Do I have to pay for a Secure Certificate?

No, but you may want to still buy a secure certificate even if there are free ones available.

The ability to offer free secure certificates has been established as a fact for cPanel servers. And I just turned it on for my clients – for use on their static or WordPress websites. These cPanel-generated certificates do show the correct browser security for most users and are backed by GlobalSign. Now that the browsers are starting to note who doesn't have a secure certificate no matter the URL, and with Google moving to eventually penalize sites for not being secure, something did have to change. The cPanel-issued certs have been underway for some time now. The Let's Encrypt movement developed parallel to cPanel's AutoInstall SSL but is no longer the only option available to hosting companies.

  • The free certificates provided by either cPanel or Let's Encrypt automatically renew on expiration, which is now 90 days. Personally, I don't have a clue why these even expire – they were just for 30 days before. I'm sure there's all sorts of technical info that I'm missing with this but the certificates expire in 90 days. On cPanel servers, they automatically renew. If using Let's Encrypt on another type of server, the automation must be set up to work; it's not the default.
  • They carry no guarantees like the paid ones do. Something goes wrong (what? I dunno but I gather something can), the website owner is liable.
  • No domain or business verification. Any domain or subdomain created on the server may have one. Anybody can get one. No matter who they are – even if they no longer have control of the domain name – i.e., no longer own it and it hasn't been repointed.

So cPanel is using Comodo signed certificates. Good certificates. The information below is the same for either Comodo or GlobalSign with one detail difference. I've used GlobalSign exclusively for years now – their basic certs allow the site to use an easy seal verification as shown below.

So purchasing the cPanel certs does not come with the seal verification. They can be cheaper (and yes, on my server they are) but for a little more per year, you can get a GlobalSign cert with the seal verification. (It's a great selling tool!) 

Paid certificates come in three main types:

Domain validated (DV) requires the domain be verified by email. If you control that email address, you can verify the domain. These low-level certificates are what most websites use. The certificates can be issued in minutes. GlobalSign's DV cert also provides website verification – a clickable seal that lets the visitor view the information. Here's a sample of what pops up if you have a GlobalSign certificate:

Organization Level certificates (OV) go one step further in validating the website/domain owner, thus taking a day or two before they are issued. The browser looks the same at first glance and in the certificate details. I don't know what information is requested for this cert.

Extended Level certificates (EV) are subject to even more vetting. According to the GlobalSign website: "Rights to use domain and extended company vetting including confirming the legal, operational and physical existence."

The visual difference is seen in the browser bar.
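
As an added example (not part of the original post), the Python below audits a certificate in the dictionary form returned by `ssl.SSLSocket.getpeercert()`: it flags a 90-day certificate whose automatic renewal has not happened and guesses the DV/OV/EV level from the subject fields. The 30-day alert threshold, the sample certificates and the subject-field heuristic are assumptions made here; the authoritative marker of validation level is the certificate policy OID, which `getpeercert()` does not expose.

```python
import ssl
from datetime import datetime, timezone

# Subject fields EV certificates carry besides the organization name (heuristic).
EV_FIELDS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into one dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic: DV names no organization, OV names one, EV adds registration data."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"
    return "EV" if EV_FIELDS.issubset(fields) else "OV"

def days_left(cert, now):
    """Whole days between `now` (an aware UTC datetime) and the notAfter date."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)

def audit(cert, now, renew_before=30):
    """Summarise one certificate; renew_before is an assumed alert threshold."""
    remaining = days_left(cert, now)
    return {"level": validation_level(cert), "days_left": remaining,
            "renewal_overdue": remaining < renew_before}

# Constructed sample data in the shape ssl.SSLSocket.getpeercert() returns.
FREE_DV = {"subject": ((("commonName", "blog.example.com"),),),
           "notAfter": "Jun 10 12:00:00 2024 GMT"}
PAID_EV = {
    "subject": (
        (("businessCategory", "Private Organization"),),
        (("jurisdictionCountryName", "US"),),
        (("serialNumber", "0000000"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "shop.example.com"),),
    ),
    "notAfter": "Mar 15 12:00:00 2025 GMT",
}
NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

if __name__ == "__main__":
    for name, cert in (("free DV", FREE_DV), ("paid EV", PAID_EV)):
        print(name, audit(cert, NOW))
```

A free certificate that still shows only 9 days left is the sign that the renewal automation is not working and needs attention before visitors see a browser warning.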

The pricing can be very different – GlobalSign's comparison table is quite clear:

Those prices are not what you have to pay for your secure certificate as each hosting company can choose the price point for their certificates. cPanel/WHM owners now can allow their customers to purchase the certificates from cPanel at a much lower price. This facility means the hosting company no longer has to be involved in the transaction and can still make a bit of money off the purchase. If the customer does not feel comfortable with this approach, the hosting company would still be glad (for a bit more money) to take care of this for the customer.



Author: Delia Wilson Lunsford, Founder & CEO, WizTech, Inc.