Deciding what kind of SSL your site needs is one thing; choosing where to get it from is quite another. During your research, you’ve probably come across Certificate Authorities (CAs) such as Comodo SSL and wondered, “What is it they do anyway? Does it matter what CA I go with?” The answer to your question is yes, yes, it does.
Here’s why.
What CAs do
CAs are the organizations that keep trust in the SSL ecosystem working. They verify anyone who requests an SSL certificate, and they issue, manage, and revoke the certificates themselves. Verification matters because it ensures that anyone requesting an SSL meets certain criteria. For example, anyone requesting a business validation SSL will be vetted thoroughly, from company premises to government records, to confirm they are who they claim to be. The CA then vouches for them by signing the issued certificate with its own root certificate. That digital signature is a stamp of approval: it lets applications like web browsers check that a trusted CA stands behind this business and its certificate, and go ahead and set up an SSL-secured connection.
Why a bad CA can hurt your site
As you’ve probably gathered from the last section, a CA’s work is a pretty big deal, and because of that, trust is integral to the SSL ecosystem. A lot of software, online and off, relies on SSL; for it to work, that software must trust the root CA that signed the certificate. Web browsers are the everyday example. It may seem as though a browser will open a secure connection with any website that has an SSL certificate, but that isn’t the case. Secure connections between a server and a web browser are set up through a process known as the SSL handshake. It’s a pretty technical process, so we won’t go through everything involved, but a big part of it is authenticating the parties. The browser checks that the site’s certificate was signed by a CA in its trust store (a root it already trusts). Only if that check passes does the encrypted connection begin.
But what if it’s not trusted?
Simple. Your site won’t work.
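The trust check described above, reduced to its essentials: this is an added example, not something from the original article. It creates a throwaway private root CA, has it sign a certificate for a hypothetical site, and then runs the same question a browser asks ("was this certificate signed by a root I trust?") twice, once with that root in the trust store and once against an unrelated root. The names (Example Test Root, www.example.test, Unrelated Root) are made up for the demonstration; it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original article. Builds a throwaway root CA,
# issues a leaf certificate signed by it, and verifies the leaf against two
# different trust stores. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A throwaway root CA (hypothetical name; nobody else trusts this root).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Test Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# 2. A server key and certificate signing request for a hypothetical site.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/site.key" -out "$WORK/site.csr" >/dev/null 2>&1

# 3. The CA "vouches" for the site by signing the request with its root key.
openssl x509 -req -in "$WORK/site.csr" \
  -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 1 -out "$WORK/site.pem" >/dev/null 2>&1

# 4. An unrelated root CA: what a browser's trust store looks like from the
#    point of view of a CA it has never heard of (or has stopped trusting).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Unrelated Root" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# verify_chain TRUSTSTORE LEAF: prints "trusted" if the leaf chains to a root
# in TRUSTSTORE, "untrusted" otherwise (same decision a browser makes).
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

with_root=$(verify_chain "$WORK/root.pem" "$WORK/site.pem")
without_root=$(verify_chain "$WORK/other.pem" "$WORK/site.pem")
echo "issuing root in trust store:     $with_root"
echo "issuing root not in trust store: $without_root"
```

The certificate itself is identical in both runs; the only thing that changes is whether the verifier trusts the root that signed it.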
There are a lot of strict rules a CA must abide by in order to be considered trustworthy. So if a CA is caught engaging in shady behavior, browser and operating system vendors will stop trusting it. In the web browser example, that means the browser refuses to initiate an encrypted connection and shows users a warning that the site they want to visit is not secure. That would be especially painful after you went through all the trouble of buying an SSL, only for it not to work.
Make sure this doesn’t happen to you by only buying SSL from a reputable CA.