
Types of server certificate




What is an SSL Web Server certificate?

An SSL Web server certificate is a fully-authenticated certificate which includes the following information:
  • The name of the person or organisation to whom it has been issued (the Organisation field)
  • The part of the organisation or the trading name to which it has been issued (the Organisational Unit field)
  • The country in which the person or organisation is based
  • The state, province or county in which the person or organisation is based
  • The town or city in which the person or organisation is based
  • The name of the server to which the certificate will enable secure connections - e.g. secure.herald.co.uk (this is the Common Name field).

The certificate will also include a public key belonging to the person or organisation to whom the certificate has been issued.

The certificate is signed by the Thawte Premium Server CA root certificate and will be accepted as a trusted certificate by any software or browser which includes that root certificate (in practice this should be all current software which uses SSL).

Why might I buy an SSL Web Server certificate? Why might I not want to buy an SSL Web Server certificate?

You might buy an SSL Web Server certificate to use for:
  • online shopping/e-commerce
  • transmission of other sensitive data
  • extranet/intranet use
  • use with mobile devices

You might not buy an SSL Web Server certificate if:

  • you are expecting significant traffic from people using older browsers, and you want/need to offer those people strong encryption (consider a SuperCert instead)
  • you are securing an application that will be used only by your own staff, or by people with whom your organisation has an existing relationship (consider an SSL123 certificate instead)
  • you are securing a server-to-server application (consider an SSL123 certificate instead, since servers will not generally check the content of the certificate beyond the server name)
  • you need better brand protection/awareness than the SSL Web Server certificate offers (consider an Extended Validation (EV) certificate instead)
  • you need to secure multiple servers under the same domain (consider a wildcard certificate)
  • you need to secure a private IP address (consider an SSL123 certificate instead)

What is an SSL123 certificate?

An SSL123 certificate is a domain-validated certificate which includes the following information:
  • The name of the server to which the certificate will enable secure connections - e.g. secure.herald.co.uk (this is the Common Name field).

The certificate will also include a public key belonging to the person or organisation to whom the certificate has been issued.

The certificate is signed by the Thawte Server CA root certificate, and will be accepted as a trusted certificate by all software or browsers which include that certificate (in practice this should be all current software using SSL).

Why might I buy an SSL123 certificate? Why might I not want to buy an SSL123 certificate?

You might buy an SSL123 certificate to use for:
  • Outlook Web Access or other webmail applications
  • use with mobile devices
  • intranets, extranets, Sharepoint etc.
  • cases where you cannot easily prove the existence of a trading or business name, but still require security for your site
  • cases where you cannot easily prove ownership of the domain under which you require the certificate, but do have access to mail at that domain (i.e. you have use of the domain but perhaps not clear ownership)
  • server-to-server applications (e.g. mail servers)

You might not buy an SSL123 certificate if:

  • you are expecting visitors to your site with whom you do not have a prior relationship, and who might therefore want to check to whom they are sending their data (consider an SSL Web Server certificate, SuperCert or EV certificate instead)
  • you do not have email addresses visible in the WHOIS data for your domain (e.g. .co.uk domains) and cannot receive email at your domain (consider an SSL Web Server certificate instead)
  • you require a fully-authenticated certificate (consider an SSL Web Server certificate, SuperCert or EV certificate instead)

What is the difference between an SSL Web Server certificate and an SSL123 certificate?

There are two differences between an SSL Web Server certificate and an SSL123 certificate; one major, one minor.

An SSL Web Server certificate is what is called a fully-authenticated certificate. (This is also true of SuperCerts, Extended Validation (EV) certificates and wildcard certificates -- in fact all of the other types of server certificates that Thawte sells, except for the SSL123 certificate). This means that:

  • the certificate contains information relating to the person or organisation to whom it was issued, as well as to the server name for which it was issued. This information usually includes the person or organisation's name and location details;
  • Thawte have taken steps to confirm that the information contained in the certificate is correct as of the date that the certificate was issued, and have confirmed with the person or organisation concerned that the certificate should be issued.

(Note that this does not mean that Thawte have validated the organisation's business practices.)

In contrast, a domain-validated certificate such as the SSL123 certificate does not contain data relating to the organisation to which the certificate was issued. Such a certificate only contains the server name for which the certificate was issued. Thawte has not verified any trading information or organisational information relating to that domain, only that the person or organisation requesting the certificate can receive mail either at a mailbox associated with the domain at the domain's registry (usually this means a mail address listed in the WHOIS details for the domain), or at a system-level or role account mailbox at the domain itself (e.g. administrator@example.com).

What is a SuperCert?

A SuperCert contains the same information as an SSL Web Server certificate and works in the same way, except that it can force some older browsers to use stronger encryption than they might otherwise be capable of using. It's aimed at organisations who need to provide the highest available levels of security for as many of their users as possible.

There is some slightly more technical discussion about the differences between an SSL Web Server Certificate and a SuperCert available on this page.

Why might I buy a SuperCert? Why might I not want to buy a SuperCert?

You might buy a SuperCert if:
  • you need to provide strong encryption to your visitors, and you are expecting significant numbers of visitors to be using older browsers

You might not buy a SuperCert if:

  • all the visitors to your site are using relatively modern browsers (consider an SSL Web Server certificate or EV certificate instead)
  • secure connections to your site are using technology other than browsers (the technology which causes older browsers to be pushed up to stronger encryption levels is specific to web browsers and not generally found in other technology)
  • you are serving mobile users (many mobile devices have difficulty with chained certificates, and the SuperCert is a chained certificate; consider an SSL Web Server certificate or an SSL123 certificate instead, neither of which is chained)

What is an Extended Validation (EV) certificate?

Extended Validation certificates are a relatively recent innovation. They are issued only after even more rigorous checks than the standard authentication process. They produce a visible green address bar in IE7 which includes the server name, the name of the organisation to which the certificate was issued, and the name of the certification authority that issued the certificate (in this case, Thawte).

More information about EV certificates can be found here.

Why might I buy an Extended Validation (EV) certificate? Why might I not want to buy an EV certificate?

You might buy an EV certificate if:
  • you require visible proof that your certificate has been issued with the highest standard of authentication (e.g. financial institutions)

You might not buy an EV certificate if:

  • you are a UK sole trader or partnership (you have to be registered with a central authority to be eligible for an EV certificate, which rules out UK sole traders and (non-limited) partnerships) - consider an SSL Web Server certificate
  • you have a need for your certificate to be issued quickly -- the EV authentication generally takes considerably longer than that for other types of certificate (consider an SSL Web Server certificate or, in extreme cases, an SSL123 certificate)
  • your certificate will be used to secure server-to-server traffic only (consider an SSL123 certificate)
  • you are serving mobile users (as with SuperCerts, EV certificates are chained certificates, and many mobile devices have problems with chained certificates; consider an SSL Web Server certificate or SSL123 certificate instead)
  • you require both extended validation and step-up technology as used in SuperCerts (Thawte does not have a product that combines both of these -- speak to Verisign)

What is a wildcard certificate?

A wildcard certificate is a certificate that can secure multiple server names under the same domain. It is issued to (for instance) *.example.com, and could then be used to secure secure.example.com, customers.example.com and www.example.com. (But it won't necessarily work for secure1.something.example.com -- that is browser-dependent.)

It does not allow you to secure multiple instances of the same server name across multiple physical servers, for instance in a load-balancing situation; for that, you need a normal certificate plus additional licences.

Normally it makes financial sense to consider a wildcard certificate if you have more than four or five servers under the same domain which need to be secured. You might consider a wildcard certificate with fewer servers if you have fewer IP addresses than servers that you need to secure; normally you require a separate IP address for each server you are securing, whereas a wildcard certificate requires only one IP address for all the servers it secures. (If you're not sure whether this applies to you or not, contact us.)
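
An added Python example (not from the original FAQ and not Thawte's code) of the name matching described above for *.example.com. By default `*` stands for exactly one left-most label, as in RFC 6125; `star_spans_labels` is a hypothetical switch modelling a lenient client, which is why deeper names such as secure1.something.example.com are browser-dependent. The function names are illustrative.

```python
def labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern, hostname, star_spans_labels=False):
    """Return True if the certificate name `pattern` covers `hostname`.

    Default: '*' stands for exactly one left-most label (RFC 6125).
    star_spans_labels=True is a hypothetical switch modelling a lenient
    client in which '*' may absorb several labels.
    """
    p, h = labels(pattern), labels(hostname)
    if "" in p or "" in h or "*" in hostname:
        return False                  # malformed name on either side
    if "*" not in pattern:
        return p == h                 # ordinary certificate: exact match
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False                  # only a whole left-most '*' is accepted
    suffix = p[1:]
    if len(suffix) < 2:
        return False                  # refuse over-broad names such as '*.com'
    if h[-len(suffix):] != suffix:
        return False                  # different parent domain
    extra = len(h) - len(suffix)      # labels the '*' would have to cover
    return extra >= 1 if star_spans_labels else extra == 1


def coverage(pattern, hostnames):
    """Map each hostname to (strict result, lenient result)."""
    return {
        host: (wildcard_matches(pattern, host),
               wildcard_matches(pattern, host, star_spans_labels=True))
        for host in hostnames
    }


if __name__ == "__main__":
    # Server names taken from the FAQ text, plus the bare domain.
    names = ["secure.example.com", "customers.example.com", "www.example.com",
             "secure1.something.example.com", "example.com"]
    for host, (strict, lenient) in coverage("*.example.com", names).items():
        print(f"{host:32} one-label={strict!s:5} multi-label={lenient}")
```

Note that the bare domain example.com is not covered under either rule, so it needs its own name in a certificate.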

Why might I buy a wildcard certificate? Why might I not want to buy a wildcard certificate?

You might want to buy a wildcard certificate if:
  • You want to secure more than four or five server names under a single domain on one physical server, or on a relatively small number of physical servers.
  • You want to secure fewer server names than this, but are restricted to fewer IP addresses than you would otherwise require.
  • You want to be able to add new secured servers under the same domain without needing to deploy a new certificate for each of them.

You might not want to buy a wildcard certificate if:

  • You are running multiple servers but spread across a relatively large number of physical servers (consider separate certificates instead)
  • You want to secure fewer than four or five names (separate certificates will probably work out cheaper for you)
  • Your server software will not support it (a very few do not; Plesk requires some coaxing to generate the correct signing request, WebLogic does not support wildcard certificates, and we've seen problems with Apache on Macs)
  • You are supporting users who are still using Windows 95 or Windows 98 (the wildcard certificate contains Unicode characters, and Win95/Win98 do not support those in certificates)

What is a test certificate?

Thawte supply free certificates for testing purposes, which have 21-day validity and which are signed with the Thawte Test Server CA root certificate.

Note that this root certificate is NOT embedded in browsers by default, and thus someone browsing to a website using a test certificate will see a warning that the certification authority which signed the certificate is not recognised by the browser.

Why might I want a test certificate?

Most usually you would request a test certificate to make sure that you were comfortable with the process of generating your CSR and with the process of installing a certificate. They are not designed for use in live systems!



Last updated: March 25th 2008
Last checked: March 25th 2008

© Copyright Herald Information Systems, 1999 - 2008.
