Why is SSL Certificate Browser Compatibility so Important?
SSL Certificates will only be recognized by a browser if the Root Certificate of the CA is present within the “trusted Root Certificates” store of the browser. CA Root Certificates are added into the trusted Root Certificate store by the browser or operating system vendor, such as Microsoft or Netscape. In general SSL vendors need to be audited to WebTrust complaint standards set by the AICPA.
If you use an SSL Certificate that has been issued by a CA Root Certificate not present in the trusted Root Certificate store in one of the commercially available browsers then the visitor’s browser will display a warning message. Clearly you need to avoid such warnings. Ensure you avoid such warnings by selecting a cost effective SSL Provider with the highest browser acceptance level across all browsers.
What browser ubiquity do I need?
Anything less than 99% browser ubiquity will cause issues with some customers – customers who may otherwise purchase from your site: REMEMBER CUSTOMERS = $$!
High Assurance providers such as Comodo, VeriSign, Thawte and Entrust all provide 99% browser ubiquity and are included in the base install of Windows 98SE, ME, 2000 and XP.
IPSCA provides only 96% browser ubiquity and are not compatible with Netscape. IPSCA is not included in the base install of Windows 98SE and will require such customers to upgrade to avoid Security Warnings
Should I opt for an SSL Provider who is compatible with older browser versions?
Although you can examine your web logs to determine the browsers used by your customers it is unlikely you will need to cover very old browsers. All browsers are free and therefore updating browsers is simple for consumers.
This would represent a dangerously low browser ubiquity
Some SSL Providers use one or more ‘intermediate certificates’ – does this make any difference to me?
Sometimes the CA will use ‘intermediate certificates’ to issue your SSL Certificate – essentially a certificate issued by the Trusted Root CA specifically designed to issue SSL Certificates to end entities. An intermediate certificate is effectively a subordinate Certificate issued by the CA Root Certificate, thereby creating a chain of trust which may be traced back to the trusted CA Root Certificate. Using intermediate certificates do not cause installation, performance or compatibility issues.
It is good security practice for SSL Providers to issue Certificates using an Intermediate Certificate. Creating Certificates directly from the CA Root Certificate increases the possibility of CA Root Certificate compromise, and if the CA Root Certificate is compromised, the entire trust infrastructure built by the SSL Provider will fail.
Can I expect webserver compatibility issues from different SSL Providers?
An SSL Certificate is an industry standard product. All Certificates follow the X.509 standard, therefore any SSL version 3 enabled webserver software will be able to utilize an SSL Certificate from any provider.
Both Verisign and Comodo use Intermediate Certificates to issue SSL Certificates. Click here to find out why the use of Intermediate Certificates (sometimes referred to as “Certificate Chaining” is a non-issue.)
What about previous versions of the SSL Protocol?
SSL version 3 is the de facto SSL implementation. SSL version 1 and version 2 have been superseded by version 3 for a number of years, mainly due to the inherent security flaws found in these old versions. All web browsers developed after Internet Explorer 3 and Netscape 3 use SSL version 3 (however still support older SSL protocol versions). If your webserver is only capable of supporting versions 1 and 2 of the SSL protocol we strongly recommend you contact your webserver software vendor for an update – these protocols are flawed.