OVERVIEW – WHAT IS AN SSL CERTIFICATE?
In simplest terms, an SSL certificate is your website’s digital passport or verified ID on the Internet. It’s a piece of digital code that assures visitors – human and machine alike – that your website is really what it says it is, and can therefore be trusted to transact with. This is crucial for any site that needs to transmit sensitive data online, such as passwords, credit card numbers, medical records, and other confidential information. If you’re an online merchant, your ecommerce site should meet the Payment Card Industry (PCI) standards, which involve securing payment transactions over an HTTPS connection using the latest SSL/TLS technology.
The Internet is an open, public network, designed as a whole for the free exchange of information. It is not encrypted because doing so would require enormous amounts of extra processing power and would slow down things significantly – imagine being asked to identify yourself or to sign in each time you try to view any web page or search anything.
Think of it as being free to go wherever you want in public areas like the park or the streets. However, just as in real life, not everything needs to be easily accessible to everyone. You don’t want just anyone to read your emails or eavesdrop on your conversations at any time. While inconvenient, verification helps deter privacy intrusions and cyber mischief.
Eventually, as the Internet became increasingly commercial, various groups began implementing ways to secure online transactions. One of these is the Secure Sockets Layer (SSL) protocol – now subsumed by the more robust Transport Layer Security (TLS) – though the name stuck, and the latter is still popularly referred to as “SSL”.
The SSL/TLS protocol – a protocol is simply an agreed-upon way of doing things – lays out the steps for setting up a secure “line” while exchanging sensitive data over the Internet. On websites, you can easily tell this is happening from at least two visual cues: 1) the green padlock icon, and 2) the ‘https’ prefix on the site’s URL.
Another visual cue comes in the form of trust seals or badges. For example, Namecheap displays a Norton Secured Seal on the lower right corner of its homepage which, when clicked, gives details about its certificate.
A Norton (Symantec) Secured Seal for NameCheap
Symantec is the Certificate Authority (CA) that provided this trust badge for Namecheap and is one of the leading SSL certificate providers (after it bought the Verisign brand).
Certificate Authorities (CAs)
Just like real-world paper certificates, an SSL certificate requires third party verification. Anyone can create certificates, but without an impartial, trusted authority to back up the claim (which a certificate essentially is), it would be of little value.
It’s indeed possible to create and sign your own certificate, but the question is, will the other party recognize and accept your credentials? This is where CAs come in. A CA is like a government office that signs and approves your passport or official ID, or the university official that stamps your diploma.
Modern browsers come preloaded with a list of trusted CAs (called “root” CAs). For example, Chrome has this:
Chrome users can access this dialog by going to chrome://settings/ and choosing Advanced Settings. Under HTTPS/SSL, it shows a “Manage Certificates” button. Mozilla users can go to options and then Advanced > Certificates > View Certificates.
As a website owner, you’d want your users to see these assurances so they’d feel safe visiting and using your site. Aside from enhancing security and trust, adopting SSL/TLS is also good for your site’s SEO, as Google announced last year that it will start looking at HTTPS as a ranking signal.
Now we take a closer look at how SSL certificates help create a secure connection.
HOW DO SSL CERTIFICATES WORK?
An SSL certificate is needed to activate an HTTPS connection. To the human eye it looks like gibberish, but when parsed by a computer, it contains information on who owns the certificate, which domain name it is for, how long the certificate is valid, as well as keys for encrypting the data to be transmitted.
In a previous article, we explained how computers communicate over the Internet as clients and servers. An SSL/TLS connection is just another one of those conversations between computers.
Imagine a user goes to your website and wants to create a member profile. The user’s browser (client) and the computer where your site is hosted (server) start “talking” about how to establish a secure connection. This initial negotiation is technically called a “handshake,” which we’ll dramatize below:
Browser – Hello. My user wants to access this page at this URL and send some personal data. These are the kinds of encryption methods and SSL versions I can use to create a secure connection. Please identify yourself.
Server – Hello. Sure, we can use the latest one from your list, I support that. Here. [Sends over a copy of the site’s SSL certificate and its public key for encrypting data.]
Browser – [Checks SSL certificate against its list of CAs. If it finds it in the list:] Ok, great, your certificate looks genuine and is vouched for by TrustedCA. I will encrypt the data I send using your public key. You should be able to unlock the data on your end with your private key. Now here’s our secret code for this session, which I based on your public key. Check if you can decrypt this. [Sends the secret key.]
Server – Ok, I can decrypt it. Try decrypting this message, too. [Sends a test encrypted message to client.]
Browser – I can decrypt your message. Great, the line is secure and we understand each other. Let’s continue.
Here’s an infographic version of the SSL/TLS "Handshake":
Icons credit: Freepik, Yannick from www.flaticon.com, Creative Commons BY 3.0
If your certificate checks out fine, both browser and server establish this mutually agreed encrypted channel and begin communicating over it. If your certificate isn’t vouched for by a CA on the browser’s list, is expired, or is defective for some other reason, the browser warns your user and asks permission whether to proceed or not. If client and server cannot agree, the session is terminated.
This is obviously an over-simplification, but you get the picture. The securing process depends upon your user’s browser and your site’s server having a secret code that only they have. If you’d like to know more about public key cryptography explained in easy terms, this video likens it to mixing colors:
Ok, you’re convinced you need an SSL certificate for your site. But which one do you get, and how?
WHAT ARE DIFFERENT KINDS OF SSL CERTIFICATES?
There are many kinds of SSL certificates available on the market right now, and the three main kinds are classified according to how rigorously the applicant is vetted by the Certificate Authority:
- Domain Validation (DV) – This is the easiest and fastest to get, and can cost as low as a .COM domain (less than $10). It only checks legitimate ownership of the domain name and can be obtained within hours after an email verification process. This is ideal for personal use or for sites that need just basic validation.
- Organization Validation (OV) – Aside from checking domain ownership, the CA would verify details about the owning organization and whether it exists legally and physically. The process takes a few days. Small and medium-sized businesses would benefit from this kind of validation.
- Extended Validation (EV) – This is the highest level of validation, more rigorous than an OV, and takes several days to get. Also, EVs don’t come cheap—they can cost as much as a thousand dollars per certificate. As such, well-established institutions or large companies often get EVs, which come with a distinctive green bar on the user’s browser as further assurance:
Apart from the lock icon and https URL prefix, sites with Extended Validation (EV) certificates also display a green bar with the organization’s name in the browser address bar.
Some certificates are sold by the number of domains they can be applied to:
- Single domain – can be used for only one domain (no subdomains)
- Wildcard – can be used with different hostnames/subdomains
- Multi-domain, a.k.a. Subject Alternative Name (SAN) or Unified Communications Certificate (UCC) – the same certificate can be used for multiple domains
You’ll also encounter these kinds:
- Code signing certificate – used to sign software; it assures users that the software package hasn’t been tampered with while being downloaded
- Self-signed – not signed by a CA and will trigger warnings in the user’s browser; often used for internal or testing/development purposes
- Shared SSL – you piggyback on your host’s SSL certificate; you can’t use your own domain name, though
- Private SSL – often used as the opposite of shared SSL; you purchase your own certificate and provide a dedicated IP address; some CAs use the term to refer to certificates for private intranets
- Free SSL – Some CAs offer certificates for free for a limited time or for certain types of websites (such as GoDaddy’s offer for Open Source projects: https://www.godaddy.com/ssl/ssl-open-source.aspx).
WHERE DO I OBTAIN AN SSL CERTIFICATE?
1) Certificate Authorities
To get commercial, industry-grade SSL certificates, you buy them from a CA. Self-signing your certificates is not a wise option especially if you’re running an online shop, since your visitors will get browser warnings that might scare them off.
SSL certificates are sold like domain names and web hosting products – they are renewable yearly, can be bought for multiple years, come with special add-ons depending on the vendor, and can sometimes be bought at a discount.
There are dozens and dozens of CAs all over the globe, but just to be on the safe side, get one from a top, established CA. Reliable CAs undergo independent audit to ensure that their verification process could be relied upon. Remember, it’s all about who’s the most trustworthy to vouch for your site.
The top 5 CAs by market share as of May 2015 are:
- Symantec (includes Verisign, Thawte, Geotrust)
Incidentally, these top CAs are also providers of root certificates which are listed by default in the Trusted Root CA store of browsers (as shown earlier) and operating systems. Root CAs are the highest-level entity on the trust chain, and can sign for themselves and for intermediate CAs or resellers. For example, GeoTrust signs its own certificates while its subsidiary RapidSSL (intermediate CA) needs its parent CA’s signature:
A 2013 study by Baymard Institute revealed that commerce sites with the Symantec Norton SSL Seal are perceived to be most trustworthy by shoppers. Comodo has overtaken Symantec’s lead though, and this perception of who to trust the most might change as well.
However, the problem with the top-brand CA certificates is that they tend to be very expensive, costing a few hundred dollars even for the basic level of validation. Make sure to comparison-shop before making a purchase.
2) Your Web Host/Domain Registrar
Instead of directly buying from a CA, you could buy your SSL certificate from your web host or registrar. As mentioned at the start of this article, many resell SSL certificates and sometimes bundle it with their other services. It’s more convenient this way, and you may even score a good deal.
Things to Look For
Don’t just focus on pricing, though. Offers and prices vary widely, so it helps to write down your reasons for buying an SSL certificate so you don’t get confused. Compare these against what the CAs or resellers are offering. Also look at:
- Encryption strength
- The root CA
- Ease of installation
- Compatibility with your server
- Money-back guarantee
- Customer Support
WHAT DO I NEED TO INSTALL AN SSL CERTIFICATE FOR MY SITE?
This of course depends on which kind of certificate you’d like to get. But at the very least, to complete the domain-level validation, you should have:
- Ownership or legal authority over the domain – The CA will verify the WHOIS records, so make sure they’re correct
- Access to the compatible hosting server – For creating the Certificate Signing Request and installing the SSL certificate; either create it yourself or ask your web host to do it for you. Also check whether your CA supports your server software (often listed on the help pages).
Then you create a Certificate Signing Request (CSR) from your server. Basically, you ask your web host’s server to generate a boilerplate text file with encoded information about your domain name, organization, and your public key. You submit this encoded file, which looks like the one below, to your CA/vendor when you activate your SSL certificate.
After you make a request for a certificate, the CA will send you instructions on how to validate your domain and what documents you will send. Follow the instructions carefully. Once you’re done with authorization steps, you will get confirmation and a download link for your certificate.
Next, you (or your web host) will install the certificate file on your site’s server. How you install the certificate will vary according to how your web server is configured—instructions are different for Apache, Windows, IBM, etc. Closely follow the set of instructions that your issuing CA or web host provides.
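The trust chain described earlier (root CA, intermediate CA, site certificate) and the CSR step just described, as an added example that is not part of the original article: the script below uses openssl in a temporary directory to build a miniature chain, issue a site certificate from a CSR, and then check it the way a browser would. Every name in it (Example Root CA, www.example.com, Example Shop Ltd) is a constructed placeholder.

```shell
#!/bin/sh
# Added example: a miniature certificate chain built with openssl. Not the article's own
# material; all names below are constructed placeholders.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1) Root CA: signs its own certificate. Only this one goes into the "trusted" store,
#    like the root certificates preloaded in a browser.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

# 2) Intermediate CA (like RapidSSL under GeoTrust): its certificate is signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

# 3) Site owner's side: a private key (stays on the server) and a CSR carrying the domain
#    name, organization and public key. The CSR is what gets sent to the CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com/O=Example Shop Ltd" \
  -keyout site.key -out site.csr 2>/dev/null
csr_subject() { openssl req -in site.csr -noout -subject; }

# 4) CA's side: after validation, issue the site certificate signed by the intermediate.
printf 'subjectAltName=DNS:www.example.com\nbasicConstraints=CA:FALSE\n' > site.ext
openssl x509 -req -in site.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile site.ext -out site.crt 2>/dev/null

# 5) Browser's side: trust only the root; the intermediate is supplied "untrusted", as a
#    server sends it during the handshake. Exit status is 0 only if every signature,
#    CA flag and validity period checks out.
verify_chain() { openssl verify -CAfile root.crt -untrusted inter.crt site.crt >/dev/null 2>&1; }

# The same site certificate without its intermediate: the chain to the root is broken.
verify_without_intermediate() { openssl verify -CAfile root.crt site.crt >/dev/null 2>&1; }

# A self-signed certificate for the same domain: its own signature is fine, but no trusted
# root vouches for it, which is exactly what triggers the browser warning.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=www.example.com" \
  -keyout self.key -out self.crt 2>/dev/null
verify_selfsigned() { openssl verify -CAfile root.crt self.crt >/dev/null 2>&1; }

verify_chain && echo "full chain: accepted" || echo "full chain: rejected"
verify_without_intermediate && echo "no intermediate: accepted" || echo "no intermediate: rejected"
verify_selfsigned && echo "self-signed: accepted" || echo "self-signed: rejected"
```

Run it with a stock openssl install; the CSR it creates (`site.csr`) is the same kind of PEM block a CA or reseller asks you to paste in when activating a certificate.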
We’ve covered a lot of ground today – we hope you’re now more familiar with what SSL certificates are, how they work, where to get them, and how you can set them up confidently on your own. However, if you encounter issues, don’t hesitate to ask your web host or CA for assistance, they’d often be glad to help.