During the last several years, there has been a dramatic increase in the number of certificates used within organizations. This trend is largely tied to the fact that so many applications and management tools have become web-enabled. Typically, each web application and each browser-based management tool requires a certificate for communications to be encrypted and secure. Similarly, certificates are often used to secure back-end communications between services and are commonly used to encrypt communications with cloud services.
But with more certificates comes more cost, including the cost of acquiring and periodically renewing certificates. Organizations may be able to avoid (or reduce) these costs by using self-signed certificates or certificates that have been issued by an internal enterprise certificate authority for some workloads. The problem is certificate authority trust, or rather the lack of it. These types of certificates may not be trusted by clients and are not appropriate for use with internet-facing workloads. Additionally, services such as Active Directory Federation Services (when deployed from within Azure AD Connect) actively prevent these types of certificates from being used.
Organizations therefore are commonly forced to purchase certificates from commercial certificate authorities. Of course, the commercial certificate authorities know this and charge a hefty fee for certificates, which typically have to be renewed each year (although some providers offer multiyear certificates).
Organizations do have another option: Discount providers sell certificates at a rate that is far lower than that of the large, well-known certificate authorities. For example, I recently purchased a wildcard certificate from a discount provider for about $70. In contrast, the more mainstream certificate authorities generally charge between $500 and $750 per year for a similar certificate.
This, of course, raises the question of whether these discount providers are trustworthy. Are low-cost certificates flawed in some way? Or is the whole thing some sort of scam?
Unfortunately, it is impossible to make a blanket statement as to the legitimacy of low-cost certificate providers. While there are some providers that are indeed legitimate, there are almost certainly some charlatans out there who are making fraudulent offers for discount certificates.
So, how can you tell whether a discount certificate authority is legitimate? Although there is no universal legitimacy test, there are several things that you can look for.
First, check to see whether the certificate provider's website has been validated. For example, using the Edge browser, a validated website will display the company's name in green, just to the left of the address bar. Google Chrome also displays the company name to the left of the site's URL. Validation alone does not confirm that a site is legitimate, but it does indicate that the site is using a trusted certificate and that the certificate authority that issued the certificate has verified the site's identity. Any reputable certificate authority should have a validated website. If a certificate authority cannot even validate its own website, then what does that say about the trustworthiness of the certificates that it is selling?
You can also perform a web search in which you cross-reference the name of the website with words such as "fraud," "scam" and "legitimate." The results cannot be considered 100% conclusive (there are a lot of trolls out there who make false claims), but they can provide a sense of whether the provider is on the up and up.
One of the most critical steps in determining whether discount certificate providers are legitimate is to find out where they get their certificates. There are two reasons why this is so important.
First, operating systems are provisioned by their manufacturer with CA certificates. These CA certificates allow the operating system to trust certificates that have been issued by the corresponding certificate authority. Windows, for instance, trusts certificates issued by VeriSign, Thawte and numerous other certificate authorities. The flip side to this is that if an operating system does not have a built-in CA certificate for a particular certificate authority, then that certificate authority is not natively trusted by the operating system. You can configure the operating system to trust that certificate authority, but that trust will be local to your machine. Other people who are using the same operating system will continue to view the provider as untrusted.
If you want to determine whether a particular provider is trusted by Microsoft Windows, enter the MMC command and then load the Certificates snap-in. Next, go to Certificates | Trusted Root Certificates | Certificates. You can browse the list of certificates to find out if the provider is trusted. Keep in mind that the operating system needs to trust the certificate authority that created the certificate, not the reseller.
The other reason why it is important to find out where the provider is getting its certificates is that you may be able to use that information to establish the provider’s legitimacy. If, for instance, the reseller claims to get its certificates from Comodo, then you may be able to find out who Comodo’s authorized resellers are.
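The same two checks can be scripted instead of done by hand in the MMC snap-in. This is an added example, not code from the article: given the certificate file you were sold (the path below is an assumed placeholder), it reads the Issuer field to see which certificate authority actually signed it, walks the chain with the Windows chain engine, and reports whether the chain ends in a root that this machine's Trusted Root store contains.

```powershell
# Added example; the path is an assumed placeholder, replace it with your file.
$certPath = 'C:\certs\purchased-cert.cer'

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Skip online revocation lookups; this check is only about the trust anchor.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)

# Issuer names the CA that signed the certificate. That is the party the
# operating system must trust, not the reseller you bought it from.
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
"Chain OK: $built"

# Walk the chain as Windows assembled it: leaf first, top of chain last.
foreach ($element in $chain.ChainElements) {
    " - $($element.Certificate.Subject)"
    foreach ($status in $element.ChainElementStatus) {
        "     status: $($status.Status) - $($status.StatusInformation.Trim())"
    }
}

# If Windows could not reach a trusted root, say so explicitly.
if ($chain.ChainStatus | Where-Object { "$($_.Status)" -match 'UntrustedRoot|PartialChain' }) {
    "Warning: this certificate does not chain to a root Windows trusts."
}

# Is the top of the chain in this machine's Trusted Root store? Note that a
# root someone installed by hand shows up here too, so compare against a
# clean machine before concluding that every Windows client will trust it.
$top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Thumbprint -eq $top.Thumbprint }

if ($inStore) {
    "Top of chain '$($top.Subject)' is in LocalMachine\Root on this machine."
} else {
    "Top of chain '$($top.Subject)' is NOT in LocalMachine\Root on this machine."
}
```

On Windows with Automatic Root Certificates Update enabled, a Microsoft-trusted root may not appear in the store until it is first needed, so the result of the chain build is a more reliable indicator than browsing the store alone.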
The good news is that you can’t automatically assume that a provider is fraudulent just because it offers certificates at a price that is too good to be true. After all, the certificate that I purchased recently was discounted by 90%, but was completely legitimate.