SSL Certificate Options

In order to ensure a client has end-to-end security when connecting to a website, an SSL certificate is issued to the server which guarantees the authenticity of the host. This check is usually done seamlessly behind the scenes by a browser. There are a variety of different types of SSL certificates that can be installed for different purposes.

The certificate types offered to sites hosted by the BC Government include:

  • Standard SSL - single domain name.

  • Advantage SSL - two domain names.

  • Extended Validation - provides additional validation to the browser certifying the organization.

  • Unified Communication Multi-Domain - secures multiple domains, subdomains, or hostnames.

  • Code Signing - applicable to sites wishing to distribute code, and validate installed applications.

  • Wildcard - secures many sites within a subdomain (*.domain). Applicable for mass virtual web hosting architectures, for example shared web hosting, reverse proxies, and dedicated web hosting with many related websites. Requires additional scrutiny as there are additional security considerations compared to other certificate types.

  • Private - appropriate for internal servers (such as server.dmz). Requires root cert to be distributed to customers.

In most cases for government sites, a Standard or Advantage certificate should be sufficient. If the site has subdomains, it may be less clear as to the best route. Some questions that may naturally arise when deciding on a certificate type include:

  • What is the cost?

    • Standard - $200 per year.

    • Multi-domain - The basic license is $530/year. This includes the primary DN and the www. prefix, plus the first 4 additional DNS names in the SAN extension. After that, additional DNS names are $75/year, up to a maximum of 255 DNS names.

    • Wildcard - $1000 per year.

  • What is the request/renewal process like?

  • What’s the distribution process like across multiple sites?

    • For each type, the certificate needs to be distributed after issuance to each host. For multi-domain, the certificate also needs to be re-issued and re-distributed to every site every time a new domain is added to the certificate, which is an important consideration if you plan on adding sites after the initial certificate is created.

It is important to consider these differences when determining the appropriate certificate for your subdomains. There can be considerable cost savings as you add domains to a certificate; however, you should also consider the administration effort of distributing certificates if your domains are being added over time.
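
The following is an added example, not part of the original page: it applies the prices listed above to a set of hostnames and checks which of them a wildcard name actually matches (a wildcard matches exactly one left-most label, so neither the bare parent domain nor deeper names are covered). The hostnames are constructed; pricing a wildcard together with Standard certificates for unmatched names, and counting the 255-name limit against the additional names only, are assumptions.

```python
# Annual prices taken from the list above.
STANDARD_PER_NAME = 200     # Standard: one certificate per domain name
MULTI_BASE = 530            # Multi-domain: covers primary name and its www. prefix
MULTI_INCLUDED_EXTRA = 4    # first 4 additional SAN names are included
MULTI_EXTRA_PRICE = 75      # each further DNS name
MULTI_MAX_NAMES = 255       # assumption: limit applies to the additional names
WILDCARD = 1000


def wildcard_covers(parent, host):
    """True if *.parent matches host, i.e. host is exactly one label below parent."""
    host = host.lower().rstrip(".")
    suffix = "." + parent.lower().rstrip(".")
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def multi_domain_cost(hosts, primary):
    """Annual multi-domain cost, or None if the name limit is exceeded."""
    primary = primary.lower()
    extra = {h.lower() for h in hosts} - {primary, "www." + primary}
    if len(extra) > MULTI_MAX_NAMES:
        return None
    return MULTI_BASE + MULTI_EXTRA_PRICE * max(0, len(extra) - MULTI_INCLUDED_EXTRA)


def compare(hosts, primary):
    """Annual cost of each option for the given hostnames."""
    hosts = sorted({h.lower() for h in hosts})
    uncovered = [h for h in hosts if not wildcard_covers(primary, h)]
    return {
        "standard": STANDARD_PER_NAME * len(hosts),
        "multi_domain": multi_domain_cost(hosts, primary),
        # Assumption: each name the wildcard misses gets its own Standard cert.
        "wildcard": WILDCARD + STANDARD_PER_NAME * len(uncovered),
        "wildcard_uncovered": uncovered,
    }


if __name__ == "__main__":
    # Constructed hostnames for illustration only.
    sample = ["dept.example", "www.dept.example"] + [
        f"{c}.dept.example" for c in "abcdef"
    ]
    for option, value in compare(sample, "dept.example").items():
        print(f"{option}: {value}")
```

Because a multi-domain certificate must be re-issued and re-distributed whenever a name is added, rerun the comparison with the hostnames you expect to have later, not only the ones you have today.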
