The Top 5 Most Popular SSL Certificate Authorities Reviewed

As the internet moves towards a more secure and privacy-respecting web with HTTPS a standard feature of all websites, it’s more important than ever that site admins get a hold of an SSL certificate from a registered certificate authority.

Let’s Encrypt is probably the most well-known certificate authority right now since it’s issuing certificates for free for the public’s benefit. But there are plenty more certificate authorities out there providing similar services.

So which one is the best?

To help you decide on the right certificate authority for you, in this post, we’ll cover how to choose the right one for your needs and provide a side-by-side comparison of the top five certificate authorities.

What to Look Out for in a Certificate Authority

When it comes to choosing a Certificate Authority (CA), it comes down to knowing what you need and which CA has it.

To help you decide, here are the main types of SSL certificates to choose from:

  • Domain Validation (DV) – Certificates that are quick to be issued since only the domain is verified for legitimacy.
  • Wildcard – The root domain and its sub-domains can be included in a single certificate.
  • Extended Validation (EV) – Distinguishable by the browser’s address bar being colored green as opposed to only the https text. Both the legal identity of the business or organization and the domain need to be verified for legitimacy.
  • Unified Communications (UC) – Used for encrypting the connection for use with email and other communication software. Multiple domains can be included in one certificate, and it’s also a type of Subject Alternative Name certificate.
  • Subject Alternative Name (SAN) – The root domain and related domains that are linked can be included under one certificate
  • Organization Validation (OV) – Similar to extended validation certificates in that both the legal identity of the business or organization and the domain are verified for authenticity, except it doesn’t include a green address bar.

There are also different kinds of encryption that you may come across when searching through different Certificate Authorities:

The larger the key size in bits, the better the security. However, ECC is stronger than RSA at a given key size, so an ECC 256-bit certificate is stronger than an RSA 2048-bit certificate.

The difference between RSA and DSA is that the former is faster at validating signatures, which are encrypted keys that are used in the process of issuing an SSL certificate. RSA is also slower at creating signatures. DSA encryption is the opposite since it’s faster at creating signatures, but it’s slower when validating them.

Knowing the difference between the most common types of certificates is a start, but now it’s time to determine which kind of certificate you need.

Which Certificate Do I Need?

As a general rule of thumb, here are the types of sites that commonly need each kind of certificate mentioned above:

  • Domain Validation – Any WordPress site, any site that has a form or basic sites
  • Extended Validation – eCommerce, business or organization sites or any site that wants to present themselves as extremely trustworthy
  • Unified Communications – For email servers and it’s also a requirement for Microsoft Exchange
  • Subject Alternative Name – You have multiple domains that are all related but aren’t necessarily sub-domains and can include email or IP addresses, DNS name or URL
  • Wildcard – For WordPress Multisite networks set up with sub-domains
  • Organization Validation – Business or organization sites which need to appear as trustworthy
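
The wildcard and SAN cases above come down to which hostnames a certificate's name list covers. The following is an added example, not code from the original article: it applies the usual wildcard rule (the `*` stands for exactly one left-most label) to a constructed multisite network. The function names and the `SITES` list are assumptions made for illustration.

```python
"""Added example: which hostnames a certificate's SAN list covers."""


def _labels(name):
    # DNS names are case-insensitive; a trailing root dot is not significant.
    return name.lower().rstrip(".").split(".")


def san_matches(san_entry, hostname):
    """Return True if one SAN entry covers hostname.

    Wildcard handling follows the common RFC 6125 reading: "*" must be the
    entire left-most label and stands for exactly one label.
    """
    pattern, host = _labels(san_entry), _labels(hostname)
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # Refuse over-broad patterns such as "*.com" and any second wildcard.
        if len(pattern) < 3 or "*" in "".join(pattern[1:]):
            return False
        return pattern[1:] == host[1:]
    return pattern == host


def uncovered(san_list, hostnames):
    """Hostnames that no entry in san_list covers (a browser would warn)."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]


def plan_san_list(root, hostnames):
    """A compact SAN list covering hostnames, given the site's root domain."""
    root_labels = _labels(root)
    apex, direct_subs, explicit = False, set(), set()
    for name in hostnames:
        labels = _labels(name)
        if labels == root_labels:
            apex = True
        elif labels[1:] == root_labels:
            direct_subs.add(".".join(labels))   # one level below the root
        else:
            explicit.add(".".join(labels))      # deeper sub-domain or other domain
    plan = [".".join(root_labels)] if apex else []
    if len(direct_subs) > 1:
        plan.append("*." + ".".join(root_labels))
    else:
        explicit |= direct_subs  # a single sub-domain does not need a wildcard
    return plan + sorted(explicit)


# Constructed sample: a sub-domain multisite network plus one mapped domain.
SITES = ["example.com", "blog.example.com", "shop.example.com",
         "a.b.example.com", "example.net"]

if __name__ == "__main__":
    wildcard_only = ["example.com", "*.example.com"]
    print("not covered by wildcard cert:", uncovered(wildcard_only, SITES))
    print("SAN list that covers everything:", plan_san_list("example.com", SITES))
```

A wildcard entry alone leaves the second-level sub-domain and the mapped domain uncovered, so those names have to be listed as additional SAN entries.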

Now that you have a better idea of the kind of SSL certificate you need, let’s take a look at which of the top Certificate Authorities can fill your encryption requirements.

Top 5 Certificate Authorities Reviewed

There are many Certificate Authorities on the market, but these are the top five most popular options. Below is a review of each of them based on five categories: price, the variety of the certificates offered, the warranty that’s included with certificates, compatibility across browsers and mobile devices and the included features.

All of these Certificate Authorities issue certificates that work and that are secure. That’s why there isn’t a category in the review for security. It all comes down to your needs and the specific features and capabilities that are included when a certificate is issued from these five options.

Note: The details and warranty dollar amounts included for each Certificate Authority are accurate at the time this review was published.

Let’s Encrypt

Let’s Encrypt is an open source Certificate Authority that’s backed by companies such as Automattic, Mozilla, Sucuri, SiteGround, Facebook, Chrome and many more. It offers RSA 2048-bit encryption with ECDSA encryption currently in development.

Getting a DV certificate and renewal is free for everyone and you can have as many as you want. With the Certbot installer, you can also have multiple certificates up and running in seconds. Issuing a SAN or UC certificate can also be done by adding multiple names to an otherwise DV certificate.

Even though the certificates are free, that doesn’t mean they’re not secure. As I mentioned earlier, they’re just as secure as most other Certificate Authorities’ certificates, so it’s a suitable option if you’re on a budget. Unfortunately (and understandably), free certificates don’t come with any kind of warranty or extra features.

It’s not the kind of certificate you can use for any given situation, but it’s a viable option for many sites that only require domain validation.

The Good

  • You can have as many certificates as you want for free
  • All renewals are free and can be automated
  • Certificates are issued instantly
  • Compatible with most major browsers and devices

The Bad

  • Only DV, SAN and UC certificates are available
  • There are obscure devices and browser versions that aren't compatible
  • No warranty is available
  • There aren't any additional features

Our Verdict

  [Rating graphics: Price, Certificate variety, Warranty, Compatibility, Features, Overall]

Comodo

Comodo offers RSA 2048-bit encryption for DV, wildcard and EV certificates. UC certificates have 128-bit or 256-bit encryption. It’s also the only Certificate Authority included in this review that offers premium SSL certificates with a free trial, though the trial is only for a DV certificate.

Other than the free trial, there are four different types of certificates: DV, wildcard, EV and UC.

When you get an SSL certificate, it also comes with a warranty no matter which one you choose, but the amount varies between certificates.

One of the best features of Comodo is that you can choose to upgrade your certificate’s warranty if the largest amount isn’t already included. You can also get a Comodo logo to place on your site to build your visitors’ trust, but it’s only available for wildcard and EV certificates.

Other than that and customer support, there aren’t other additional features, but that’s reasonable given that it’s the most affordable option directly after Let’s Encrypt.

The Good

  • There's a free 90-day trial for a DV certificate
  • PCI and site scanning is free for one certificate
  • Warranties are available of $250,000 to $1,750,000 for certain certificates
  • You can upgrade the warranty on some of the certificates
  • It's the second most affordable option
  • Compatible with all major browsers and mobile devices

The Bad

  • Scanning features are only available for one certificate per account
  • A trust logo for your site is only included for wildcard and EV certificates
  • May not be compatible with less popular browser versions and mobile devices

Our Verdict

  [Rating graphics: Price, Certificate variety, Warranty, Compatibility, Features, Overall]

Symantec

Symantec is the most expensive Certificate Authority in this review, but it also comes with the most features. Each certificate includes ECC 256-bit encryption, a Symantec logo to place on your site, daily malware scanning as well as UC and DSA support for your certificates.

There are also five different types of certificates: Secure Site (DV), Secure Site Pro (DV), Secure Site Wildcard, Secure Site with EV and Secure Site Pro with EV.

Vulnerability scanning is an option, but only for Secure Site Pro, Secure Site with EV and Secure Site Pro with EV certificates. Symantec is also one of the Certificate Authorities that offer the highest warranties.

Although each certificate has a higher price point, they’re necessary for anyone who requires an SSL certificate that complies with certain standards of government agencies. It’s also a good option for high-profile or high-traffic sites.

The Good

  • All certificates come with a Symantec logo to place on your site
  • Nearly 100% compatibility with all browsers and mobile devices
  • DSA certificates are a core feature and meet certain government agency standards
  • Includes high warranties of $1,500,000 or $1,750,000.
  • Every certificate comes with daily malware scans and UC support

The Bad

  • Vulnerability scans are included with only certain certificates
  • The most expensive option of the Certificate Authorities in this post

Our Verdict

  [Rating graphics: Price, Certificate variety, Warranty, Compatibility, Features, Overall]

Digicert

Digicert has mid-range pricing since it offers features for every certificate including a warranty of $1,000,000, free re-issues and a logo you can add to your site to build visitor confidence. It also supports RSA 2048-bit, 128-bit and 256-bit encryption.

There are five different types of certificates that are available: SSL Plus (DV), EV, Multi-Domain (UC/SAN), EV Multi-Domain and Wildcard Plus.

While Digicert’s certificates are compatible with all major browsers and mobile devices, there may be some versions or devices that aren’t supported but are also not widely used.

If you need a warranty higher than the base amount offered by some other Certificate Authorities, and you also need a site logo for your certificate type that isn’t available elsewhere within your price range, then Digicert is worth a closer look.

The Good

  • Free certificate re-issues
  • Warranty of $1,000,000 for all certificate types
  • Compatible with all major browsers and mobile devices
  • All certificates include unlimited server licences

The Bad

  • May not be compatible with less popular browser versions and mobile devices
  • You need to sign on for multiple years to get a certificate discount

Our Verdict

  [Rating graphics: Price, Certificate variety, Warranty, Compatibility, Features, Overall]

GeoTrust

GeoTrust is similar to Digicert: it also has mid-range prices for its certificates, with features that set it apart from other Certificate Authorities such as unlimited server licences, free re-issues of certificates and up to 24 names per certificate, no matter which certificate you choose.

GeoTrust also has five different certificate types: EV, wildcard, OV, wildcard with OV, and DV. Each certificate supports 2048-bit encryption for root domains and 256-bit encryption for all other names.

While GeoTrust certificates are compatible with over 99% of browsers, only major mobile devices are supported.

While most Certificate Authorities issue their own certificate for their site, the GeoTrust site has a Symantec certificate installed, despite selling certificates for businesses.

GeoTrust is a suitable certificate authority for businesses, but at the same time, they don’t seem to trust their own certificates on their own site so it raises a few questions and eyebrows. Still, they offer certificates suitable for small to medium-sized businesses and you can’t exactly fault them for knowing what they are and wanting a higher level of encryption than what they offer.

The Good

  • Free certificate re-issues
  • Compatible with major mobile devices and over 99% of browsers
  • All certificates include unlimited server licences
  • Warranties of $500,000 to $1,500,000 are available

The Bad

  • The GeoTrust site has a certificate issued by Symantec
  • Can only issue up to 24 UC/SAN certificates
  • May not be compatible with all mobile devices and versions

Our Verdict

  [Rating graphics: Price, Certificate variety, Warranty, Compatibility, Features, Overall]

Comparing the Top 5 Certificate Authorities

Now that the five most popular Certificate Authorities have been reviewed, you can check out each of them compared side-by-side in each category.

[Side-by-side rating graphics for Let’s Encrypt, Comodo, Symantec, Digicert and GeoTrust in each category: Price, Certificate Variety, Warranty, Compatibility, Features, Overall]

Choosing the Best Certificate Authority

As mentioned earlier, each Certificate Authority in this comparative review offers secure SSL certificates and choosing one is dependent on your needs.

To aid in your decision-making process, here are some recommendations based on each Certificate Authority’s best features:

  • If you’re on a budget or run a basic site such as a personal WordPress blog, portfolio site or small business site, check out Let’s Encrypt or Comodo.
  • Symantec is the best option if you need DSA, ECC or the highest level of encryption.
  • If you need site scanning for vulnerabilities or malware, take a look at Comodo or Symantec.
  • Comodo, Symantec and GeoTrust all have the highest warranties.
  • If you need a fairly high warranty at a reasonable cost for DV, wildcard or SAN certificates, check out Digicert.
  • For unlimited server licenses or free certificate re-issues, consider Digicert or GeoTrust.
  • Comodo, Symantec and Digicert all offer their logos to place on your site to help increase your visitors’ trust.

Overall, you need to decide which kind of certificate fits your specific needs and which features you require. Then, you can choose a Certificate Authority that includes everything you need at a price that fits into your budget.

Jenni McKinnon
Were you able to choose a Certificate Authority based on these reviews? Are you having troubles deciding on one? Have you chosen an SSL certificate from a different Certificate Authority and which one? Feel free to share your experience in the comments below.

43 Responses

    • Staff

      Hallo AvidNetizen

      Having an SSL certificate is a must if you want to be ‘considered worthy’ by Google. Customers want to know that your site is safe. In today’s market, our info is literally littered across the net and if we don’t have layers of security, it is open season for non-ethical hackers or crooks. It can be a costly expense. Using Let’s Encrypt is great. I once read that they are working towards making SSL certificates free, as in no more paid certificates at all, but I can’t remember where. Testing different options will allow you to make the best choice.

      Happy testing,

      Michelle

  • Design Lord, Child of Thor

    I have been looking at getting an SSL cert for my multisite network that will extend coverage to my clients. I am more confused than ever as to what is the best option. I have a subdomain multisite network with domain mapping. Is this even possible with domain mapping? How does it work?

    Research leads me to believe that there are various options such as a wildcard SSL will work for subdomains, but does that include mapped domains?

  • New Recruit

    I’m surprised the review of certificate authorities didn’t include a discussion or review of their certificate policy or certificate practices statement. If you want people to trust your site based upon the certificate you choose, then you need to know how they maintain trust to create those certificates.

    Some of these CAs take better precautions than others. I know that reading a CPS is dull and dry, but it could make the difference of getting a client or not, as you mentioned with government agencies.

    Do your research to know what you’re buying. A certificate is just a digital file that represents trust. The CPS shows whether you should trust the file or not.

    • Staff

      Hey William.

      Good point. Researching before making a choice is always the right thing to do. I think things to consider are the reviews for one. Then checking out what they are all about. You have to know what you are implementing. Read the ‘fine print’ even if it is boring as hell. Look at what is provided and how they encrypt things by assessing their features offered.

      Michelle

  • Design Lord, Child of Thor

    One SSL certificate on one IP address is an outdated restriction as nowadays SNI is commonly supported by webhosting technologies. But, more importantly, I am missing StartSSL (StartCom) CA in the list! Although currently, they have some (probably technical) problems with their root CA which has led to distrust announcement from major browser manufacturers.

  • New Recruit

    Let’s see… The list here recommends some rogues, to be polite. Last year Comodo attempted to trademark free and open-source Let’s Encrypt. That attempt failed, but puts them squarely in the sketchy biz column (never mind their crap Chrome-knockoff browser). In Dec 2015 Google yanked its trust from Symantec after the CA suddenly announced it was sunsetting its Class 3 Public Primary CA certificates and told its customers to get new ones (not the first time they’ve mis-issued certs). Fortunately the author calls out GeoTrust on its own bizarre track record, and doesn’t bother with StartSSL which is untrusted by Google thanks to its hook-up with sloppy and universally untrusted WoSign.
    I don’t understand why the author has any problem with Digicert who, along with Let’s Encrypt, has managed to keep their private keys private and their business clean for well over a decade. IMO the choices are Let’s Encrypt for DV, and Digicert for anything else. YMMV.

    • Staff

      Hallo Josh.

      In this article, we were doing a product review. So it means that we use the product on a live or local test environment to see how the product does and if it delivers what it promises. Namecheap is a domain and hosting provider. It would totally defeat the purpose and remove the focus from the product usability. It would also be impossible to test this on every single domain provider out there.

      Hope this explains our method of writing articles.

      Michelle

  • New Recruit

    If I had read this article before starting my research, it would have helped me save the time that I spent last week.
    After comparing the prices, I chose SAN for my domain mapping over the Wildcard one. The main reason, after talking with the provider’s support, was that SAN gives you the option to add more domains after the first certificate is issued. This is why it is called re-issue for free.
    It’s not too complicated a thing to understand how SSL works, but it takes much more time than I thought.

  • Ken
    New Recruit

    It’s a good list but doesn’t include anyone that has what I need. That being a personal certificate of level 2 or better. Some of the stuff I do is going to require one in the near future and unfortunately, I’m not DoD or any of the other ‘alphabet soup’ groups. If you know of one I would appreciate hearing of it.

    • Hey Paul,

      Yes, you’re right, there are rate limits, but outside of that, you can have as many certificates as you want. You could issue certificates at the weekly limit, every week for the rest of your life if you wanted so it is unlimited in that way. I couldn’t dig into it here because of the nature of this post, but I did write a whole post on Let’s Encrypt before where I mentioned all this in detail. That’s the reasoning behind what I wrote above, anyway.

      Cheers,

      Jenni

  • New Recruit

    Hi All,

    This will be a rather lengthy post so bear with me.

    As a Web Security SE, I find great joy in knowing the WP community is taking a hard look at security even at the most basic level. Many of the WP sites are not merely blogs anymore but rather complex e-commerce sites. But with that said, this post is misrepresenting information to a great degree. I do wish the author and publishing team would do their due diligence before making it public, as your audience views you as the authority in your topic/s.

    When it comes to SSL/TLS certificates, it is considered a Trust Service product which does only 2 things. It encrypts information in transit, and authenticates the business/entity requesting it.

    I usually break down the 2 aspects when helping clients to select the certificate type.

    Trust
    -Domain Validation, most basic form that validates you have the right to use a specific domain name via email. Very fast issuance
    -Business Validation, authenticates the domain plus public records such as YP or D&B database. A phone call is required.
    -Extended Validation, most trusted cert that turns the URL bar green. This authenticates the business from a legal perspective. Phone verification is required through the switchboard to the HR department for employment verification. Only then will the final verification call come to you.

    Technical
    Stand alone-secures a single URL such as http://www.abc.com.
    UC/SAN-secures multiple top level domain names. abc.com and xyz.com can be in one certificate if you can provide ownership of both domains.
    Wildcard-secures unlimited sub domains under the same domain name. *.abc.com, thus payment.abc.com/vpn.abc.com/secure.abc.com/login.abc.com can be secured on 1 certificate.

    If you have a dev site or basic site with few logins, get a Domain Validation (DV) cert. If you are a place of business, go for the Organizational Validated (OV) cert. Then if you are an e-commerce site or want to show a premium image, go for the Extended Validation (EV) cert. After you pick out your cert type, we can then look at how many URLs you need to secure with the cert. That will determine whether you need a standalone, UC or Wildcard cert.

    Now as for the key sizes and exchange protocols. The most common form in today’s standard is an RSA-2048 bit key length. RSA/ECC are considered asymmetric keys used only during the validation and key exchange phases, or the Hello phase when a browser and server talk. Once the server answers back, the browser then sends a 128/256 bit encryption symmetric key to communicate during the session. The size of the key is determined when signing the CSR (certificate signing request) as it is the public key CAs use to provide your certificate. In today’s modern computing/browsing power, all certs will follow the minimum of RSA-2048 bit key length, and the 128/256 bit exchange will be determined by your browser. So unless you have a computer that is 15 years old and a very dated browser version, you will be fine. ECC on the other hand, is not actually more secure than other protocols. But it does provide a shorter key size for the same level of encryption, thus prolonging server life. With that said, there are certain browsers that don’t support ECC 100% yet. Think of it as if you owned a Tesla and lived 50 miles away from the closest charging station. Great “new” technology, but the infrastructure is not 100% yet.

    As for the different CAs you mentioned, let’s just say that not all are created equal. When it comes to certificates, you have to consider many aspects including the root ubiquity and browser compatibility. Just a little history session. In the dawn of the internet age, VeriSign, now Symantec, was the pioneer in the CA business. Thus its roots are embedded into all devices dating back to the beginning of the internet age. This is the reason why VeriSign is the premium brand, very pricy, yet it secures most of your largest financial institutions, e-commerce, government sites. Because no matter which way you turn, you can trust that the VeriSign cert will work. Then a few years down the road, other smaller CAs started to pop up since it is a good business model to generate recurring revenue. So you get the other companies like Comodo, Digicert, GoDaddy, Trustwave, Network Solutions. And during that time, VeriSign knew it needed to stay competitive in the low cost market sector, so it acquired Thawte (very popular CA based out of South Africa for the European region) and then GeoTrust/Rapid SSL (2nd most trusted CA industry wide). And on 8/9/10, Symantec acquired the VeriSign Trust Services division which includes the entire portfolio of GeoTrust, Rapid SSL, Thawte.

    That is the reason why you see a Symantec cert on a GeoTrust site. SYM owns GEO. From a pricing and feature perspective, GeoTrust has everything the other brands have. Although you can only issue up to 24 SANs on a UC cert, as a platinum partner, I can issue up to 99. It will have the unlimited re-issue and unlimited server licensing feature. On the other hand, to be compliant with Symantec, you will need to pay for additional licensing fees. It is just part of the requirement if you want your site to show it has been authenticated by the most premium brand.

    I hope this has been informative. If you have any other questions, feel free to contact me at .

    Cheers
