Why SSL Certificates Matter: Choosing the Right CA for Secure Websites
Understanding what SSL certificates are, how they secure web traffic, why a trusted CA is essential, what drives their cost, free options such as Let’s Encrypt, and the different validation types helps developers select the right certificate and configure it properly, typically via Nginx, for robust HTTPS protection.
1. Introduction
Nowadays a website without HTTPS looks unprofessional. This matters most when JWT is used for authentication: the API must be served over HTTPS to add a layer of security. This article discusses the key component, the SSL certificate, also known as a CA certificate.
2. What is an SSL certificate?
SSL (Secure Sockets Layer) certificates create a secure channel between the browser and the web server that encrypts and hides transmitted data and ensures its integrity; they have become a mainstream standard for internet security. Since SSL is supported by all major browsers and server software, we only need to install a trusted certificate.
3. Why obtain a certificate from a CA?
Self‑signed certificates are not registered with a recognized authority, so browsers do not trust them. Anyone can generate one for any domain name, which makes phishing attacks possible. Although a self‑signed certificate can still encrypt data, it provides no trust, so a certificate issued by a reputable CA is required.
4. Why are certificates expensive?
CA certificates have historically been sold at high prices, ranging from a few hundred to tens of thousands of yuan per year. The actual cost of issuing a certificate is near zero; the price covers annual audits (e.g., WebTrust), fees to browser vendors, insurance premiums, and extensive manual validation. New CAs must wait years to gain trust and often pay established CAs for inclusion in root stores.
5. Are there free certificates?
High costs deter many small sites, but Let’s Encrypt offers free, open, automated certificates for any domain. It now supports wildcard certificates, and its certificates have a 90‑day validity period.
Let’s Encrypt is akin to Gmail’s free email service, making SSL widely accessible. Most low‑level CA certificates are now free and can be obtained from major cloud providers. Without Let’s Encrypt, users would still be at the mercy of paid CAs.
6. Types of CA certificates
Certificates are classified by validation method and domain coverage.
Validation methods
DV (Domain Validation) – mostly free, verifies domain ownership, suitable for small static sites or blogs; issuance takes minutes.
OV (Organization Validation) – verifies domain ownership and business identity, typically issued within 1–5 business days.
EV (Extended Validation) – requires domain ownership, business identity, and additional checks (e.g., D‑U‑N‑S), with phone verification; issued in 2–7 business days, priced from a few hundred to several thousand yuan, suitable for e‑commerce or enterprise sites.
Domain coverage
Single‑domain certificate – valid only for the specific domain (e.g., www.felord.cn) and not its subdomains.
Wildcard certificate – protects a domain and all its first‑level subdomains without limit on the number of subdomains.
Multi‑domain certificate – protects multiple domains simultaneously, with no restriction on domain types.
SSL certificates bind to domain names, not server IP addresses.
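The coverage rules above, as an added example that is not part of the original article: a small Python check of which hostnames each certificate type covers. The certificate name lists are constructed, and listing the bare domain alongside the wildcard entry is an assumption about how the wildcard certificate was issued.

```python
import ipaddress

# Constructed certificate name lists, one per coverage type described above.
SINGLE = ["www.felord.cn"]
WILDCARD = ["*.felord.cn", "felord.cn"]  # assumption: bare domain listed too
MULTI = ["felord.cn", "www.felord.cn", "api.example.org"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h or "*" in h:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one label, and only the leftmost one.
        # Requiring two fixed labels after it keeps "*.cn" from matching.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(dns_names, hostname: str) -> bool:
    """True if any DNS name in the certificate covers the hostname."""
    try:
        ipaddress.ip_address(hostname)
        return False  # a DNS name entry never matches an IP address literal
    except ValueError:
        pass
    return any(name_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    hosts = ["www.felord.cn", "felord.cn", "api.felord.cn",
             "a.b.felord.cn", "api.example.org", "203.0.113.10"]
    for label, names in [("single", SINGLE), ("wildcard", WILDCARD),
                         ("multi", MULTI)]:
        for host in hosts:
            print(f"{label:9} {host:16} {covered(names, host)}")
```

Running it prints a coverage table; the second-level name a.b.felord.cn and the IP address are rejected by all three certificates.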
7. Conclusion
This article introduced SSL certificates and how to choose the right one. It is recommended to configure the certificate on an Nginx reverse proxy rather than directly in a servlet container such as Tomcat, for easier development and better security.
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"
