
What are duplicate SSL certificates?

@Lengel546

Posted in: #Godaddy #Https

I read about these in one of the answers at Why is godaddy HTTPS/SSL certification so much cheaper than digicert, thawte, and verisign?

I've tried Googling this particular topic but can't seem to find much information that describes what purpose a duplicate SSL certificate serves.
It'd be awesome if someone could explain this in simple terms.

10.02% popularity

2 Comments


@Heady270

The security certificate states that the certificate issuer verified the identity of the website operator. A certificate should only be issued when the identity has been verified and control over the domain name can be demonstrated.

A certificate authority may have different levels of entity verification such as:


Personal verification for an individual -- check government documents such as driver's license or passport
Corporate verification -- check corporation documents
Extended verification -- check the physical presence of the company


Different verification levels may be presented to users differently when viewing the website. For example, extended verification shows a green bar with the company name in many web browsers.

To issue a certificate for a domain, they then check that the entity has exclusive control over the domain using methods such as:


Registration information matches
Website copyright information matches
Can respond to emails at important domain email addresses


Certificate authorities compete based on:


Reputation of certificate authority
How thorough their validation is (more thorough is better for users, less thorough is easier for website operators to get a certificate and cheaper to implement).
Browser support (are their signing certificates pre-installed in all major web browsers)
Ease of use
Types of certificates offered (wildcard, alternate name)
Cost


The price of digital certificates has dropped in the last few years because discount authorities such as GoDaddy and StartSSL have started competing aggressively on cost. Older certificate authorities with historically good reputation still charge higher prices for use of that reputation.

Most users will never check who issued the certificate. As long as the browser recognizes the certificate, 99.9% of users are happy.

10% popularity

@Angie530

Well, remember that a certificate certifies something: The CA signs that "somebody came to me with the public part of a private/public key pair, and I have verified that this person controls (domain), so it is safe to use that private/public key pair for encrypted communication with (domain)".

For various reasons, you can have multiple servers handling (domain), though.

Now you either have the same private/public key pair for each of those, or you don't. If you have the same key pair, then if one of your servers is, for example, physically stolen, you need to change that key on all your servers. (Also, you need to transport the private key from one server to the others in the first place. Since the private key needs to be secret and well-protected, this can be difficult.)

On the other hand, if you have a distinct key pair for each server, you just need to revoke the one certificate for your stolen server and life goes on.
But this requires that your CA will certify multiple valid key pairs for the same domain, and that's a duplicate SSL certificate. (And you might agree that "I want the user to trust that this, too, is (domain)" could make you suspicious. If the CA revokes any previous certificates for the domain, at least the connections to the first server will break quite visibly.)

10% popularity
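The per-server key pair scenario from the answer above, as an added example that is not part of the original thread: a throwaway test CA built with the `openssl` CLI issues two certificates for the same name, one per server key pair, then revokes only the first. The CA name, the domain `www.example.test`, and the `server1`/`server2` file names are assumptions constructed for the demo.

```shell
# Constructed demo: a throwaway test CA issues two certificates for the same
# name, one per server key pair, then revokes only the "stolen" server's.
set -eu
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Demo CA
[v3ca]
basicConstraints = critical,CA:TRUE
[ca]
default_ca = demo
[demo]
database = $d/index.txt
new_certs_dir = $d
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
# Let the CA keep several valid certificates with one subject ("duplicates").
unique_subject = no
[pol]
commonName = supplied
EOF
: > "$d/index.txt"; echo 01 > "$d/serial"
openssl req -x509 -config "$d/ca.cnf" -extensions v3ca -newkey rsa:2048 -nodes \
  -keyout "$d/ca.key" -out "$d/ca.pem" -days 30 2>/dev/null
issue() {    # new key pair generated for this server, same domain name
  openssl req -new -config "$d/ca.cnf" -subj "/CN=www.example.test" -nodes \
    -newkey rsa:2048 -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null
  openssl ca -batch -config "$d/ca.cnf" -notext -in "$d/$1.csr" \
    -out "$d/$1.pem" 2>/dev/null
}
revoke() {   # mark one certificate revoked and publish a fresh CRL
  openssl ca -config "$d/ca.cnf" -revoke "$d/$1.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}
subject() { openssl x509 -in "$d/$1.pem" -noout -subject; }
key_id()  { openssl x509 -in "$d/$1.pem" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
valid()   { openssl verify -crl_check -CAfile "$d/ca.pem" -CRLfile "$d/crl.pem" "$d/$1.pem" >/dev/null 2>&1; }
issue server1; issue server2
revoke server1
for s in server1 server2; do
  valid "$s" && st=valid || st=revoked; echo "$s $(subject "$s") $st"
done
```

With `unique_subject` left at its default, the second `issue` call is refused because the CA database already holds a valid certificate for that subject.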

