- LetsEncrypt Certificate (highly recommended)
LetsEncrypt is a non-profit service that offers free SSL certificates for web servers, with automated validation and renewal. For validation, LetsEncrypt employs a "don't call us, we'll call you" approach, comparable to two-factor authentication: LetsEncrypt sends the owner of the domain a secret, then calls back the domain the certificate is requested for and asks for that secret. LetsEncrypt offers various ways in which it can call the requesting server back. This callback is mandatory: LetsEncrypt can only work for servers that LetsEncrypt can reach, so the domain must be accessible via the public internet.
- Company CA
An alternative to a trusted public CA, particularly for larger organizations, is running a private company CA. The company CA's root certificate is configured as a trusted root on all of the company's devices, which allows the company to issue and sign its own certificates that every company device then trusts. For cloud hosting solutions, a private company CA can only be used if the server is set up within the company network.
- Self-Signed Certificates (not recommended)
As every certificate must be signed by someone, the remaining option is for the owner to sign their own certificate, creating a self-signed certificate. For a self-signed certificate there is no chain of trust above the certificate itself: the owner acts as their own certification authority, and initially nobody trusts it. For a client to trust the certificate, it must be explicitly told that the certificate is trustworthy by adding it as a trusted root CA. Generally, self-signed certificates should never be used outside of development scenarios.
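The "we'll call you" validation described under LetsEncrypt above, as an added, simplified simulation of an HTTP-01 style challenge (not LetsEncrypt's or any ACME client's own code): the CA hands out a token, the domain owner publishes the matching key authorization on the web server, and the CA calls the domain back and compares what it reads. The account thumbprint and the server on 127.0.0.1 are constructed stand-ins; an unreachable server simply fails validation, which is why the domain must be reachable.

```python
import base64
import hashlib
import secrets
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in: a real ACME client derives this from its account key.
ACCOUNT_THUMBPRINT = base64.urlsafe_b64encode(
    hashlib.sha256(b"constructed-account-key").digest()).rstrip(b"=").decode()


def key_authorization(token: str, thumbprint: str = ACCOUNT_THUMBPRINT) -> str:
    """What the CA expects to read back: token '.' account thumbprint."""
    return f"{token}.{thumbprint}"


def serve_challenge(token: str, key_auth: str) -> HTTPServer:
    """Domain owner's side: publish key_auth at the well-known challenge path."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != f"/.well-known/acme-challenge/{token}":
                self.send_error(404)
                return
            body = key_auth.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def ca_validate(host: str, port: int, token: str, expected: str) -> bool:
    """CA's side: call the domain back and compare the served value."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=3) as resp:
            return resp.read().decode().strip() == expected
    except OSError:  # connection refused, timeout, HTTP error: not validated
        return False


def run_demo(wrong_account: bool = False) -> bool:
    """Full exchange; wrong_account publishes a value bound to another account."""
    token = secrets.token_urlsafe(32)
    served = key_authorization(token, "other-thumbprint") if wrong_account \
        else key_authorization(token)
    srv = serve_challenge(token, served)
    try:
        return ca_validate(*srv.server_address, token, key_authorization(token))
    finally:
        srv.shutdown()
        srv.server_close()
```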