The SSL/TLS Market is growing as companies realize the importance of encryption in cybersecurity best practices. A range of certificate types, solutions, add-ons and services can be found from numerous Certificate Authorities (CAs) located all over the world.
If you are buying SSL/TLS Certificates and have started researching vendors online, you have probably already encountered a wide range of certificate types, packages, solutions and other certificate options. Deciding what to purchase can get quite complicated. My aim in writing this blog is to highlight some of the costs that go into issuing SSL/TLS Certificates and how those costs are covered by the issuing CAs.
Most of the largest international CAs offer three levels of assurance for their SSL/TLS Certificates.
- Extended Validation (EV) SSL – checks the applicant's right to use the domain and performs strict organizational vetting.
- Organization Validated (OV) SSL – checks the applicant's right to use the domain and performs some organizational vetting.
- Domain Validated (DV) SSL – checks only the applicant's right to use the domain.
The higher the assurance level of the certificate, the more validation is performed before the certificate is issued, and the more time and resources are needed from the issuing CA’s vetting department. EV SSL Certificates require the most due diligence, as our vetting team will check that you own the domain, that your organization is a real organization, that the organization exists in official records and has a physical presence, and that it has the right to the domain.
Any site that enables secure payment transactions will need and demand the highest assurance certificates, which enable the ‘green bar’ (depending on the browser and version you are using) displaying the company name. Website visitors will see this as a sign that they can trust the site, and the site will benefit from an increase in brand awareness. In comparison, a DV SSL Certificate only requires the CA to check that you can demonstrate administrative control over the domain, and website visitors will typically see just a padlock.
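The three levels above are recorded in the certificate itself: the CA/Browser Forum reserves a policy OID for each (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.1 for EV), and the issuing CA places it in the certificatePolicies extension. The Go program below is an example added here; it is not code from GlobalSign or from the original post. It classifies a leaf certificate by that OID and cross-checks the subject, since an OV or EV certificate should name the organization that was vetted while a DV certificate should not. The certificates it inspects are self-signed test data constructed inline, and ClassifyAssurance, newTestLeaf and DemoLevels are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CA/Browser Forum reserved policy OIDs; a publicly trusted leaf carries one in certificatePolicies.
var (
	oidDV    = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
	oidOV    = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 2}
	oidEV    = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
	cabfRank = map[string]int{oidDV.String(): 1, oidOV.String(): 2, oidEV.String(): 3}
)

type Assessment struct {
	Level             string // "DV", "OV", "EV" or "unknown"
	SubjectConsistent bool   // OV/EV must name an Organization, DV must not
}

// ClassifyAssurance picks the strongest CA/B Forum policy OID the certificate carries, then
// checks the subject agrees with it: DV names only the domain, OV and EV also name the organization.
func ClassifyAssurance(cert *x509.Certificate) Assessment {
	best := 0
	for _, oid := range cert.PolicyIdentifiers {
		if r := cabfRank[oid.String()]; r > best { // CA-specific OIDs rank 0 and are ignored
			best = r
		}
	}
	a := Assessment{Level: []string{"unknown", "DV", "OV", "EV"}[best]}
	hasOrg := len(cert.Subject.Organization) > 0
	a.SubjectConsistent = (a.Level == "DV" && !hasOrg) || ((a.Level == "OV" || a.Level == "EV") && hasOrg)
	return a
}

// newTestLeaf builds a self-signed leaf carrying the given policy OIDs. Constructed test
// data only: a real leaf is signed by the CA's issuing key, never by itself.
func newTestLeaf(subject pkix.Name, policies ...asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// certificatePolicies is SEQUENCE OF SEQUENCE { policyIdentifier OID }; hand-encoded so the demo is independent of Go-version-specific policy fields.
	infos := make([]struct{ ID asn1.ObjectIdentifier }, len(policies))
	for i, p := range policies {
		infos[i].ID = p
	}
	value, err := asn1.Marshal(infos)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         subject,
		DNSNames:        []string{"www.example.com"},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: value}}, // id-ce-certificatePolicies
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoLevels classifies four constructed leaves, one of which claims OV without naming an organization.
func DemoLevels() (map[string]Assessment, error) {
	cases := map[string]struct {
		subject pkix.Name
		policy  asn1.ObjectIdentifier
	}{
		"dv":             {pkix.Name{CommonName: "www.example.com"}, oidDV},
		"ov":             {pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Ltd"}}, oidOV},
		"ev":             {pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Ltd"}}, oidEV},
		"ov-without-org": {pkix.Name{CommonName: "www.example.com"}, oidOV},
	}
	out := make(map[string]Assessment, len(cases))
	for name, c := range cases {
		cert, err := newTestLeaf(c.subject, c.policy)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = ClassifyAssurance(cert)
	}
	return out, nil
}

func main() {
	results, err := DemoLevels()
	fmt.Println(results, err) // err is nil unless a constructed leaf failed to build
}
```

To check a real site, pass the leaf from the server's chain (the DER you already hold, parsed with x509.ParseCertificate) to ClassifyAssurance instead of a constructed one. The policy OID, not the padlock icon, is the reliable record of which level of vetting the CA performed, and a mismatch between that OID and the subject fields is worth raising with the issuer.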
Security and Phishing Checks
Certificate Authorities like GlobalSign take great pride in their reputation, so they spend time and money investing in comprehensive tools and human processes to identify and reject certificate requests from malicious actors. CAs that do not maintain high levels of data checking can reduce their costs, but at the expense of mis-issuing certificates or of securing phishing or malware sites. This in turn can have a negative impact on the reputation of the CA and of the certificates it issues.
The types of support offered by CAs vary greatly and could cover anything from forums (open source) and web support via FAQs to email and phone. Support may be provided only in the local language or in multiple languages. The hours of operation also vary, from local business hours up to 24x7. The cost of providing support depends on the type, hours and languages of the support service.
CAs that enable web-based ordering, reporting and online documentation may also want to offer those in multiple languages. This incurs a cost to the CA.
One of the main benefits of purchasing an SSL/TLS Certificate from a commercial CA is that its certificates are trusted by a wide variety of browsers, mobile devices, gaming platform SDKs and other devices. CAs spend a lot of time and money ensuring their root certificates are embedded in as many devices as possible, to provide customers with the most ubiquitous and widely accepted SSL/TLS Certificates.
Another significant factor affecting costs is the cost of meeting the requirements and maintaining compliance with industry audit criteria, as well as bearing the cost of annual audits. All commercial CAs with roots in the major browsers need to pass WebTrust or ETSI audits in order to maintain their roots. Without their roots in these major platforms, the certificates issued by the CA would have little value. These audits require that all CAs document their processes and then follow them, covering employment background checks, local office security, the duties of those in trusted roles, and operational and data center policies and procedures. Setting up the policies and supporting the audits is a large time commitment on top of the already pricey audit costs.
This same concept applies to government or regionally sponsored CAs, which generally have their own specialized features, audit procedures and security requirements that will add to their costs.
Of course, a CA also carries development and infrastructure costs to create and operate the applications that enable certificate ordering, management and issuance, as well as to provide a reliable revocation service.
CAs require multiple secure data centers with specialized racks of web, database and CA servers, network devices and HSMs to support issuance and management of millions of certificates a year.
CAs are also required to innovate constantly and provide new services in order to meet the changing needs of consumers and the fast-paced developments in IT and technology. Every new platform or technology may bring an opportunity for SSL/TLS encryption, as well as a customer base who will need to ensure their service is secure.
Some CAs provide a warranty to their certificate subscribers to cover errors in identification, loss of documents, or intentional or accidental errors. This adds value for their customers, but comes at the cost of either an insurance policy or corporate liability if self-insured.
How Do CAs Cover These Costs?
Customers purchasing SSL/TLS Certificates need to understand the full scope of CAs’ costs and how those costs are covered. The costs can be passed on in the form of certificate prices, subscription fees, set-up fees, support contracts, sponsorship levels, bundling with other products or services, CA hosting fees, etc. Even “free” CAs need revenue to pay for their costs using one of the above.
Before buying a certificate, it is worth weighing up all the factors I have mentioned above and looking at those that matter most to you. Ask yourself:
- How much does the reputation of the CA matter to you or your customers/web visitors?
- What type of SSL/TLS Certificate do you need?
- Can one CA provide all of your SSL/TLS needs, or will you need to engage with multiple CAs to meet all of your requirements? What level of support will you need and what languages need to be supported?
- Is the root certificate used to issue your SSL/TLS Certificate trusted by all of your anticipated web site visitors?
- Does the CA offer the level of warranty your business needs?
If you have looked into all of this and decided that GlobalSign is the right CA for you, then visit our SSL Certificate page to find out more and purchase a certificate. Otherwise feel free to use the comments or our Twitter to ask us any questions regarding this blog post.