
April 23, 2015

Easy EV Certificates from SSLMate

Update: as of 2020, SSLMate no longer offers EV certificates since web browsers no longer display EV certificates differently. The domain validated certificates offered by SSLMate are both as secure as EV certificates and far more convenient to obtain.

SSLMate is happy to announce the availability of extended validation (EV) certificates, one of the new features in the recently-released SSLMate 1.0.0.

First, let's set the record straight on a common misconception: EV certificates do not add any additional security to the SSL connection, or make the encryption any stronger. The security of the connection is determined by the strength of your SSL server configuration, which is completely independent of the type of certificate you have. (We recommend you configure your server using sslmate mkconfig, which generates a secure configuration.)

What sets EV certificates apart from normal DV (Domain Validated) certificates is the rigor of the validation process and how much information they certify. DV certificates certify only that the bearer of the certificate controls the domain in question. EV certificates also certify the legal identity of the certificate bearer. When visiting a website with an EV certificate, web browsers display the verified legal name in the address bar:

In the example above, visitors to github.com are given assurance not only that they are visiting github.com, but also that they are visiting the website of GitHub, Inc., a U.S. company. This is beneficial given the many different TLDs and possible permutations of domain names. For instance, anyone can register a similar sounding domain name, such as git-hub.com or github.company, and obtain DV certificates for them, but only GitHub, Inc. can get an EV certificate with their name in it.
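The difference in certified information can be read from a certificate's subject. The sketch below is an added example, not SSLMate code: it takes the dictionary shape returned by Python's ssl.SSLSocket.getpeercert() and reports what identity the subject asserts. The sample certificates, the function names and the "level" labels are constructed for illustration. The check is a heuristic on subject fields only; whether a browser treats a certificate as EV also depends on the EV policy identifier and the issuing CA, which getpeercert() does not expose.

```python
# Added example: what identity a certificate vouches for, judged from its subject.
# Input is the dict shape returned by ssl.SSLSocket.getpeercert().

# Subject attributes the CA/Browser Forum EV Guidelines require, written with
# the OpenSSL long names that getpeercert() reports.
EV_SUBJECT_FIELDS = frozenset(
    {"organizationName", "businessCategory", "serialNumber", "jurisdictionCountryName"}
)

def flatten_subject(cert):
    """The subject is a tuple of RDNs, each a tuple of (name, value) pairs."""
    fields = {}
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            fields.setdefault(name, value)  # keep the first value of a repeated attribute
    return fields

def certified_identity(cert):
    """Summarise what the certificate asserts beyond control of its domains."""
    subject = flatten_subject(cert)
    if EV_SUBJECT_FIELDS.issubset(subject):
        level = "ev-style subject"      # legal entity, registration number, jurisdiction
    elif "organizationName" in subject:
        level = "organization named"    # an organization name, but not the full EV set
    else:
        level = "domain only"           # typical DV: nothing about who runs the site
    return {
        "level": level,
        "legal_name": subject.get("organizationName"),
        "jurisdiction": subject.get("jurisdictionCountryName"),
        "domains": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }

# Constructed samples (not real certificates): an EV-style subject and a
# DV certificate for a similar-sounding domain.
EV_SAMPLE = {
    "subject": ((("businessCategory", "Private Organization"),),
                (("jurisdictionCountryName", "US"),), (("serialNumber", "0000000"),),
                (("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}
DV_SAMPLE = {
    "subject": ((("commonName", "example-corp.net"),),),
    "subjectAltName": (("DNS", "example-corp.net"),),
}

if __name__ == "__main__":
    for sample in (EV_SAMPLE, DV_SAMPLE):
        print(certified_identity(sample))
```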

Another, emerging advantage of EV certificates is that, when combined with the recent HTTP Public Key Pinning (HPKP) standard, they can protect your site against certificate misissuance. Because of the more rigorous validation process of EV certificates, as well as Google's new requirement that EV certificates be submitted to several certificate transparency logs, an EV certificate for your domain is unlikely to be misissued to an unauthorized party, and if it is, it will be detected by the certificate transparency system. Historically, the more rigorous validation process had little value in protecting your site, since an attacker could always use a misissued DV certificate, and visitors would be very unlikely to notice. Now, you can use HPKP to pin your site to a certificate authority certificate that only signs EV certificates, making it difficult for an attacker to use a misissued DV certificate. Expect to hear more from SSLMate in the coming months about HPKP (and certificate transparency) for both EV and DV certificates.

Edited on 2017-02-25: Unfortunately, HPKP proved too difficult to use in practice.

There are some tradeoffs with EV certificates. Because the certificate authority has to verify the legal identity of the applicant, every EV certificate has to be processed by a human, which means EV certificates are both more expensive and take longer to issue - up to several days, unlike a DV certificate, which can be issued in under a minute. For these reasons, SSLMate recommends DV certificates to the typical website operator. If you're not sure what kind of certificate you need, go with a DV certificate. But if you do need an EV certificate, SSLMate is your place to get it. SSLMate is the only place where you can get an EV certificate from the command line using a simple command, and then automate its renewal so you never forget about it.

Getting an EV certificate

First, if you haven't done so already, you must log into your account page, check the box that says "I want to purchase EV certificates," and fill out additional information about your company. Then, to purchase an EV certificate, simply pass the --ev option to the sslmate buy command. Since EV certificates take several days to approve, sslmate buy returns immediately with a temporary, self-signed certificate. This certificate won't be trusted by browsers, but you can use it to get your web server configuration up and running while you wait for your real certificate to be issued. See the EV documentation for details.

SSLMate 1.0.0

This is the third in a series of posts about the new features found in the recently-released SSLMate 1.0.0. Previously, we unveiled fully automated provisioning using DNS approval. To upgrade to SSLMate 1.0.0, head over to our install page or our GitHub repository. If you've installed through APT or Yum, upgrading is as simple as running apt-get update && apt-get upgrade or yum update.
