What is the difference between a free SSL certificate and a paid SSL certificate?
Does it make sense to buy a paid SSL certificate in the era of free Let's Encrypt and free CAcert.org certificates? What is the difference between free and commercial certificates, are they worth the same, and how do they affect website security? I will explain all this in this article.
What types of SSL certificates do we have?
Certificates can be divided according to which domains they protect and according to how the entity requesting the certificate was verified. That is why, for some certificates, the browser shows not only the green padlock but also the name of the company that owns the certificate.
Certificates DV (Domain Validation)
The quickest certificate to obtain is the DV certificate. When buying such a certificate, you must prove that you are the owner of the domain to which it applies. The most common method is to receive a verification link at an e-mail address within the domain for which you want the certificate.
If you want to receive a certificate for the thecamels.org domain, you need to create a mail account, e.g. email@example.com, to which the certifying organization will send a verification link. After clicking it, the certificate will be issued.
Another method is to place a file on the server or add a DNS record in the domain. Verifying that you own the domain is very fast, and within a few minutes of placing the order you can have such a certificate.
This type of certificate does not contain any information about its owner.
Certificates OV (Organization Validation)
With this type of certificate, in addition to verifying whether you are the owner of the domain, the owner of the certificate is verified as well (most often the company buying the certificate). It is also necessary to provide documents confirming the owner's details, e.g. company registration documents or a scanned identity card.
The OV certificate ensures the credibility of the company and the authenticity of the domain visited, through the information contained in the certificate itself.
Certificates EV (Extended Validation)
Certificates with the so-called green bar are issued only after full verification of the owner who wants to purchase such a certificate. In addition to confirming that you are the owner of the domain and providing the documents, you should also expect to be contacted by the certifying organization to verify the documents submitted.
The advantage of such a certificate is that it displays the full name of the company that owns it in a green field (next to a green padlock). This is the most reliable certificate and is recommended for large stores, web applications or banks.
Certificates Wildcard
A classic SSL certificate is issued for one domain, e.g. thecamels.org (and www.thecamels.org). If we wanted to protect addresses like blog.thecamels.org, shop.thecamels.org and panel.thecamels.org, we would have to buy three certificates, one for each address.
A Wildcard certificate allows you to protect any number of subdomains in your domain. It is issued for the *.thecamels.org address, which means that all the previously mentioned addresses will be protected by a single certificate. There is no protection for third-level and deeper subdomains, e.g. www.shop.thecamels.org or new.shop.thecamels.org.
The main advantage of this type of certificate is cost reduction with a large number of addresses, and simpler management: we have one certificate to renew instead of a dozen or so.
Let's Encrypt has recently started issuing Wildcard certificates as well.
Certificates Multi Domain
What if we have several domains, e.g. thecamels.org, thecamels.pl, thecamels.eu and osworld.pl? Can we use a Wildcard here? Unfortunately not. This is where the Multi-Domain certificate comes to the rescue: it allows you to secure up to 100 different domains with one certificate.
Please note that only the domains specified when ordering the certificate are covered. So if, for example, we have listed thecamels.org, thecamels.pl and thecamels.eu, only these will work with this certificate. This is not the same as with single-domain DV certificates such as Positive SSL, which cover thecamels.pl and www.thecamels.pl together.
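The Wildcard and Multi-Domain rules above come down to how a browser matches the requested hostname against the names in the certificate. The following is an added example, not code from the original post: a small matcher written to the wildcard rules of RFC 6125 (a `*` covers exactly one label, only in the leftmost position), run against three constructed certificate name lists modelled on the post's examples.

```python
"""Hostname vs. certificate-name matching (RFC 6125 wildcard rules)."""
from typing import List, Optional

def _labels(name: str) -> List[str]:
    # DNS names are case-insensitive; a trailing dot is just the root.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern: str, host: str) -> bool:
    """Does one certificate name (plain or wildcard) cover `host`?"""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        # A wildcard never spans more than one label, so
        # *.thecamels.org can not cover www.shop.thecamels.org
        # or thecamels.org itself.
        return False
    if p[0] != "*":
        # Plain dNSName: every label must match literally.
        return p == h
    # Wildcard: reject '*.org'-style names (too broad) and empty labels;
    # the '*' must be the entire leftmost label (partial wildcards such
    # as 'f*.thecamels.org' are not accepted by modern browsers).
    if len(p) < 3 or h[0] == "":
        return False
    return p[1:] == h[1:]

def cert_covers(san_names: List[str], host: str) -> Optional[str]:
    """Return the SAN entry that covers `host`, or None if none does."""
    for name in san_names:
        if name_matches(name, host):
            return name
    return None

# Constructed SAN lists illustrating the post's three certificate shapes.
CLASSIC = ["thecamels.org", "www.thecamels.org"]          # single-domain DV
WILDCARD = ["thecamels.org", "*.thecamels.org"]           # Wildcard
MULTI = ["thecamels.org", "thecamels.pl", "thecamels.eu"] # Multi-Domain

def demo() -> dict:
    """Which hostnames each constructed certificate would cover."""
    checks = {
        "classic/blog": cert_covers(CLASSIC, "blog.thecamels.org"),
        "wildcard/blog": cert_covers(WILDCARD, "blog.thecamels.org"),
        "wildcard/www.shop": cert_covers(WILDCARD, "www.shop.thecamels.org"),
        "multi/www.thecamels.pl": cert_covers(MULTI, "www.thecamels.pl"),
        "multi/osworld.pl": cert_covers(MULTI, "osworld.pl"),
    }
    return checks

if __name__ == "__main__":
    for case, covered_by in demo().items():
        print(f"{case:24s} -> {covered_by or 'NOT COVERED'}")
```

Note that the Multi-Domain list does not cover www.thecamels.pl unless that name was listed explicitly when ordering, which is exactly the pitfall described above.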
What are the differences between free and paid SSL certificates?
Thanks to Google, the subject of SSL certificates has recently become very popular. The Chrome browser will flag a site without SSL as dangerous. This is really the last call to equip your website with SSL.
And at this point the question arises: do you buy a certificate or get one for free? Nothing stands in the way of first equipping your website with free SSL and, as your needs grow over time, replacing it with a commercial certificate. Besides, such a certificate costs only about 50 PLN per year.
| Commercial certificate | Free certificate |
| --- | --- |
| Issued for 1 year | Issued for 3 months |
| DV, OV, EV certificate | DV certificate |
| No auto-renewal | Auto-renewal via scripts |
| from 50 PLN | 0 PLN |
| Warranty: $10,000 | No guarantee |
It is easy to notice that commercial certificates come with a financial guarantee. The amount of the guarantee varies depending on the brand of the certificate and its type: from $5,000 up to $1,500,000. Remember that certificates do not provide 100% security. The encryption key can always be broken. In such a situation, the issuer of the certificate should pay us compensation.
Unfortunately, as is usual with guarantees and terms and conditions, it is not that rosy. Very often the guarantees contain a lot of legal fine print, along the lines of: compensation is up to $5,000, and is paid only when we ourselves prove that the fault lies with the certificate and its supplier, etc. In practice the guarantee does not make much of a difference.
Free certificates also have limits and restrictions. It may happen that with a large number of domains on one hosting account, we will not be able to generate certificates for each address. It is also worth bearing in mind the technical requirements that must be met in order to obtain a Let's Encrypt certificate.
In the event of a failure of the Let's Encrypt server infrastructure, we may have a problem with generating a free certificate, renewing it, etc.
Is it worth buying an SSL certificate?
It is difficult to answer this question in one sentence. It all depends on the purpose for which we will use the certificate. Let's Encrypt and CAcert.org offer only free DV certificates. From a technological point of view, they work exactly the same way as the paid ones. Free certificates need to be renewed every few months, they have limits, and so on. They are really sufficient for most applications.
Very often online shops, larger websites and commercial websites buy certificates. There is no need to renew them every few months and worry about the problems associated with a missed renewal. However, if we are thinking about OV or EV (green padlock) certificates, only commercial certificates remain.
Buying a certificate or choosing a free one is one thing. You should also make sure that the server on which you implement such a certificate is properly configured. If the server configuration is incorrect and weak, it may be possible to eavesdrop on the transmission even with an SSL certificate in place.
Our hosting servers install a Let's Encrypt certificate for each domain by default, and receive the highest A+ rating in SSL Labs tests.