For a small site that needs only a simple domain-validated certificate, virtually any CA will suffice. You can do what I do—just buy the cheapest certificate you can find. Or, if you can automate certificate renewal, just get your certificates for free from Let’s Encrypt and other similar providers. After all, any public CA can issue a certificate for your web site without asking you; what’s the point of paying more if you don’t have to? If you have complex requirements, you may want to explore the commercial options, at which point you should take your time and select a CA that meets your requirements.
At a minimum, you will want to work with a CA that supports both RSA and ECDSA certificate keys. If you care about revocation, your chosen CA must support OCSP certificate revocation checking backed by robust network availability and performance.
We now finally have end-user standards for automated certificate issuance (Automatic Certificate Management Environment, or ACME for short), and you should use them wherever possible. For this, you’ll need a CA that supports automation.
- Focus and expertise
PKI is a field that requires deep expertise and dedication; it’s easy to make a big mistake. If you’re going to be relying on a CA for a critical function, you may as well choose an organization that’s serious about it. This is not easy to quantify, but you should examine the CA’s history, staff, and business direction. It’s best to work with CAs for which certificate issuance is the core part of their business.
At the end of the day, it’s all about the service. The certificate business is getting more complicated by the day. If you don’t have experts on your staff, perhaps you should work with a CA on which you can rely. Costs matter, but so do the management interfaces and the quality of the support. Determine what level of support you will require from your CA, and choose an organization that will be able to provide it when you need it.
You should be aware that if you’re getting your certificates from only one CA, that CA is your single point of failure. If your deployments are sufficiently important to justify the additional effort, consider getting your certificates from two different CAs at the same time. With overlapping certificate lifetimes, you will always have a backup certificate to use if the primary fails for whatever reason.
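The requirements above (RSA and ECDSA keys, an OCSP responder, and a second CA with overlapping lifetimes) can be checked against a certificate inventory. The following is an added example, not code from the original text; it works on constructed metadata rather than real certificates, and the CA names, dates, OCSP URLs and the 30-day margin are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CertInfo:
    """Fields you would extract from a certificate: issuer, key type,
    validity window, and the OCSP responder URL from the AIA extension."""
    issuer: str
    key_type: str  # "RSA" or "ECDSA"
    not_before: datetime
    not_after: datetime
    ocsp_url: Optional[str]


def check_inventory(certs: List[CertInfo], now: datetime, min_margin_days: int = 30) -> List[str]:
    """Return policy findings; an empty list means both key types are present,
    every live certificate names an OCSP responder, and a second CA's
    certificate stays valid for at least min_margin_days beyond `now`."""
    findings = []
    live = [c for c in certs if c.not_before <= now <= c.not_after]
    for kt in ("RSA", "ECDSA"):
        if not any(c.key_type == kt for c in live):
            findings.append(f"no valid {kt} certificate")
    for c in live:
        if not c.ocsp_url:
            findings.append(f"{c.issuer}/{c.key_type}: no OCSP responder URL")
    # Latest expiry per CA: redundancy lasts only as long as every CA still
    # has an unexpired certificate that could replace the other's.
    latest = {}
    for c in live:
        latest[c.issuer] = max(latest.get(c.issuer, c.not_after), c.not_after)
    if len(latest) < 2:
        findings.append("only one CA in use: single point of failure")
    else:
        redundancy_ends = min(latest.values())
        days_left = (redundancy_ends - now).days
        if days_left < min_margin_days:
            findings.append(f"backup coverage ends {redundancy_ends:%Y-%m-%d} "
                            f"({days_left} days): renew the second CA's certificate")
    return findings


def _day(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory (assumed CA names and dates, not real certificates).
NOW = _day(2024, 6, 1)
SAMPLE = [
    CertInfo("CA Alpha", "RSA", _day(2024, 3, 1), _day(2024, 9, 1), "http://ocsp.alpha.example"),
    CertInfo("CA Alpha", "ECDSA", _day(2024, 3, 1), _day(2024, 9, 1), "http://ocsp.alpha.example"),
    CertInfo("CA Beta", "RSA", _day(2024, 3, 15), _day(2024, 6, 15), None),
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE, NOW):
        print("-", finding)
```

Run against the sample, the check flags the missing OCSP URL on the backup and warns that the second CA's coverage ends in 14 days, which is the signal to renew the backup before the primary can fail uncovered.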