extended Validation (EV), which has stricter vetting requirements. Its advantage is that an EV certificate makes the browser display a clear green URL bar, so that visitors can more easily recognize that the website is safe.
- encryption strength
We have always stressed one point: an ordinary SSL certificate has nothing to do with the encryption strength used with the browser. The encryption strength is determined by the settings of the browser and the web server. The only exception is the SGC (Server Gated Cryptography) mandatory high encryption certificate, which does affect the encryption strength; for all other certificates, the distinction between 128-bit and 256-bit certificates does not apply. This attribute therefore has only two values: the "SGC" mandatory high encryption certificate and the "non-SGC" general certificate.
- number of corresponding subject names
The Subject Name on an SSL certificate is usually the fully qualified domain name (FQDN) of the actual server, which is the traditional one-to-one method. Later, because a service such as a mail server may be reached under several names at the same time (a domain name externally, and a virtual IP or a Windows computer name inside the company), products appeared that can put multiple Subject Alternative Names (SANs) on one certificate. These SANs can belong to different network domains and are mainly used in Unified Communication (UC), so such certificates are also called SAN certificates or UC certificates.
There is also a one-to-many SSL certificate, in which one certificate corresponds to all FQDNs in the same domain. For example, a certificate for *.company.com can be used at www.company.com, mail.company.com, forum.company.com and so on. This special certificate is called a Wildcard or universal certificate. It mainly simplifies management when many SSL certificates are needed at the same time.
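The "number of corresponding subject names" attribute, as an added example that is not part of the original article: it sorts a certificate into single-name, SAN/UC or wildcard and checks which hostnames it covers, going slightly beyond the text by applying the usual matching rule that a wildcard stands for exactly one left-most label. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl` `getpeercert()`, and all function names are this example's own.

```python
def dns_names(cert):
    """DNS names from subjectAltName; fall back to the subject CN if there are none."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label covering exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*.company.com' covers neither 'company.com' nor 'a.b.company.com'
    if p[0] == "*":
        # Conservative choice in this example: refuse wildcards directly under a TLD ('*.com').
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def covers(cert, host):
    return any(name_matches(n, host) for n in dns_names(cert))

def classify(cert):
    """Simplification: more than one DNS name counts as a SAN/UC certificate."""
    names = dns_names(cert)
    if any(n.startswith("*.") for n in names):
        return "wildcard"
    return "single-name" if len(names) <= 1 else "SAN/UC"

# Constructed sample certificates (not taken from any real site).
SINGLE = {"subject": ((("commonName", "www.company.com"),),)}
UC = {"subject": ((("commonName", "mail.company.com"),),),
      "subjectAltName": (("DNS", "mail.company.com"),
                         ("DNS", "autodiscover.company.com"),
                         ("DNS", "mail.company.net"))}
WILDCARD = {"subject": ((("commonName", "*.company.com"),),),
            "subjectAltName": (("DNS", "*.company.com"),)}

if __name__ == "__main__":
    for label, cert in (("single", SINGLE), ("uc", UC), ("wildcard", WILDCARD)):
        print(label, classify(cert), dns_names(cert))
    for host in ("www.company.com", "company.com", "a.forum.company.com"):
        print(host, covers(WILDCARD, host))
```

The wildcard sample covers www.company.com but not the bare company.com or a two-level name such as a.forum.company.com, which is worth checking before relying on one wildcard certificate for every host.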