SSL – How to decide where to purchase a wildcard SSL certificate

Tags: certificate-authority, security, ssl, ssl-certificate

Recently I needed to purchase a wildcard SSL certificate (because I need to secure a number of subdomains), and when I first searched for where to buy one I was overwhelmed with the number of choices, marketing claims, and price range. I created a list to help me see past the marketing gimmicks that the greater majority of the Certificate Authorities (CAs) and resellers plaster all over their sites. In the end my personal conclusion is that pretty much the only things that matter are the price and the pleasantness of the CA's website.

Question: Besides price and a nice website, is there anything worthy of my consideration in deciding where to purchase a wildcard SSL certificate?

Best Answer

I believe that with respect to deciding where to purchase a wildcard SSL certificate, the only factors that matter are the first year's cost of an SSL certificate, and the pleasantness of the seller's website (i.e. user experience) for the purchase and setup of the certificate.

I am aware of the following:

  • Claims about warranties (e.g. $10K, $1.25M) are marketing gimmicks - these warranties protect the users of a given website against the possibility that the CA issues a certificate to a fraudster (e.g. phishing site) and the user loses money as a result (but, ask yourself: is someone spending/losing $10K or more on your fraudulent site? oh wait, you are not a fraudster? no point.)

  • It is necessary to generate a 2048-bit CSR (certificate signing request) private key to activate your SSL certificate. According to modern security standards, using CSR codes with a private key size of less than 2048 bits is not allowed. Learn more here and here.

  • Claims of 99+%, 99.3%, or 99.9% browser/device compatibility.

  • Claims of fast issuance and easy install.

  • It is nice to have a money-back satisfaction guarantee (15 and 30 days are common).

The following list of wildcard SSL certificate base prices (not sales) and issuing authorities and resellers was updated on May 30th, 2018:

 price |
/ year | Certificate Authority (CA) or Reseller
($USD) |
-------+---------------------------------------
    $0 | DNSimple / Let's Encrypt *
   $49 | SSL2BUY / AlphaSSL (GlobalSign) *
   $68 | CheapSSLSecurity / PositiveSSL (Comodo) *
   $69 | CheapSSLShop / PositiveSSL (Comodo) *
   $94 | Namecheap / PositiveSSL (Comodo) * (Can$122)
   $95 | sslpoint / AlphaSSL (GlobalSign) *
  $100 | DNSimple / EssentialSSL (Comodo) *
       |
  $150 | AlphaSSL (GlobalSign) *
  $208 | Gandi
  $250 | RapidSSL
  $450 | Comodo
       |
  $500 | GeoTrust
  $600 | Thawte
  $600 | DigiCert
  $609 | Entrust
  $650 | Network Solutions
  $850 | GlobalSign
       |
$2,000 | Symantec

* Note that DNSimple, sslpoint, Namecheap, CheapSSLShop, CheapSSLSecurity, and SSL2BUY, are resellers, not Certificate Authorities.

Namecheap offers a choice of Comodo/PositiveSSL and Comodo/EssentialSSL (though there is no technical difference between the two, just branding/marketing - I asked both Namecheap and Comodo about this - whereas EssentialSSL costs a few dollars more (USD$100 vs $94)). DNSimple resells Comodo's EssentialSSL, which, again, is technically identical to Comodo's PositiveSSL.

Note that SSL2BUY, CheapSSLShop, CheapSSLSecurity, Namecheap, and DNSimple provide not only the cheapest wildcard SSL certs, but they also have the least marketing gimmicks of all the sites I reviewed; and DNSimple seems to have no gimmicky stuff whatsoever. Here are links to the cheapest 1-year certificates (as I can't link to them in the table above):

As of March 2018 Let’s Encrypt supports wildcard certificates. DNSimple supports Let's Encrypt certificates.
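
The answer's point about needing a 2048-bit key applies to every seller in the table. The script below is an added example, not part of the original answer: it generates a wildcard CSR with `openssl` and checks the key size before submission. `example.com`, the file names and the function names are placeholders, and listing the bare domain in the request is an assumption about what you want covered.

```shell
#!/bin/sh
# Added example: example.com and all file names are placeholders.
MIN_BITS=2048   # minimum RSA key size, per the answer above

# make_wildcard_csr DOMAIN BITS OUTDIR
# Writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr for *.DOMAIN.
make_wildcard_csr() {
    domain=$1; bits=$2; out=$3
    # Create the private key readable by the owner only.
    ( umask 077; openssl genrsa -out "$out/$domain.key" "$bits" 2>/dev/null ) || return 1
    # A wildcard matches a single label, so the bare domain is listed too.
    # -addext needs OpenSSL 1.1.1 or later.
    openssl req -new -sha256 -key "$out/$domain.key" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" \
        -out "$out/$domain.csr"
}

# csr_key_bits CSR_FILE: print the public key size found in the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# check_csr CSR_FILE DOMAIN
# Returns 0 only if the key is at least MIN_BITS and the CSR requests *.DOMAIN.
check_csr() {
    bits=$(csr_key_bits "$1")
    if [ -z "$bits" ]; then
        echo "cannot read CSR: $1" >&2; return 2
    fi
    if [ "$bits" -lt "$MIN_BITS" ]; then
        echo "key is $bits bits, need at least $MIN_BITS" >&2; return 1
    fi
    if ! openssl req -in "$1" -noout -text | grep -Fq "DNS:*.$2"; then
        echo "CSR does not request *.$2" >&2; return 1
    fi
    return 0
}
```

Only the `.csr` file is sent to the CA or reseller; the `.key` file stays on the server.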