Today I Learned Cloud

Most people, when working with the cloud, come to a point where they need to setup and install an SSL certificate for their webserver or load balancers or other systems that need traffic to it encrypted. This used to be a lot more difficult than it is today. Today for most certificate needs, this can be done for free, whereas in the past this could cost hundreds of dollars a year to get a verified certificate.

Let’s Encrypt

One of the first services to start offering free SSL certificates was Let’s Encrypt. This is a non profit organization which is sponsored by an incredibly large number of companies, including the likes of Mozilla, Facebook, Google, Verizon, IBM, and many more. This certificate authority is currently powering the SSL certificates of over 200 million websites. They have also issued over one billion certificates! The service itself is provided by the Internet Security Research Group (ISRG).

The main benefit to Let’s Encrypt is that it is free and available to anyone that owns a domain. As long as the user can prove they control the domain, they are able to receive a certificate. The updates to the certificate can also be configured to happen automatically. This is a huge benefit when managing many servers, as the manual overhead of updating certificates once they expire is no longer there.

These days, the certificates generated by Let’s Encrypted are trusted by almost every browser that a potential user may be using when visiting your domain. This has helped with the popularity of Let’s Encrypt because it lets these free certificates just work.

The one drawback of Let’s Encrypt is that they only offer domain validation (DV) SSL certificates. They do not offer Organization Validation (OV) certificates and they do not offer Extended Validation (EV) certificates. In order to get one of these certificates, which is considered more secure by some, you’re likely going to have to fork out some money for the privilege as well as do a little more leg work to prove legal entity status. However, with an extended validation certificate, most browsers will show a green bar or symbol in the browser URL bar to give the user an indication that the site is considered more secure than normal.

Namecheap

What happens if you would like to get an Organization Validation (OV) certificate for your current setup. One company that offers these types of certificates, and one that I have personally used before, is Namecheap. They also offer Domain Validation (DV) certificates, but if your are going to pay for an SSL certificate it likely makes more sense to get an SSL certificate with a little more validation.

Currently the pricing for these types of certificates on the Namecheap website vary between around $20 per year to for the InstantSSL version, to around $53 per year for the PremiumSSL version. This is much cheaper than other Organization Validation (OV) certificates that you will find on the web. Also, the multi domain or wildcard versions of these certificates will cost more as they apply for multiple domains or sub domains. However if you have a need for these types of certificates for many domains, it may be cheaper than buying a distinct certificate for each one.

For an even more extensive and premium SSL certificate offering, they offer the Extended Validation (EV) certificates as well. The current pricing for these certificates can vary between about $60 for the year for a single domain and $125 for the year for a multi domain SSL certificate.

So what is the difference between the Organization Validation (OV) certificate and the Extended Validation (EV) certificate? Well the Organization Validation certificate is only issued if two conditions are met. The first being that the user is able to prove administrative control of the domain, and the second being that the user is able to prove the valid existence of the legal entity purchasing the domain. The main difference between this and the extended validation certificate is that the extended version requires manual verification of the legal entity status and are only issuable by a subset of the certificate authorities.

So for the added cost, and work in getting issued one of these certificates, some users may find them beneficial to pay for instead of getting a free Domain Validation certificate. It all depends on how much trust the end user expects, or requires, with the site or service using the certificate.

IONOS by 1and1

Another company that I’ve used in the past when purchasing premium SSL certificates is IONOS by 1and1. They offer all the same types of SSL certificates as previously described with Namecheap, but may work better for some users, especially if they already have some domains and hosting setup or purchased with this company already.

For single domain SSL certificates with IONOS, the cost will currently run around $70 per year for an Organization Validation (OV) Certificate. With the Extended Validation (EV) certification, the cost with IONOS will currently run about $200 per year. They both offer up to 256 bit encryption with these certificates and the Organization Validation certificate shows the green padlock display in most browsers. However the Extended Validation certificate will show the green bar display to give the end user even more confidence of the security that is in place for the given site or service.

It appears that IONOS currently only offers the wildcard certificate for Organizational Validation and not for Extended Validation. The current pricing for the wildcard OV certificate is $300 per year. There is no offering for either of these types of certificates with the multi domain support.

Amazon Certificate Manager

Another free option available to Amazon Web Services users is the Amazon Certificate Manager. Using this option is only really an option if you are running services on the Amazon cloud. This service is deeply integrated with Amazon Web Services. This service will again use Domain Validation (DV) certificates and can be linked with domains purchased via the Amazon Route 53 service, or domains that are setup to use the Route 53 nameservers.

When running services with AWS and when configuring the DNS for that domain with the Amazon Route 53 service, this is usually the service I end up using for my SSL certificate needs. It’s very simple to verify ownership with this setup as everything is already setup and configured in Amazon Route 53. Once the domain is verified, you can start using the certificate with other Amazon services.

For example, if you are hosting a website from an S3 bucket, but using Amazon Cloudfront as a content distribution network to that bucket, you are able to configure CloudFront to use the domain validated certificate that was generated by Amazon Certificate Manager. This make hosting and serving a secure site with Amazon Web Services incredibly cheap and easy. The best thing is that Amazon takes care of all of the work related to certificate renewal and updates required to the services they are attached to.

Another service where Amazon Certificate Manager has great integrations with is the EC2 load balancer service. During configuration of the elastic load balancer, a certificate generated by Amazon Certificate Manager can be used to secure the endpoint of the load balancer. This works much like the CloudFront configuration previously described.

Final Thoughts

SSL Certificates are used daily for most services hosted on the web. Google has even started to penalize websites that are not encrypted by SSL certificates. This is mainly because domain validated certificates can be issued for free these days.

However, if the site or service you are currently working on needs to show a bit more security to the end users using that site or service, it can make a lot of sense to purchase one of the Organizational Validations (EV) certificates or the Extended Validation (EV) certificate. It really just depends on you and your customers needs to make the experience the greatest for both. For the relatively small cost for these types of certificates, and the extra piece of mind, it can make a lot of sense to pay for one when needed.