What Is a CA Certificate?
The server encryption/identification key is called a Certification Authority (CA) certificate. It identifies the server to the user's browser client and encrypts the session. As with any other encryption key, it protects you only as long as you keep it secure.
These critical questions should be asked about a certificate:
Does it belong to the vendor it claims to identify?
Is it controlled by a legitimate agent of the vendor identified by it?
Two basic types of server-side certificates exist. A "trusted" CA certificate is supplied directly or indirectly by a well-known provider, such as Verisign or Thawte. The other kind can be generated by anybody.
The user versions of trusted major vendor certificates are installed in web browsers by default, so when a user opens a SSL connection with a site, the user will not see a prompt come up saying, "This certificate is from an unknown authority. Do you want to accept/install it?" This often frightens customers away.
So how do you know whether you need CAs? You need to determine what your site will be used for:
Will your e-commerce site handle credit cards? Will it collect credit card user information instead of sending the user to a third-party service provider? If the answer to both questions is yes, you probably need SSL and a CA certificate from a trusted provider. Verisign and Thawte are the best-known trusted providers; GeoTrust is a lesser-known trusted provider whose certificates are recognized by the great majority of modern browsers.
If you merely need secure communication via browser for your employees or a customer/vendor base that considers you trustworthy, you need SSL, but you can save money by generating your own CA certificate. (You can find out how at http://www.onlamp.com/pub/a/onlamp/2003/02/06/linuxhacks.html, or you can get one from an organization such as CAcert.org.)
Most providers resell certificates from a CA certificate provider. Packaged installation and maintenance are usually available for a yearly fee.
I do not recommend 40-bit SSL certificates; use 128-bit SSL certificates instead. The terms 40-bit and 128-bit refer to key sizeslonger is better.
A low-end certificate might cost $39 per year (StarterSSL from http://www.freessl.com). GeoTrust recommends that this certificate be used on sites that do fewer than 50 transactions a week and have typical transactions of less than $50.
An enterprise-level certificate with capabilities such as securing multiple subdomains and with bundled e-commerce services might cost several hundred or even thousands of dollars a year, depending on the provider and the specific content of the package.
What you probably need will fall between these two extremes. This is an area where it pays to shop around. I recommend reading the More Information links that provide details on any CA certificate product that you are considering; carefully match what is presented against what you believe you actually need. Look especially hard at what browsers/versions a provider says its browser-side certificates are installed on and the estimate of what percentage of browsers will recognize the certificates.
To install your own certificate, you'll need access to the web server SSL configuration functions. If you don't have access (check your hosting provider's online docs), find out whether your provider will install this for you and how much it will cost.
DIY CA certificate installation varies with the OS type, server, and server configuration. Your vendor can give you details.
These tips should give you a good start toward choosing a website that will meet your security needs, setting up file permissions to give the public exactly what it needs to make the services you intend to provide available, evaluating whether you need to secure your site with SSL, and determining only for the kind of CA certificate you really need.