In the early days of the World Wide Web, all website requests and responses were transferred in “plain text.” This made them potentially viewable by digital eavesdroppers, which made it risky to transmit things like passwords, credit card numbers, and other sensitive and personal information.
In the mid-’90s, in order to enable ecommerce and support the web transfer of confidential information, Netscape developed a cryptographic protocol for web content delivery and connection authentication called SSL (Secure Sockets Layer), which later evolved into another protocol called TLS (Transport Layer Security).
While both protocols differ in terms of core algorithms, security, and the ports they support, they both function in generally the same way—by using a digital technology called an SSL certificate.
What is a Secure Sockets Layer (SSL) certificate?
An SSL certificate (sometimes called an “SSL/TLS certificate” or simply a “cert”) is a digital certificate that authenticates the identity of a website and enables an encrypted connection between a website and a browser. In other words, an SSL certificate supporting a TLS connection guarantees (a) the identity of the remote connection, and (b) that no one can read or modify the content shared over the secure connection except the sender and recipient. An SSL certificate acts both like a passport to verify the identity of the site owner who needs to support SSL, and like a key to support strong encryption.
SSL certificates are issued by organizations called certificate authorities, or CAs. A CA is a trusted organization that guarantees the identity of a website. They are trusted because they are few in number, well-known, and must clear high barriers to entry. There are just over 100 certificate authorities worldwide, and they are audited to be included as a trusted root by the vendors of web browsers and operating systems. Before issuing a certificate, the CA verifies the certificate requester’s information, like site ownership, name, location, and more, according to established industry standards. The CA also digitally signs the certificate with their own private key, enabling clients to verify it. For providing this service, most CAs charge a small annual fee (although free SSL certs are available from some web hosts and nonprofit CAs).
The actual SSL certificate is a small digital file, typically a few kilobytes, that is installed on the server supporting TLS and shared with others. This file contains:
- The domain name of the site for which the cert was issued
- The organization to which it was issued (the certificate holder)
- The name of the issuing CA
- The CA’s digital signature
- Any associated subdomains
- The certificate issue date and expiration date
- The public key (note: The private key is not shared)
Whenever you use a browser to connect to a URL beginning with “https,” or see the little padlock in the browser address bar, you know that you have a secure TLS connection verified by an SSL certificate issued by a CA. While this means connection to the site is secure, it does not necessarily mean that the site content is safe to use! Just because you can connect securely to a site doesn’t mean it’s not controlled by nefarious actors. If you click on the padlock your browser will display additional information about the certificate, the domain owner, and the connection.
How does an SSL certificate work?
A SSL certificate works by ensuring that any data transferred between a browser and a website remains impossible for a third party to read. It uses encryption algorithms to scramble data in transit, which prevents digital eavesdroppers from reading it as it travels over the connection. Secure communication over TLS relies on two certificates—one public, and one private—to create the secure connection.
When a browser attempts to connect to a website secured with TLS, that communication is established by a “handshake,” or back-and-forth communication that only takes a few milliseconds. The steps in this handshake are:
- The client (browser) connects to the SSL-secured website (server).
- The client asks the server to identify itself.
- The server sends over a copy of its SSL certificate.
- The client examines the SSL certificate for trustworthiness and signals to the server if it passes.
- The server initiates a digitally signed agreement to start an SSL-encrypted session.
- Encrypted data now flows freely and safely between the browser and the server.
The initial handshake happens using asymmetric encryption, based on public and private keys. After validation, the client and server exchange temporary private keys, used only for the session. This allows for more efficient encryption and decryption.
Types of SSL certificates
There are three types of SSL certificates that offer increasing levels of identity verification:
- Domain Validated (DV) Certificate: free to tens of dollars per year. A DV certificate involves only a minimal, automated identity verification, establishing only that the owner has control over the domain or subdomain. This is usually accomplished by email. A DV certificate is the least expensive way to obtain a cert, and most free certificates are of this type. However, it represents the lowest standard of security. DV certs are useful for blogs, individual websites, small businesses, or any site with the most basic security needs.
- Organization Validated (OV) Certificate: tens to hundreds of dollars per year. An OV certificate offers a stronger guarantee of the identity of the bearer. In order to obtain an OV certificate, the purchaser must pass nine validation checks. This is a mid-level business certificate, and the issuing CA guarantees that the organization affiliated with the certificate is valid and in good standing. This is a good approach for businesses not conducting financial or ecommerce transactions through their site.
- Extended Validated (EV) Certificate: hundreds of dollars per year and more, depending on verification. An EV certificate represents the highest level of identity verification, most suitable for corporations, financial entities, and ecommerce sites. Sixteen validation checks are involved, including both legal identity and physical location. The end user sees a green browser bar, indicating the highest level of verification, as well as additional corporate information behind the padlock.
A standard SSL certificate secures a single domain name. Many organizations wish to secure multiple subdomains on the same certificate (e.g., mail.example.com, shop.example.com), reducing costs and simplifying administration. This can be accomplished using a wildcard SSL certificate, which secures the primary domain and multiple “subject alternative names” (SANs, representing the subdomains). SANs can also be added which support multiple domains; this is called a multiple domain certificate.
How to get an SSL certificate
Setting up your web infrastructure for SSL/TLS is a process involving multiple steps. Your specific needs and approach may vary, but the process below provides a general overview in nine steps.
- Determine the level of security required. DV, OV, or EV. Review your organizational needs and budget and choose the level of identity verification appropriate.
- Determine the domains and subdomains to be supported. If you only have one, you may not need to obtain a wildcard certificate.
- Choose a certificate authority/provider. For lower-end needs, you may just need to work with your web hosting provider and obtain a free cert. Multi-domain and EV certs will involve a paid relationship with a certificate authority. Shop around.
- Request the certificate from the chosen provider. This generally involves filling out web forms and making payments.
- Verify domain ownership and other criteria. The CA will follow up to verify the information you submitted in your application, at a minimum requiring email verification of domain ownership.
- Obtain and install the certificate. This depends greatly on the CA you choose and your web platform. Generally, you will download a ZIP file containing three keys: the public key, the private key, and a certificate authority bundle. If you are working with a commercial web host, the administration console for your site will usually include tools for certificate installation. If you are working on your own hardware, closer to the operating system and web server, then follow the documentation for that environment.
- Configure other apps to use the certificate. If you intend to support SSL connections to other applications on your servers (e.g., WordPress, email, etc.), then you will need to configure them to use your certificate and the TLS protocol.
- Confirm your secure connection is working. Connect to your website and/or other apps and ensure that you have a secure connection. Click on the padlock and review the information displayed in your browser.
- Submit your site(s) to search engines. Your new “https” sites are distinct from your old “http” sites. If your users rely on search engines to find you, you will need to re-submit your new https URLs to those engines for indexing.