Buying an SSL Certificate: What to Know
What to know before buying an SSL certificate: when to buy vs use free, which type you need, where to buy, and how to avoid overpaying.
You can get a valid SSL certificate for free from Let's Encrypt, so why would anyone pay for one? The answer depends on what you need. Free certificates work perfectly for most websites, but there are legitimate reasons to buy a certificate: organization validation, extended validation, dedicated support, warranties, and compatibility with specific enterprise requirements.
The SSL certificate market is also full of unnecessary upsells. Hosting providers and registrars frequently charge $50-200 per year for DV certificates that provide the exact same encryption as a free Let's Encrypt certificate. Knowing what you actually need saves you from overpaying. This guide helps you decide whether to buy, what to buy, and where to buy it. For the free alternative, see Free SSL Certificates Guide.
When Free Certificates Are Enough
For most websites, a free DV (Domain Validation) certificate from Let's Encrypt provides everything you need:
- Encryption identical to paid certificates (same algorithms, same key lengths).
- Browser trust in all modern browsers (Let's Encrypt is trusted by 99.9% of browsers).
- Automatic renewal through ACME protocol integration.
- Wildcard certificate support.
If your website is a blog, portfolio, small business site, SaaS application, API, or any site where visitors do not need to verify your organization's legal identity, a free DV certificate is the right choice. The encryption does not get "better" because you paid for it.
When You Should Buy a Certificate
Organization Validation (OV)
OV certificates include your organization's verified name in the certificate details. While browsers do not display this information prominently (no green bar or special indicator), the organization name is visible when inspecting the certificate. This matters for:
- Organizations that need to demonstrate verified identity to partners, auditors, or regulators.
- Government and educational institutions that require OV or higher as a matter of policy.
- B2B companies whose clients inspect certificates as part of vendor due diligence.
OV certificates typically cost $50-200 per year.
Extended Validation (EV)
EV certificates involve the most thorough verification process. The CA verifies your legal entity, operational existence, physical address, and the authority of the person requesting the certificate. EV certificates once triggered a green address bar with the company name in browsers, but most modern browsers have removed this visual distinction.
EV certificates are relevant for:
- Financial institutions and payment processors that want the highest level of verified identity.
- Organizations where compliance frameworks specifically require EV.
- Situations where the certificate details may be inspected by regulators.
EV certificates typically cost $100-500 per year.
Dedicated Support
Free CAs like Let's Encrypt do not offer individual support. If you have a certificate issue, you rely on community forums and documentation. Paid CAs offer dedicated support teams that can help with issuance problems, installation, troubleshooting, and emergency reissuance.
For organizations with limited technical staff or critical uptime requirements, paid support can be worth the cost.
Warranties
Paid SSL certificates typically include a warranty (sometimes called a "relying party warranty") that covers financial losses if the CA issues a certificate incorrectly and a user suffers a loss as a result. Warranty amounts range from $10,000 for basic DV certificates to $1.75 million for EV certificates.
In practice, these warranties are rarely claimed and have strict conditions. They are a marketing feature more than a practical benefit for most buyers. But for organizations that need to demonstrate insurance or warranty coverage to partners, they serve a purpose.
Compatibility Requirements
Some legacy systems, older IoT devices, or enterprise environments may not support Let's Encrypt certificates or may require certificates from specific CAs. If you operate in an environment with specific CA requirements, buying from the required CA is the only option.
Do not pay for DV certificates
If you only need domain validation, use Let's Encrypt. The encryption is identical, the browser trust is the same, and the cost is zero. Hosting providers that charge $50-100 for a DV certificate are selling you something you can get for free.
What Type of Certificate to Buy
Single Domain
Covers one domain name (e.g., example.com). Most single-domain certificates also cover the www subdomain as a Subject Alternative Name (SAN) at no extra cost.
Best for: Simple websites with one domain.
Wildcard
Covers all first-level subdomains of a domain (e.g., *.example.com matches www.example.com and api.example.com). Does not cover the bare domain (example.com) unless it is also listed, and does not cover multi-level subdomains (a.sub.example.com would need *.sub.example.com).
Best for: Websites with multiple subdomains on the same server. See Wildcard SSL Certificates.
Multi-Domain (SAN)
Covers multiple distinct domain names on a single certificate (e.g., example.com, example.org, another-domain.com). The number of domains varies by provider, typically 3-100 SANs.
Best for: Organizations that manage multiple brands or domains. See SAN Certificates: Multi-Domain SSL Explained.
Multi-Domain Wildcard
Covers wildcard entries for multiple domains (e.g., *.example.com and *.example.org). The most expensive option.
Best for: Large organizations with many domains and subdomains.
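The coverage rules above can be checked before ordering. The following is an added example, not part of the original guide: it takes the names you plan to put on a certificate and lists the hostnames they would leave uncovered. The function names and all hostnames are constructed for illustration.

```sh
#!/bin/sh
# Added example: which hostnames does a certificate's name list cover?
# All names below are constructed placeholders.
set -f   # entries such as *.example.com must never be glob-expanded

# san_covers ENTRY HOST: succeed if one certificate name covers HOST.
san_covers() {
    entry=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $entry in
        '*.'*)
            base=${entry#'*.'}        # "*.example.com" -> "example.com"
            label=${host%".$base"}    # what is left of HOST before ".example.com"
            [ "$label" != "$host" ] || return 1    # bare domain or other domain
            [ -n "$label" ] || return 1
            case $label in *.*) return 1 ;; esac   # more than one level deep
            return 0 ;;
        *)  [ "$entry" = "$host" ] ;;              # plain names match exactly
    esac
}

# uncovered "ENTRY ENTRY ..." HOST...: print each HOST that no entry covers.
uncovered() {
    entries=$1; shift
    for h in "$@"; do
        ok=no
        for e in $entries; do
            if san_covers "$e" "$h"; then ok=yes; break; fi
        done
        [ "$ok" = yes ] || printf '%s\n' "$h"
    done
}

# A wildcard alone: the bare domain, the two-level name and the second
# domain are all reported as uncovered.
uncovered '*.example.com' example.com www.example.com api.example.com \
    a.staging.example.com example.org
```

An empty result means the planned name list is sufficient; anything printed needs its own SAN entry or an additional wildcard.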
Where to Buy
Directly from CAs
Buying directly from the certificate authority often gives you the best price and the most direct support relationship.
DigiCert: Premium CA known for enterprise features, fast issuance, and strong support. Prices are higher than competitors but the service matches.
Sectigo: Large CA with competitive pricing. Offers DV, OV, and EV certificates at various price points. Good for organizations that need a balance of features and cost.
GlobalSign: European CA popular with enterprise customers. Strong automation capabilities through their ACME and API support.
Through Resellers
Many companies resell SSL certificates at discounted prices. Resellers like Namecheap SSL, SSL.com, and GoGetSSL buy in bulk from CAs and pass on volume discounts. Prices can be 50-80% lower than buying directly.
The certificates themselves are identical regardless of where you buy them. The CA issues the same certificate whether you buy direct or through a reseller. The difference is in support: if you have an issue, you may need to go through the reseller first.
Through Your Hosting Provider
Many hosting providers sell SSL certificates alongside their hosting plans. This is convenient (one vendor for everything) but often expensive. Compare the provider's price with the CA's direct price and reseller prices before buying.
Some hosting providers bundle free DV certificates (via Let's Encrypt or a similar CA) with their hosting plans. If your provider offers this, there is no reason to pay extra for a DV certificate.
The Buying Process
Generate a CSR
Before ordering, you need a Certificate Signing Request (CSR). The CSR is generated on your server and contains your public key and identifying information. Most server control panels (cPanel, Plesk) have CSR generation tools. You can also generate one with OpenSSL:
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Keep the private key file (yourdomain.key) secure. Never share it with anyone, including the CA.
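An added example (not from the original guide) of the same step using an ECDSA P-256 key, with checks worth running before the CSR is submitted: the key file is owner-only, the CSR carries the matching public key, the requested names are the intended ones, and the file going to the CA contains no private key. The domain, file names and function names are placeholders, and `-addext` assumes OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example: ECDSA P-256 key + CSR with SANs, then pre-submission checks.
# example.com / www.example.com and the file names are placeholders.

# make_csr DIR DOMAIN: create DIR/DOMAIN.key (mode 0600) and DIR/DOMAIN.csr
make_csr() {
    dir=$1
    domain=$2
    (
        umask 077   # key file is created readable by its owner only
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
            -out "$dir/$domain.key"
    ) || return 1
    # -addext (OpenSSL 1.1.1+) requests the names as Subject Alternative
    # Names, which is what modern browsers match hostnames against.
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" \
        -out "$dir/$domain.csr"
}

# csr_matches_key CSR KEY: succeed only if the CSR holds this key's public half
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# csr_names CSR: print the DNS names requested in the CSR, one per line
csr_names() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# csr_has_no_private_key FILE: the file sent to the CA must not contain a key
csr_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}

workdir=$(mktemp -d)
make_csr "$workdir" example.com
csr_matches_key "$workdir/example.com.csr" "$workdir/example.com.key" &&
    echo "CSR matches key"
csr_names "$workdir/example.com.csr"
```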
Complete Validation
The CA will verify your identity according to the certificate type:
- DV: Automated verification (email, DNS record, or HTTP file). Takes minutes.
- OV: Organization verification through business documents and phone verification. Takes 1-3 days.
- EV: Comprehensive verification including legal entity checks. Takes 1-2 weeks.
Receive and Install
After validation, the CA issues the certificate (usually as a .crt or .pem file) along with intermediate certificate(s). Install them on your server. See How to Install SSL.
Avoiding Common Mistakes
Do not buy more validation than you need. If your visitors do not need to see your organization name in the certificate, DV is sufficient.
Do not pay for multi-year upfront unless the price is significantly better. Certificate validity is capped at 397 days. Multi-year purchases are actually subscriptions where the CA reissues annually. Check the cancellation terms.
Verify the renewal price. Some providers offer low introductory prices and significantly higher renewal prices. Check the renewal cost before the initial purchase.
Generate a strong private key. Use at least RSA 2048-bit or ECDSA P-256. RSA 4096-bit provides a larger security margin.
Do not forget intermediate certificates. Installing only the end-entity certificate without the intermediate chain causes trust errors in some browsers. Always install the full chain.
Pricing Overview
Prices vary significantly by provider, certificate type, and whether you buy direct or through a reseller:
| Type | Typical Price Range (per year) |
|---|---|
| DV (single domain) | Free -- $50 |
| DV (wildcard) | Free -- $100 |
| OV (single domain) | $50 -- $200 |
| OV (wildcard) | $150 -- $500 |
| EV (single domain) | $100 -- $500 |
| Multi-domain (SAN) | $50 -- $300 (varies by SAN count) |
For a detailed pricing analysis, see SSL Certificate Pricing Explained.