6 Common questions about Corporate SSL Certificate Management, answered

At Webnames Corporate, we help large businesses and corporations manage their domain portfolios, and secure their brands online with an array of services ranging from domain names, business email, SSL Certificates, DNS Hosting and more.

Over the years, we have built a platform that helps simplify and automate processes that consume the time of IT system administrators. In this article we shortlist and answer 6 frequently asked questions about SSL / TLS certificate management at large businesses:

  1. What is the difference between Extended Validation (EV) and Organization Validation (OV) for SSL/TLS certificates?
    The purpose of SSL Certificates is two-fold: to encrypt the data exchanged between a user and a web address or website, and to validate that the source of the data sent or received by a website really is who they claim to be. The difference between Domain Validation (DV), Organization Validation (OV) and Extended Validation (EV) springs from the latter purpose of SSL/TLS certificates. As the name suggests, domain validation merely ensures that the person requesting an SSL certificate from a certificate authority (such as DigiCert) also has control of the DNS of the domain name for which the certificate is being issued.

    To issue OV certificates, also known as business-validated certificates, Certificate Authorities require businesses to submit business documents or information that is used to verify the credentials of the business and ownership of the domain name. For EV certificates, the validation process requires even more information and rigorous checks that may include a phone call with a publicly listed contact number for the business. OV and EV certificates allow for the display of enhanced site seals or the company name beside the lock icon on the address bar, which can help improve the perceived credibility of a website with visitors. The exact nature of the documentation required and the validation steps for OV and EV vary from one certificate authority to another. For example, DigiCert EV SSL certificates require 9 validation steps before certificate issuance.

  2. What is a UCC SSL Certificate?
    A Unified Communications Certificate is a type of SSL / TLS Certificate that can be used across multiple hostnames (domain names and/or subdomains) with one single certificate. A UCC certificate uses Subject Alternative Names (SANs) to designate the different hostnames that are protected. SANs may be optionally included with the certificate, and additional SANs can often be purchased.

    UCC certificates offer great value for businesses and IT teams that manage several websites across many different servers, because they simplify certificate management, renewal and administration and are also highly cost-effective. UCC certificates offered by Webnames support SSL protection for up to 250 domains. UCC certificates can be found under the multi-domain filter on our SSL Finder.
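
    A coverage check for the SAN list of a multi-domain certificate, added here as an example (not Webnames code). The hostnames and function names are constructed; the wildcard entry goes beyond the text to show that a wildcard SAN covers exactly one label, and whether a given UCC product accepts wildcard SANs depends on the CA.

```python
# Added example: check which hostnames a multi-domain (UCC/SAN) certificate covers.
# SANS and SITES are constructed sample data, not taken from a real certificate.
MAX_SANS = 250  # per-certificate limit quoted in this article

SANS = ["example.com", "www.example.com", "*.shop.example.com", "mail.example.net"]
SITES = ["example.com", "WWW.example.com", "eu.shop.example.com",
         "shop.example.com", "pay.eu.shop.example.com", "autodiscover.example.net"]

def san_matches(san, hostname):
    """Match one dNSName SAN entry against a hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname              # plain entry: exact, case-insensitive
    # Wildcard entry: '*' stands for exactly one left-most label, so
    # '*.shop.example.com' covers neither 'shop.example.com' nor 'a.b.shop.example.com'.
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == san[2:]

def coverage(sans, hostnames):
    """Return covered {host: san}, uncovered hosts, and SAN entries nothing uses."""
    if len(sans) > MAX_SANS:
        raise ValueError(f"{len(sans)} SAN entries exceed the limit of {MAX_SANS}")
    covered, uncovered = {}, []
    for host in hostnames:
        match = next((s for s in sans if san_matches(s, host)), None)
        if match:
            covered[host] = match
        else:
            uncovered.append(host)
    unused = [s for s in sans if s not in covered.values()]
    return covered, uncovered, unused

if __name__ == "__main__":
    covered, uncovered, unused = coverage(SANS, SITES)
    print("covered:", covered)
    print("uncovered:", uncovered)
    print("unused SAN entries:", unused)
```

    Uncovered hostnames produce browser name-mismatch errors after installation, and unused entries are SANs that are being paid for without protecting anything.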

  3. How to install the same SSL/TLS Certificate on multiple different servers?
    If a website is hosted in the cloud or uses a multi-server architecture with load balancing, you will need to install a single SSL certificate across each of the different servers that host its content. To accomplish this, you could simply issue a certificate with a CSR and install it on the first device, re-issue it with another CSR and install it on the second server and so on.

    A pitfall of this approach is that it can be difficult to track the various installed instances of the SSL certificate should it need to be revoked. The more elegant approach is to use the Clone SSL feature (available with the Webnames Advanced SSL management toolkit), which streamlines re-issuance and allows for granular management of each instance of the SSL certificate. This allows IT admins to manage, report on and re-issue SSL certificates, and unlocks other features such as certificate tagging and revocation.

  4. What are CAA records in DNS zone files, and how are they useful for reducing SSL Certificate risk?
    CAA (Certification Authority Authorization) records are a type of DNS record used to specify the certificate authorities that are permitted to issue SSL / TLS certificates for a domain name. Webmasters and IT admins can use CAA records to set policy for different types of SSL certificates, such as selecting a separate CA for wildcard certificates and a different one for subdomains. CAA records can also be used to set up notifications for alerts if an attempt is made to issue a certificate at an unauthorized CA.

    CAA records can be a powerful safeguard against phishing and online fraud. With the increasing popularity of free SSL certificates and the rise in phishing and online fraud campaigns, sophisticated fraudsters have been observed using SSL certificates on websites that impersonate the legitimate business they are spoofing. If a CAA record is configured across all domain names including those used for brand protection purposes, it can serve as protection that flags phishing pages as ‘not secure’ on the browser. A pro-tip here is to use Multi-domain Premium DNS which allows you to configure CAA and SPF record templates for use across all the domains in your corporate domain portfolio.
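
    How a certificate authority evaluates these records before issuing, shown as an added example that is not Webnames code: it follows the CAA rules of RFC 8659, where the check happens at the CA at issuance time. The zone lines, CA domains and function names are constructed for illustration.

```python
# Added example: CAA evaluation as a CA performs it before issuance (RFC 8659).
# ZONE is constructed sample data; the CA domains are placeholders.
import shlex

ZONE = """\
example.com. 3600 IN CAA 0 issue "ca-one.example"
example.com. 3600 IN CAA 0 issuewild "ca-two.example"
example.com. 3600 IN CAA 0 iodef "mailto:security@example.com"
brand-example.net. 3600 IN CAA 0 issue ";"
"""
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(zone_text):
    """Map owner name -> [(flags, tag, value)] from presentation-format lines."""
    records = {}
    for line in zone_text.splitlines():
        fields = shlex.split(line)          # strips the quotes around the value
        if len(fields) == 7 and fields[3].upper() == "CAA":
            owner = fields[0].rstrip(".").lower()
            records.setdefault(owner, []).append(
                (int(fields[4]), fields[5].lower(), fields[6]))
    return records

def relevant_rrset(records, fqdn):
    """Climb from fqdn toward the root; the closest name with CAA records wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = records.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(records, hostname, ca_domain):
    """True if ca_domain may issue for hostname ('*.name' means a wildcard)."""
    wildcard = hostname.startswith("*.")
    rrset = relevant_rrset(records, hostname[2:] if wildcard else hostname)
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False                        # unknown critical property: refuse
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    values = issuewild if wildcard and issuewild else issue
    if not values:
        return True                         # no issue property: CAA does not restrict
    # The issuer domain precedes any ';' parameters; an empty one authorizes no CA.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in values)

def report_contacts(records, hostname):
    """iodef values: where a CA can report a request that violated the policy."""
    return [v for _, t, v in relevant_rrset(records, hostname) if t == "iodef"]
```

    A domain with no CAA records at all, like the last test case an auditor should try, leaves every CA free to issue, which is why the record needs to be published on every domain in the portfolio.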

  5. What do shorter SSL certificate lifetimes mean for corporate SSL management?
    Since September 2020, web browsers such as Google Chrome, Mozilla Firefox and Safari have implemented a policy that they will only trust SSL certificates that were issued no more than 398 days prior to the date of the visit to the website in question. Prior to this, SSL certificates could be issued for several years at a time, which simplified operations for businesses and IT teams that managed hundreds of websites and SSL certificates.

    With this change last September, it is still possible to purchase an SSL certificate for several years, but the certificate often requires reinstallation every year. Thankfully, SSL reissuance and reinstallation have increasingly become easier and automated. Contact your Webnames Corporate account manager for assistance on SSL lifecycle management and to learn how to streamline your SSL administration.

  6. Can I apply tags and filters to SSL Certificates for easier SSL/TLS certificate management?
    Corporations and businesses with hundreds of domain names often rely on geographically distributed IT system administrators who need to be able to coordinate, report on and manage their domains, SSL certificates, emails and more in a streamlined manner. Webnames Corporate Advanced SSL Admin tools enable you to tag SSL certificates across your organization and use them in conjunction with the parent-child account functionality in our Advanced Management toolkit, so that different user roles and individuals can view and manage the products they are responsible for.

    The SSL toolkit, which is billed annually at a parent-account level, is a highly cost-effective way to unlock powerful features including SSL Certificate Cloning, SSL Instance Management and SSL Tagging for renewal & lifecycle management, server or hostname-based grouping and SSL Certificate revocation.

Our account managers and support experts are seasoned at helping companies manage complicated portfolios of SSL certificates and domains. With our powerful admin tools, installation assistance services and competitive prices, you simply cannot go wrong! Explore our Advanced SSL Admin tools, compare our domain management programs to the competition and, when you are ready, get started with Webnames Corporate.