In the Middle Ages, the Knights Templar established the key processes for the modern system of notary services, banking, loans, and mortgages that we have today. During that era, Knights carried with them documentation that proved their identity, created by a notary, often embossed with official wax seals.
The importance of these documents was enhanced by a Papal declaration in 1139 that allowed the Knights Templar to pass freely through any border, pay no taxes, and be granted total freedom from every authority other than the Vatican.
Without the documents created by a notary, anyone could impersonate a Knight, and avoid the laws that applied to ordinary citizens throughout the rest of Europe.
And when it comes to the World Wide Web today, we can draw a parallel with a similar document of authority: the SSL certificate. SSL certification (or TLS, to be more accurate) is a means of verifying the source of web pages and domains, and it opens the door to information exchanges and electronic financial transactions.
But how do you pick a good SSL provider? Simple – read on and find out. First of all, we’ve got a list of 10 of our favored SSL certificate providers, although everyone’s needs vary, so following our list, we will engage in an in-depth discussion of all the criteria you should consider when picking the right company for you.
Below are the best SSL certificate providers of 2021:
As a highly affordable provider of SSL services, Comodo SSL has made some significant headway in the past few years.
Much of that success has been the result of very aggressive pricing, with a DV level ‘Positive SSL’ Certification costing just $7.95 currently for five-year coverage.
A ‘Premium’ SSL solution only costs $54.09 for five years. That package includes a fully validated certificate, 256-bit encryption and a $250,000 relying party warranty.
But be warned, validation can take some time if the information required for Comodo SSL to complete the checking process isn’t available online. On the plus side, the company has excellent support people should you have installation or browser issues.
Having operated independently for some years, DigiCert completed an acquisition of Norton's website security and related PKI (Public Key Infrastructure) solutions in 2017. The motivation for this buyout was that Norton managed to convince 90% of Fortune 500 companies to pay for the Norton Secured Seal.
These are now DigiCert’s customers, and the company has implemented a plan to transition those using Symantec products on to DigiCert when appropriate.
The starting price for an SSL Certificate is $268 per year, although you might be able to better that with a longer term deal. You can add Wildcard SANs, with pricing starting at $788 per SAN.
Based in the US, Entrust has been in business since 1994 and has garnered a reputation as a well-oiled machine for generating certification quickly and smoothly.
Entrust was built around a wide selection of security products: ID card printers, authentication systems, credit card printers and a PKI are all among its product lines.
With so much invested in secure systems, SSL certificates are considered one of its strongest offerings. Customers especially like the ability to manage numerous certificates across multiple domains from a management console.
Prices start at $199 per year for its Standard SSL single site product, climbing to $699 for a Wildcard SSL covering unlimited servers and subdomains. From what we’ve seen, most customers seem delighted with the service at all levels, seemingly justifying the extra cost over cheaper options.
GeoTrust was once owned by VeriSign and then Norton, and due to the sale of the latter operation, it might also be part of DigiCert by now. The business covers three main areas: SSL certificates, Signing Services and SSL for enterprise services.
Those looking for SSL certification will find that GeoTrust offers a comprehensive selection starting with domain-level and progressing up to its True BusinessID with EV level certification.
Pricing is more competitive at the higher end, so those wanting a single site certificate might want to avoid GeoTrust, but those needing EV or OV level products should take a look.
Enterprise solutions specifically tailored to government organizations, healthcare businesses and financial institutions are part of the GeoTrust range. Be prepared for identity checks to take longer than others, but the thoroughness of these checks has enhanced GeoTrust’s status.
Where some operations have a wide client base, GlobalSign is very focused on enterprise customers, especially those who are looking to deploy highly scalable PKI solutions.
By taking this route, an enterprise customer can have all the rules, policies, and procedures for using SSL certificates, and their subsequent creation, distribution and revocation are all handled for them. But if you only want SSL certificates, GlobalSign can do that too.
Having the level of support and organization that GlobalSign delivers doesn’t come cheap, and even for a single site with only DV level certification, prices start at $249. For those wanting the full EV certification, expect to pay $599 per year for a single site.
GoDaddy is known as one of the best web hosting providers on the market, but it’s also a big provider of SSL services.
Instead of offering DV, OV and EV certification at different prices, they all cost the same relatively low price. The pricing structure is instead based on a single site, multiple sites, or a domain with full subdomain cover.
Currently a single site (DV, OV or EV level) costs $99.99 per year ($69.99 for the first term), and the all level domain solution is only $449.99 per year ($349.99 for the first term). The return on that investment is the best SHA2 and 2048-bit encryption, and the trust seal provided by McAfee Secure.
One quirk of GoDaddy’s offering is that while the fresh installation is relatively cheap, renewal can be more expensive. If you can be organized enough to do fresh installs each year, you can save yourself a little money over simply renewing.
In some respects, Network Solutions is a little like GoDaddy, in that they both offer a wide range of web-related services, like domain names and e-commerce solutions, and SSL certification isn’t their sole focus.
What might attract customers is this firm’s pricing, with a base cost that starts at $59.99 with a 2-year term for a single site, rising to $399 for an EV level certificate that should be issued within five working days.
The weakness of this offering would seem to be the support team, which has been described in less than glowing terms by some customers. So given that, if you understand the details of installing certificates, then this might be for you, but anyone wanting extensive technical support may want to look elsewhere.
RapidSSL is owned by GeoTrust, another SSL provider we’ve already mentioned in this list. The business logic behind this is that whereas GeoTrust focuses on corporate giants, RapidSSL targets smaller businesses that are more cost-sensitive.
For just $17.95 per year, RapidSSL will provide a single domain certificate with 128/256-bit encryption with a browser recognition that exceeds 99%. A wildcard certificate that covers unlimited subdomains is $149 per year, plus it includes a $10,000 warranty and a 30-day money-back guarantee.
Free support is provided 24/7 by web and email, and installation tools are part of the package at no extra cost. And, even at this low price, the service is built on the same GeoTrust global infrastructure as the corporate customers benefit from.
If the most important metric of this sector is customer approval, then SSL.com is delivering the type of SSL service that wins friends and returning customers.
Part of that equation is strong customer services and support teams, and the other element is competitive pricing which values those willing to commit for longer periods than a year.
A single domain level certificate starts at $49 per year but can be as low as $36.75 per annum if bought for five years. If you’re a smaller business looking for certification, SSL.com might be a good place to start.
The company is hardly a household name, but Thawte has managed to corral more than 40% of the global market for SSL certificates. So far it has issued nearly a billion certificates in 240 countries worldwide.
What’s helped the firm establish this position is the strength of its offerings, and selling points include impressive browser compatibility, excellent certificate management tools, and up to 256-bit encryption.
For those who need EV level certification, the price is $189.84 (6-year plan), and that comes with a promise to complete the background checks in one to three days maximum.
The success that Thawte has had seems well grounded in a strong combination of customer satisfaction and affordable pricing.
The mechanism of SSL certification has two important functions: authentication and encryption.
As a means to authenticate a connection, the SSL certificate holds information about the business, website or person you are connecting to, and is also a means to verify that identity through a third party.
If you wish to see this in action, look at the URL of this web page in the address bar of your browser, and alongside the text, just on the left, you should see a small green padlock that identifies that this is a secure SSL-certificated site.
Clicking on the padlock will tell you that the connection is secure and allow you to reveal what information the certificate has. That will include who the certificate was issued to, and the SSL provider that bestowed authorization.
In addition to authority and verification, the SSL certificate also includes a means to encrypt traffic between the user’s computer and the website. Without this encryption, sensitive information like passwords could potentially be compromised by a nefarious party intercepting the data traffic flowing between the client computer and the web server.
The security of this system is underpinned by another independent third party, the trusted Certificate Authority (CA), which issues the SSL certificate under strict guidelines.
Very much mirroring the phrase ‘my word is my bond’, the support of a CA with an SSL certificate is a declaration of trust in a person, company or website. And the CA is in turn verified by a Root certificate holder, proving that they are trusted to issue certificates and revoke them where necessary.
Should these trusted relationships fail, the SSL certificates become invalid. In that case, anyone visiting a location covered by one such certificate would immediately be warned that it has no valid SSL certificate, and that their connection may no longer be secure.
As you can imagine, the impact that a revoked certificate would have on a live business would be very serious. So it’s vital that you get your SSL certificate from the right source, backed by the most respected CA.
Having inherent trust where identity is concerned is necessary, but having the right level of certification for the business is also very important.
When people talk about SSL certificates, it is easy to assume that they’re all the same. But depending on who authorized them and how diligent the background checks were, they come with different levels of validation.
Here are the four levels of validation most commonly used:
- Self-signed. At first glance, the idea of self-signed certificates seems mildly ridiculous, because looking in the mirror and confirming that the reflection is indeed you won’t work at passport control. However, if the purpose of these certificates is to control traffic on an internal corporate intranet, it works well enough, and avoids the browser repeatedly complaining about unsecured web locations.
- Domain Validation (DV). The next rung up is the Domain Validated SSL certificate, which is purely a confirmation that the web pages are truly coming from the expected domain and not some other. It says nothing about the person or business in question, just that they own a domain.
- Organization Validated (OV). The highest level of validation that an individual can aspire to, and high enough for many businesses. Company credentials and those of the named owners are checked against extensive databases, including those held by local governments.
- Extended Validation (EV). The pinnacle of SSL issuance is the fully authenticated SSL certificate, needed for any company that wants to offer their customers secure web locations, email and financial transactions.
While self-signed and domain level certificates have their uses, it’s the OV and EV levels that businesses truly need, because they prove that a company has domain ownership, a genuine business, and that the certificate was applied for by authorized personnel.
As it’s reasonable to expect, checks of this type take time. Therefore, applying for and being granted an authenticated SSL certificate is not something that can happen five minutes before a new web venture is about to go live.
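The four levels above can be told apart, roughly, from the names inside a certificate. The following is an added example, not part of the original article: a heuristic classifier over the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates, host names and the `validation_level` helper are constructed for illustration, and the subject-field test is an approximation, since the policy identifier a CA embeds is not exposed in that dictionary.

```python
import socket
import ssl

# Subject fields that only appear after extended vetting of a legal entity.
EV_ONLY_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def flatten(name):
    """Turn getpeercert()'s tuple-of-RDNs into a plain dict."""
    return {key: value for rdn in name for key, value in rdn}

def validation_level(cert):
    """Heuristic: guess the validation level from subject and issuer names."""
    subject = flatten(cert.get("subject", ()))
    issuer = flatten(cert.get("issuer", ()))
    if not subject:                            # empty dict: nothing was verified
        return "unknown"
    if subject == issuer:                      # issued to itself, no CA vouches
        return "self-signed"
    if "organizationName" not in subject:      # only the domain was checked
        return "DV"
    if EV_ONLY_FIELDS <= subject.keys():       # registration details present
        return "EV"
    return "OV"

def fetch_cert(host, port=443):
    """Fetch a live, chain-verified certificate in the same dict shape."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not real issuances).
CA = ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),))
SAMPLES = {
    "intranet": {"subject": ((("commonName", "wiki.corp.example"),),),
                 "issuer": ((("commonName", "wiki.corp.example"),),)},
    "blog": {"subject": ((("commonName", "blog.example"),),), "issuer": CA},
    "shop": {"subject": ((("countryName", "US"),),
                         (("organizationName", "Example Shop Inc"),),
                         (("commonName", "shop.example"),)), "issuer": CA},
    "bank": {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("organizationName", "Example Bank Inc"),),
                         (("commonName", "bank.example"),)), "issuer": CA},
}

if __name__ == "__main__":
    for name, cert in SAMPLES.items():
        print(f"{name:9s} {validation_level(cert)}")
```

To check a site you operate, pass the result of `fetch_cert("your-host")` to `validation_level`.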
The other element that separates one SSL certificate from another is the level of encryption that it applies, and exactly how secure that makes it.
The model for SSL certificates allows for them to use 128 or 256-bit encryption, should the client’s browser support it. Calculations show that it would take a supercomputer 13.75 billion years to test every permutation of a 128-bit encrypted code.
And, for good measure, the initial handshake is performed using an ultra-secure 2048-bit RSA key. Once past that awkward first date, SSL communication is usually continued with 128, 192 or 256-bit, as without quantum computers these are practically uncrackable, and they put less stress on the computers encrypting and decrypting at either end.
Most providers are offering 256-bit encryption these days, but that’s only valid when the web server, client computer operating system and browser can all operate at that encryption level.
Old operating systems and browsers can force encryption levels to 40 or 56-bit, even if the certificate they’re accessing is capable of 256-bit.
While you can’t entirely control the client end, the minimum requirement for encryption should be 256-bit at the server end, period.
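Enforcing a floor at the server end means the server refuses weak suites outright instead of letting an old client talk it down. The following is an added example, not part of the original article: it builds a restricted server context with Python's `ssl` module and audits a cipher list against a chosen minimum. The `LEGACY_SERVER` list is constructed sample data and the function names are hypothetical.

```python
import ssl

def hardened_server_context():
    """Server context that refuses old protocol versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3 / TLS 1.0 / 1.1
    # Only forward-secret AEAD suites for TLS 1.2. TLS 1.3 suites are
    # managed by OpenSSL itself and are not affected by set_ciphers().
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def below_floor(ciphers, min_bits):
    """Names of cipher suites whose key strength is under min_bits."""
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]

# Constructed suite list in the shape of SSLContext.get_ciphers(),
# standing in for a server that still accepts very old clients.
LEGACY_SERVER = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "AES128-SHA", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "strength_bits": 256},
]

if __name__ == "__main__":
    # Everything a 256-bit-only policy would have to switch off.
    print("legacy, under 256:", below_floor(LEGACY_SERVER, 256))
    # The restricted context offers nothing weaker than 128-bit.
    offered = hardened_server_context().get_ciphers()
    print("hardened, under 128:", below_floor(offered, 128))
    for suite in offered:
        print(f'  {suite["strength_bits"]:>3} bits  {suite["name"]}')
```

The live context is audited at 128 bits because the suites it lists depend on the local OpenSSL build; pass 256 as `min_bits` to see which of them a stricter policy would still need to remove.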
What makes a good SSL purchase?
There is a temptation to make choices entirely based on cost, especially if you have lots of sites to cover or a dynamic business environment. Poor decisions can have big cost implications, and changing direction once you have a consumer-facing solution isn’t ideal.
The following factors should play a part in picking the right issuance operation for you:
- Period of trial - Before anything goes live you’ll want to test it, yes?
- Browser compatibility - With so many computers still running Windows 7 and even older releases, working with older browsers is still a major concern.
- Issuance timeframe - When deadlines are in play, time can be critical should a new certificate suddenly be needed.
- Trust level type - The trick is to match the needs of the web location with the level of security and trust needed. If you don’t do financial transactions, then EV level security probably isn’t required. Not all firms offer OV level certificates and some companies try to charge for self-signed, amazingly.
- Trust site seal - Providing a recognizable seal that the public can see is an easy way to let your customers know that a site is secure and that their information is safe.
- Support of SSL experts - The subtle nuances of SSL and certification can befuddle even the most astute IT people, so having an SSL support team available is critical.
- Refund policy - Entering a business relationship assuming it will go sideways isn’t a particularly positive viewpoint, but knowing that your money will come back if needed is a sensible precaution.
- Warranty policy - Some CAs cover errors in identification, loss of documents or intentional/accidental errors. These warranties might have implications for those companies that self-insure.