1

I've googled this and haven't really been able to find a straight answer and this question which I have read is a bit different and is a bit outdated considering the landscape has changed a lot recently.

What I want to know, is if you aren't planning to get a OV or EV certificate and just need the plain DV type certificate then we have offerings of varying types, such as:

  • Free Certificates from places such as Let's Encrypt
  • Many hosts are giving away free certificates now with their hosting (not always by Let's Encrypt)
  • AutoSSL from cPanel (Free)
  • $198 Standard SSL certs from DigiCert
  • $59 Standard Certs from RapidSSL

I could go on, but you get the point. Is there any technical difference between these certificates? From what I have read certificates from LE only last 3 months so you will have to renew them quite often - is that about it?

If there is no real difference then why not go with the free ones provided by cPanel? Why would one spend $198/year when they can get it for free?

The only other non-technical difference I can think of is that if you pay for one then you get the included insurance.

Are browsers more likely to have the ones you pay for in their CA trust store and free ones should be avoided because of this?

So I think I understand the non-technical differences, but am looking for an answer on if paying for one is going to be technically or a more "safer" option?

Brett
  • 279
  • 2
  • 7
  • You may want to look into how revocation is handled, and also how the private key is handled. It looks like the AutoSSL option generates the private key on someone else's system. Generally as long as the certificate validates in the common browsers (FF, chrome, OE, edge, safari, etc.) You're fine. – Daisetsu Oct 22 '18 at 20:46
  • Also make sure you're using TLS. SSL is not recommended anymore. – Daisetsu Oct 22 '18 at 20:47
  • There's a good QA on Server Fault specifically about Let's Encrypt vs paid certificates: [Is there a reason to use an SSL certificate other than Let's Encrypt's free SSL?](https://serverfault.com/questions/926974/is-there-a-reason-to-use-an-ssl-certificate-other-than-lets-encrypts-free-ssl) – Josh Townzen Oct 23 '18 at 02:19

1 Answers1

-1

"If there is no real difference then why not go with the free ones provided by cPanel?"

Use this interface to install an SSL certificate on a domain, subdomain, or addon domain. Before you can use this feature, you must create or purchase a certificate, and you must possess the certificate's key.

Directly from cPanel's website it looks like you MUST either purchase a cert, or you can use one cPanel provides, but that MAY be a self-signed certificate. Without seeing what is offered by cPanel, I have no way of guaranteeing what cPanel is offering is a CA signed certificate.

If you choose the free certificate from cPanel, it will tell you if it is of the self-signed variety:

When you install a certificate, this interface indicates whether your certificate is self-signed. Self-signed certificates are easy targets for attackers and generate security warnings in your users’ web browsers. Only install a self-signed certificate temporarily, until you can replace the certificate with a certificate from a valid certificate authority (CA).

You can actually look at the certificate you are provided and determine if it is "technically" the same as another.

If you want to decode a cert on your computer use the following:

openssl x509 -in certificate.crt -text -noout

If you don't mind providing your certificate to a website to be "read" (this is the same thing that happens when the cert is read while in use):

https://www.sslshopper.com/certificate-decoder.html

Usually you select a modulus value (2048 or 4096, anything less is weak), the PKI encryption type (ECC or RSA, either is safe for common use), symmetric encryption type (AES 128 is safe for common use) and any hashes (SHA-256 is common, I prefer SHA-384 because more bits). If you compare two RSA 2048, AES-128, SHA-256 certs they are technically the same regardless of how much they cost.

In March of 2020 most browsers will no longer accept SSL (any version), TLS 1.0, or TLS 1.1. If you have the option, ensure that you are using a TLS 1.2 certificate, at minimum.

Everett
  • 1,516
  • 1
  • 12
  • 20
  • 1
    From what I have seen the AutoSSL certificates cPanel provide are not of the "self-signed" variety, have even seen a few sites using them without noticing any warnings. – Brett Oct 22 '18 at 21:13
  • I accept that, but, all it takes is one place to use a self-signed cert. I'm sure MOST will use a public CA. I *think* my answer including a way to identify if a cert is self signed protects against that one time that it is. Does that work? – Everett Oct 22 '18 at 21:15
  • Any explanation with the -1 to give it some validity? – Everett Oct 23 '18 at 14:35