Picking a Certificate Authority (CA) seems easy enough, right? One quick Google search on how to obtain an SSL Certificate for your website or an S/MIME Certificate for email encryption will give you plenty of websites that offer cheap or even free digital certificates. I know getting something for free is great…until you run into any issues, that is.
Price is one of the most common deciding factors when comparing CAs, but should it be? When the security and reputation of your company depends on it, do you really want to just go with the cheapest solution?
IT professionals who regularly purchase digital certificates know there’s more to the decision than price alone. While they do need a solution that meets budgetary goals matched to their security goals, they also need to ensure they are not risking their critical infrastructure, users and brand reputation with a no-name, no-frills company. There is so much more that goes into choosing a CA.
1. Ubiquity, Longevity and History
You want to make sure to choose a CA whose roots and trust anchors are embedded in as many browsers, operating systems, applications and devices as possible. This is known as ubiquity. When you think about Public Key Infrastructure (PKI) relative to technology, the trust of any CA is only as good as the places where its roots are embedded. This is critically important - nobody wants to switch to a CA with lower ubiquity, or one whose trust anchors cause challenges or issues.
It’s also important to consider the history of the company and how long they’ve been in business. If a CA has been around for 20 years, there’s probably a good reason for that. They’ve worked hard to build a positive reputation and trust with their customers and they have proven they can also leverage that experience and expertise to make the best solution recommendations.
2. The Platform
The function of the platform is tremendously important because you are going to be interacting extensively with the online portals. The user interface and ease-of-use, support for different workflows and flexibility of the portal are extremely important in daily use.
You want the platform to allow an administrator or user to order certificates easily through the normal workflows, but also have the ability to extend those permissions to a greater audience. For example, you could allow other employees or departments to request certificates without giving them access to the full portal by providing a public ordering page that requires approval before certificates are issued.
Beyond the initial ordering process, the platform should simplify ongoing lifecycle management.
- One-click renewals,
- access to all certificate types from one account,
- the ability to quickly report on and find any certificate in your inventory,
- prominent warnings for expiring certificates or domains.
These are the types of features you should look for that are going to make your life much easier in the long run.
Having a robust set of APIs is another must-have feature for many, allowing them to build a custom request workflow that will make an API call to the CA system. This makes certificates easy to consume and easy to access by authorized IT personnel or administrators.
3. Easy to do Business With
You want to make sure that the CA is easy to do business with from a commercial terms perspective. You will be entering into agreements and licensing deals, so flexibility is really important here. Obviously, everyone is concerned with cost and making sure they’re getting the best value for their dollar. It is essential to find a CA that offers flexible purchasing terms: for example, pay-as-you-go, where you use a credit card and order certificates on demand without any commitment to quantities, or a bulk balance model, which works just like a bank account where you load money into your account and order any type of certificate against it.
This works in tandem with the platform because, as mentioned above, you want to make sure you can order all different types of certificates in the same place. So, once the terms and pricing have been set, you can get all types of certificate as you need them directly from the platform without going back and forth with the CA.
Making sure that the money you’ve loaded into your account rolls over each year is an absolute must. There should be no “use it or lose it”. This is one of the biggest concerns from organizations that may have already lost money, tokens, or units with other CAs because they expired. This is very problematic because nobody wants to lose money. So, a bulk balance rollover policy is something to look for.
Because SANs (Subject Alternative Names) are the building block of all certificates, a licensing model based on SANs is one of the best ways to price certificates and another option to consider. You want a pricing model that is incremental based on the number of SANs you are using. This is extremely useful for companies with pre-production and development environments: you can issue and refund these SANs as you do testing without losing them.
It’s critical to not only evaluate the company’s support system (like how easy it is to get help if you need it) but something that is often overlooked, the day-to-day interaction with salespeople or account managers. These people can act as a liaison between different parts of their organization, like vetting or sales engineering, if there are particularly difficult situations.
The account management team should be able to triage with the various support teams to make sure they can solve any issues you may be having as well as offering true and helpful advice on how to best use their products to meet your needs in the most cost-effective manner.
5. Innovation and Automation
As your company grows, you need to make sure that your CA is able to scale and grow with you, especially if you’re involved in the IoT (Internet of Things) space. You should have a CA with high-volume capabilities to help you meet the use cases of the future. You may find yourself in need of a CA that can issue thousands of certificates per second, and you want to be sure that when you’re ready, the CA is able to facilitate that.
Automated lifecycle management is an absolutely integral part of what a great CA does. All of your certificates and credentials have a start and end date; you don’t want a certificate to unexpectedly expire. An expired certificate can cause lots of serious problems and have huge revenue and customer service implications. A CA should be able to handle the full lifecycle of your certificates automatically.
Integrations with other enterprise systems, such as Active Directory or Mobile Device Management (MDM) platforms, and support for protocols like SCEP and ACME can play a critical role in this type of automation and allow you to automatically issue, install, renew and revoke certificates based on your corporate policies.
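The expiry warning described above is, at its core, a check over your certificate inventory. The following Go program is an added example (not GlobalSign code or any platform's implementation) that builds a few constructed self-signed certificates to stand in for an inventory and reports which ones have already expired and which fall inside a warning window; the certificate names and thresholds are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a constructed self-signed certificate for cn with the given
// validity window; it stands in for one entry of a certificate inventory.
func makeCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CheckInventory is the check behind an "expiring certificate" warning: it returns
// the DNS names of certificates already expired (an outage in progress) and of
// those expiring within warn of now (renew before it becomes one).
func CheckInventory(inv []*x509.Certificate, now time.Time, warn time.Duration) (expired, expiring []string) {
	for _, c := range inv {
		switch {
		case c.NotAfter.Before(now):
			expired = append(expired, c.DNSNames...)
		case c.NotAfter.Before(now.Add(warn)):
			expiring = append(expiring, c.DNSNames...)
		}
	}
	return expired, expiring
}

func main() {
	c, _ := makeCert("app.example.test", time.Now(), time.Now().Add(5*24*time.Hour))
	fmt.Println(CheckInventory([]*x509.Certificate{c}, time.Now(), 30*24*time.Hour))
}
```

In practice the inventory would come from the CA platform's API or from scanning your own endpoints, and the warning window should be longer than your renewal turnaround time.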
A Note on the CA Industry Right Now
There have been a few shake-ups in the industry in the past couple of months, including a lot of consolidation with DigiCert acquiring the assets of Symantec and other brands, and recently with Comodo being acquired by a private equity firm. I think there are some underlying nuances to be mindful of when choosing a CA involved in transactions like this, as they may have future implications. It is important to make sure you’re choosing a CA that you can depend on, and can continue to do business with for a long time without any surprises or change.
When you’re choosing a CA, there are plenty of things you need to be looking for, but you should ultimately trust that provider. You are trusting them with the security and reputation of your company. You want to make sure they are supported in all of the operating systems, devices, and browsers. You want a platform that is easy to use and robust enough to cover all of your needs.
Make sure that they’re easy to do business with and have flexible models that fit your needs from both a use-case and a budgetary standpoint. They should have top-tier support, not only for when things go wrong, but also for day-to-day interactions with a knowledgeable account manager who can adapt their products to your specific enterprise needs. You also want a CA who can grow with you when you’re ready and, just like any vendor, you want to make sure they’ll always be there for you, ready to help.
What’s most important to you when it comes to choosing a CA? Let us know below or @GlobalSign.