What Is SSL Certificate & How Does It Work
What is an SSL certificate?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are standard security protocols used to establish an encrypted connection between a server and a browser. Installing an SSL certificate ensures that all data passed between a client (the browser) and a web server remains private and that its integrity is not compromised. This is especially important when a website collects sensitive personal information such as passwords, credit card numbers, phone numbers or email addresses. Nowadays most websites that request personal information have an SSL certificate; in modern browsers this usually shows up as a closed padlock icon, and the address begins with HTTPS instead of HTTP.
How Does an SSL certificate work?
To understand how SSL certificates work, we first need to explain what type of encryption is used to secure the data passed between the two parties. The SSL protocol uses both symmetric and asymmetric encryption. In symmetric encryption there is only one key, which is used both to encrypt and to decrypt data. In asymmetric encryption a pair of keys is generated: one is called the private key and the other the public key. Data encrypted with the public key can only be decrypted with the matching private key, and vice versa. The public key can be freely shared with anyone and is embedded in the SSL certificate, while the private key must be kept secure and, well, private. The mathematics used to generate the key pair makes deriving the private key from the public key computationally infeasible.
To explain in simple terms, when you go to visit a secure website this is what happens:
1. Your browser sends a request to the server of a secure website.
2. The server responds with its SSL certificate.
3. The browser checks that the certificate is valid, encrypts a random string of numbers (known as the pre-master secret) with the server's public key and forwards it to the server.
4. The server receives the encrypted pre-master secret and decrypts it using its private key.
5. The browser and the server each derive the master secret encryption key from the pre-master secret, so both now hold the same key.
6. Secure communication has been established. The browser and server exchange messages back and forth using that encryption key.
Steps 1 to 5 are referred to as the SSL handshake; during that process asymmetric encryption is used. Once the secure session has been established, symmetric encryption is used for all communication between the browser and the server. (The sequence above describes the RSA key exchange; TLS 1.3 instead agrees the session key with ephemeral Diffie-Hellman, but the split between an asymmetric handshake and symmetric bulk encryption is the same.)
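The handshake just described, written out as an added example in Go (not code from the original article): a freshly generated RSA key pair stands in for the key pair behind the server's certificate, the browser encrypts a random pre-master secret with the public key (step 3), the server recovers it with the private key (step 4), both sides derive the same symmetric key (step 5), and application data then travels under AES-GCM (step 6). The key derivation is a plain SHA-256 over the handshake inputs, which is an assumption of this example rather than the TLS PRF/HKDF; the OAEP label, nonces and message are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// oaepLabel ties the RSA-OAEP ciphertext to its purpose (a constructed value).
var oaepLabel = []byte("pre-master secret")

// NewServerKey generates the long-term key pair whose public half a real server
// would embed in its certificate (step 2); the private half never leaves it.
func NewServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ClientKeyExchange is step 3: the browser draws a random 48-byte pre-master
// secret and encrypts it with the public key from the server's certificate.
func ClientKeyExchange(serverPub *rsa.PublicKey) (preMaster, encrypted []byte, err error) {
	preMaster = make([]byte, 48)
	rand.Read(preMaster)
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, preMaster, oaepLabel)
	return preMaster, encrypted, err
}

// RecoverPreMaster is step 4: only the matching private key can decrypt; any
// other key (an eavesdropper's, say) gets an error instead of the secret.
func RecoverPreMaster(serverPriv *rsa.PrivateKey, encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, encrypted, oaepLabel)
}

// DeriveSessionKey is step 5: both sides turn the shared pre-master secret and
// the two handshake nonces into the same symmetric key. Real TLS uses its PRF
// (1.2) or HKDF (1.3); one SHA-256 over the same inputs is an assumption here.
func DeriveSessionKey(preMaster, clientRandom, serverRandom []byte) []byte {
	h := sha256.New()
	h.Write([]byte("session key"))
	h.Write(preMaster)
	h.Write(clientRandom)
	h.Write(serverRandom)
	return h.Sum(nil) // 32 bytes, used as an AES-256 key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal and Open are step 6: application data under AES-256-GCM, which protects
// both confidentiality and integrity. The random nonce travels in front.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func Open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// RunHandshake walks steps 2-6 end to end for one constructed message and
// returns it as the server decrypted it, so the round trip can be checked.
func RunHandshake(msg []byte) ([]byte, error) {
	serverPriv, err := NewServerKey() // the key pair behind the certificate
	if err != nil {
		return nil, err
	}
	clientRandom, serverRandom := make([]byte, 32), make([]byte, 32) // handshake nonces
	rand.Read(clientRandom)
	rand.Read(serverRandom)
	preMaster, encrypted, err := ClientKeyExchange(&serverPriv.PublicKey)
	if err != nil {
		return nil, err
	}
	recovered, err := RecoverPreMaster(serverPriv, encrypted)
	if err != nil {
		return nil, err
	}
	clientKey := DeriveSessionKey(preMaster, clientRandom, serverRandom) // browser's copy
	serverKey := DeriveSessionKey(recovered, clientRandom, serverRandom) // server's copy
	sealed, err := Seal(clientKey, msg) // browser -> server
	if err != nil {
		return nil, err
	}
	return Open(serverKey, sealed) // server reads it with its own copy of the key
}
```

Note that after step 5 the RSA keys are no longer touched: every message in step 6 is sealed and opened with the symmetric session key, which is the point the article makes about the handshake being asymmetric and the session symmetric.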
A question that is often asked is: what stops someone from generating their own SSL certificate? The answer is that they could, but in that case your browser would show a warning that the certificate should not be trusted. Certificates are issued by what are called Certificate Authorities (CAs), and most modern browsers come preloaded with a list of CAs that they trust. This list is called the Trusted Root Certificate Store; to get on it, a CA has to be audited and comply with established security and authentication standards. When issuing a certificate, the Certificate Authority signs it with its own private key, and that signature can be verified using the CA's public key.
Why install an SSL certificate?
Installing an SSL certificate offers a number of advantages, from security to SEO. Let's take a look at each of them.
As already mentioned, the main purpose of SSL is to provide a secure channel between a client and the server by encrypting any data that passes through it. This is crucial for websites that collect sensitive information such as credit card details, social security numbers and login credentials; some also include email addresses in this category. Most websites that deal with that sort of personal information are either e-commerce businesses or government authorities. However, any website that sells a service or a product needs an SSL certificate, for example a blog about web design that sells tutorials or design elements through its own site. The internet is essentially a great many interconnected computers, and data travels from one to the next before reaching its destination. If the data is not encrypted it can be intercepted or tampered with by attackers along the way. Encrypting the information ensures that only the intended parties can read it, since only they hold the keys to decrypt it, so even if the data falls into the wrong hands the attackers will not be able to interpret it.
Nowadays more and more people are educated about internet security, even if only at the most basic level. An SSL certificate assures customers that their purchase will be secure, and more often than not the lack of one is enough to turn a customer away.
How do you know that the website you are visiting does in fact belong to whom it claims? That's where the SSL certificate comes into play. The website's server sends your browser its SSL certificate, as if to say "I am indeed who I say I am and this domain belongs to me"; your browser validates the certificate and, if everything checks out, proceeds with the SSL handshake and opens a session.
This is extremely important, as it helps prevent man-in-the-middle attacks and makes sure sensitive personal information travels only to its intended recipient.
There are different types of SSL certificates which differ in verification depth and trust level.
Domain validation (DV). The most basic and least thoroughly verified type of certificate. The CA only checks that the domain belongs to the person who requested the certificate, in other words that the requester controls it.
Organization validation (OV). The CA verifies that the organization is a legal entity and that the person requesting the certificate has the authority to act on its behalf. Put simply, the CA checks that the organization does in fact exist. This type of certificate contains the company's name and address by default.
Extended validation (EV). This certificate provides the highest level of trust. Only employees with the authority to sign both the subscriber agreement and the certificate request can apply for an EV certificate; these are usually CEOs, VPs, officers etc. The company has to have legally existed for more than 3 years prior to the request. In addition to the above, the CA will verify the company's phone number, business address and the requester. Just as with an OV certificate, information about the certificate holder is embedded in the certificate. This is the only type of certificate that shows a green bar with the company's name next to the domain address.
Search Engine Ranking
In 2014 Google rolled out a ranking algorithm change that prioritizes HTTPS websites. A year later they stated that when choosing between two similar websites, one with an SSL certificate and one without, they would rank the secure website higher. Google has been encouraging websites to implement SSL certificates. Not to mention that when people see websites in their search results they are more likely to click on the secure one, seeing it as more trustworthy than a non-secure one, which in turn improves the website's traffic.
How to Get an SSL certificate?
If you've decided that you do need an SSL certificate, I'll briefly cover what you'll need and point you in the right direction to obtain one.
Here’s a list of things you’ll need before getting a certificate:
Dedicated IP address. Because of how SSL works, your server needs its own unique IP address. This matters because if your website is hosted on a shared web server you won't be able to acquire an SSL certificate.
Certificate Signing Request (CSR). You will need to generate a CSR on your web server before ordering the certificate. The CA uses the information contained in the CSR (domain name, public key, organization name, etc.) to create the certificate.
Domain Validation Rights (DVR). The CA will validate your DVR by checking that the information in your WHOIS record is correct. Typically, for the most basic domain validation process you will need access to the administrative email address listed there. The higher the validation level of the certificate, the more information the CA will verify; if you wish to obtain an OV or EV certificate, be prepared to submit legal documents establishing ownership of the website.
Choose a Certificate Authority
There is a wide variety of Certificate Authorities to choose from. Of course, the most important thing is that you are comfortable with the features the CA offers and with its pricing. Beyond that, these are the factors you need to take into consideration:
Root Certificate Program.
The CA has to be a member of the root certificate programs run by browser and operating system vendors. This ensures that your certificate will be trusted by most modern browsers and other software. The majority of CAs are members of these programs and guarantee that their certificates are trusted by almost all browsers, but it never hurts to check: both Apple and Microsoft, for example, publish lists of the CAs they trust.
Make sure that a CA offers the certificate type that you want. Here is a quick rundown of different types:
Single Domain. Pretty self-explanatory: this certificate is issued for a single domain only, e.g. example.com. Keep in mind that it does not include www.example.com.
Wildcard. Issued for a domain and all of its subdomains, e.g. www.example.com, shop.example.com etc.
Multiple Domain. Issued for multiple domains as well as subdomains, e.g. example.com, www.example.com and example.org.
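The following added example in Go (not code from the original article, and not any CA's software) ties together three points made above: the CSR you generate on your own server, the CA signing a certificate with its private key that browsers then check against their Trusted Root Certificate Store, and the single-domain versus wildcard naming rules. It builds a constructed "trusted" root and an equally self-signed "homemade" root, issues certificates from each, and runs the same two checks a browser runs: does the chain end at a trusted root, and does the visited hostname match a name in the certificate. All names, organizations, serial numbers and validity periods are constructed; `check` aborting on error is a simplification for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// check stops the demo on the first error; a real server would return it.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed root, the role a CA's root plays in the browser's
// Trusted Root Certificate Store. The name is a constructed value.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// makeCSR is the applicant's side: the key pair is generated on your own server
// and only the public key and the requested names go into the CSR.
func makeCSR(names []string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: names[0], Organization: []string{"Example Org (constructed)"}},
		DNSNames: names,
	}, key)
	check(err)
	return csrDER
}

// issue is the CA's side: verify the CSR's self-signature (proof the applicant
// holds the private key), then sign a leaf certificate with the CA's own key.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature())
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; real CAs use random serials
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// browserAccepts is the browser's check: the chain must end at a root in the
// trust store and the visited hostname must match a name in the certificate.
func browserAccepts(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

// Scenarios issues a single-domain and a wildcard certificate from the trusted
// root, plus an example.com certificate from a root nobody trusts, and records
// which hostnames a browser would accept for each.
func Scenarios() map[string]bool {
	trustedCA, trustedKey := newCA("Trusted Root CA (constructed)")
	homemadeCA, homemadeKey := newCA("Homemade CA (constructed)")
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA) // only this root is in the "browser's" store
	single := issue(trustedCA, trustedKey, makeCSR([]string{"example.com"}))
	wild := issue(trustedCA, trustedKey, makeCSR([]string{"*.example.com"}))
	rogue := issue(homemadeCA, homemadeKey, makeCSR([]string{"example.com"}))
	return map[string]bool{
		"single-domain cert, visiting example.com":     browserAccepts(single, roots, "example.com"),
		"single-domain cert, visiting www.example.com": browserAccepts(single, roots, "www.example.com"),
		"wildcard cert, visiting shop.example.com":     browserAccepts(wild, roots, "shop.example.com"),
		"wildcard cert, visiting example.com":          browserAccepts(wild, roots, "example.com"),
		"homemade CA cert, visiting example.com":       browserAccepts(rogue, roots, "example.com"),
	}
}
```

The homemade root is built exactly like the trusted one; the only difference is that it is absent from the root store, which is why its certificate for example.com is rejected while the trusted root's is accepted. The wildcard results also show that `*.example.com` covers `shop.example.com` but not the bare `example.com`, so a site serving both names needs either a multiple-domain certificate or both names listed.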
Another categorization you will encounter is the level of validation, covered above (DV, OV, EV).
It's a competitive market for Certificate Authorities, so to stand out they offer additional features, for example an easier automated installation process. Weigh your options carefully before making a purchase.
Mari Koval is a content writer at WebHostingGeeks.com. She has written for various online publications and blogs. With an equal passion for both technology and educating people, she strives to produce content that is informative yet easy to understand.