How do your SSL certificates work?

There are four ways for you to have an encrypted (HTTPS) site while using Lime Daley hosting services.

  1. Self-signed certificate 
  2. Shared certificate
  3. Standard certificate
  4. Let's Encrypt certificate

All methods provide the same amount of security and encryption.  The trade-offs are price versus convenience for your site's visitors.

A self-signed certificate will pop up a warning the first time a visitor reaches your site, asking them to confirm that they want to install the certificate into their browser.  Self-signed certificates are best suited to sites used mainly by a fixed group of people who rarely change, e.g. employees using an intranet site.  A self-signed certificate is free.

A standard certificate is one purchased from any vendor that sells SSL certificates (Lime Daley can purchase it for you, so you don't need to deal with the technical aspects of generating and installing it).  These certificates are the most common on current web sites.  You can pay anywhere from $30 to $400 per year for them, depending on the level of authentication you wish to purchase.

A shared certificate is a certificate issued to Lime Daley that also includes up to three other domains.  A typical visitor will not be able to tell a shared certificate from a standard one, but a technical user who examines the certificate will see that it is issued to Lime Daley as well as to your company.  This certificate costs $20 per year.

A Let's Encrypt certificate is a relatively new option, but we've been testing it for the last 9 months and have started rolling it out to eventually replace all of the other certificates.  Let's Encrypt doesn't support wildcards, so we'll still need to use purchased certificates where a wildcard is required.  The advantages are that the certificates are free, auto-renewable, and not shared, so there are no shared private keys if (when) an SSL bug affects multiple servers.  The only disadvantage is that it is one centralized system that will presumably become a target for attackers.  We're not SSL experts, but since Let's Encrypt never holds your private key, there appear to be no serious security implications unless an attacker could replace the client-side code; that code goes through validation, so this seems unlikely.  If you are more comfortable with the more expensive certificates, that is fine with us.
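As an added example (not Lime Daley's own process or tooling), the shell session below uses the openssl command line to show what "they don't have the private key" means in practice: the key is generated locally, the request sent to a CA carries only the public half, and the names a certificate covers can be listed, which is the check a technical user runs to spot a shared certificate. The domain names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Lime Daley's tooling. Needs the openssl CLI (1.1.1 or newer for -addext).
# The domain names below are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PRIMARY="www.example.com"
EXTRA="www.example.net"

# The private key is generated on our own machine; no CA is involved at this step.
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/site.key" 2>/dev/null
}

# A certificate signing request is all a CA (Let's Encrypt or a vendor) ever receives.
make_csr() {
  openssl req -new -key "$WORK/site.key" -subj "/CN=$PRIMARY" \
    -addext "subjectAltName=DNS:$PRIMARY,DNS:$EXTRA" -out "$WORK/site.csr" 2>/dev/null
}

# Option 1 above: sign the same names with our own key instead of sending a request anywhere.
make_selfsigned() {
  openssl req -x509 -new -key "$WORK/site.key" -subj "/CN=$PRIMARY" -days 365 \
    -addext "subjectAltName=DNS:$PRIMARY,DNS:$EXTRA" -out "$WORK/site.crt" 2>/dev/null
}

# Succeeds when the public key embedded in the CSR is the one derived from our private key.
csr_matches_key() {
  from_key=$(openssl pkey -in "$WORK/site.key" -pubout 2>/dev/null)
  from_csr=$(openssl req -in "$WORK/site.csr" -noout -pubkey 2>/dev/null)
  [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# Succeeds when the CSR carries no private-key material at all.
csr_has_no_private_key() {
  ! grep -q "PRIVATE KEY" "$WORK/site.csr"
}

# Lists the DNS names a certificate covers, one per line: with a shared certificate this is
# where a technical user sees more than one company's domains.
cert_sans() {
  openssl x509 -in "$WORK/site.crt" -noout -text \
    | grep -A1 "Subject Alternative Name" | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

make_key; make_csr; make_selfsigned
csr_matches_key && echo "CSR public key matches the local private key"
csr_has_no_private_key && echo "CSR contains no private key"
echo "Names covered by the self-signed certificate:"; cert_sans
```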