Does it matter which Certificate Authority I source my SSL Certificate from?

I guess it really depends on the nature of your users.

99.9% of users will simply see that the browser doesn't give them any errors when they visit your site (assuming you bought the cert from a company that has their CA cert in your browser's cert store).

This does however point to a bigger problem with the PKI infrastructure as currently deployed:

Any known CA can create a certificate for any other site, and browsers will accept that certificate, even if the legitimate owner of the site already has a certificate from another CA.

While this is good in some ways, in that a site operator can change CA vendors if he chooses to, it also means that a compromised CA can be used to generate certs for arbitrary sites. This issue was raised when CNNIC's CA cert was added to Mozilla's (and others') CA lists.

There seems to be an innate distrust of China (possibly related to "the great firewall"), but in truth, this does mean that any user in China, when trying to use an encrypted connection to a "subversive" site, should be checking that the certificate presented was NOT signed by the CNNIC CA cert.

There is a handy Firefox extension (Certificate Patrol) that monitors the certificates presented by various sites, and warns you if the certificate changes for any reason.
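As an added example (not code from this thread or from the Certificate Patrol extension), the script below does the two checks this answer describes from the command line: it pins the SHA-256 fingerprint of the certificate a host presents and reports when it changes on a later run, and it flags certificates whose issuer matches an operator-supplied distrust list. The store file name and the distrusted-issuer label are assumptions.

```python
import hashlib
import json
import socket
import ssl
import sys
from pathlib import Path

# Added example: a minimal "certificate patrol". It records the SHA-256
# fingerprint and issuer of the leaf certificate a host presents, reports when
# the fingerprint differs from the stored one, and flags distrusted issuers.
DISTRUSTED_ISSUERS = {"Untrusted Example CA"}   # assumption: operator's own list
STORE_PATH = Path("cert_patrol_store.json")       # assumption: local pin store

def fetch_cert(host, port=443, timeout=5.0):
    """Return (DER bytes, getpeercert() dict) for the certificate host presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()

def issuer_name(cert):
    """Flatten the issuer RDN tuples from getpeercert() into 'key=value,...' form."""
    return ",".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def fingerprint(der):
    """SHA-256 hex digest of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def check_cert(host, der, cert, store, distrusted=DISTRUSTED_ISSUERS):
    """Compare the presented cert with the stored pin; return a list of notices."""
    fp, issuer = fingerprint(der), issuer_name(cert)
    notices = []
    if any(bad.lower() in issuer.lower() for bad in distrusted):
        notices.append(f"{host}: certificate issued by distrusted CA ({issuer})")
    previous = store.get(host)
    if previous is None:
        notices.append(f"{host}: first visit, pinning {fp[:16]}... from {issuer}")
    elif previous["fingerprint"] != fp:
        notices.append(f"{host}: certificate CHANGED (was issued by {previous['issuer']}, now {issuer})")
    store[host] = {"fingerprint": fp, "issuer": issuer}   # remember latest observation
    return notices

if __name__ == "__main__":
    store = json.loads(STORE_PATH.read_text()) if STORE_PATH.exists() else {}
    for host in sys.argv[1:]:
        der, cert = fetch_cert(host)
        for line in check_cert(host, der, cert, store):
            print(line)
    STORE_PATH.write_text(json.dumps(store, indent=2))
```

Run it as `python cert_patrol.py example.org` once to pin, then again later; a changed fingerprint is only a notice to investigate (certificates are legitimately renewed), not proof of interception.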


Yes, it totally matters. You can only trust the transactions as much as you trust the certificate authority. For example, if you have a DoD-signed certificate, that's pretty trustworthy. If you have a certificate signed by Chunghwa Telecom, then maybe not so much. Take a look at your browser's default CA certs sometime and think about how much you trust those parties.

I recommend taking a look at this paper for a full explanation of how malicious CAs can really wreak havoc on perceived trust: Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL


Actually, where you get your certificate matters a lot. Remember, anyone can create a certificate and sign it, including hackers. So each browser has a list of verified companies in order to combat forged certificates. So you should get your certificate from an internationally recognized company like VeriSign, etc.