Last updated date : 26 Jun 2024

SSL Certificate definition

A Secure Sockets Layer (SSL) certificate, also known as a public key certificate, is a cryptographic file installed on your web server that helps establish secure, encrypted online communication. SSL certificates serve two major purposes:

  • 01. Provide encryption

    When a visitor's browser connects to your website via SSL, the exchange of information is encrypted and becomes undecipherable to cybercriminals who try to eavesdrop.

  • 02. Provide authentication and trust

    An SSL certificate acquired from a renowned certificate authority provides authentication and trust. This means your visitors can be sure they have reached the correct website and feel secure about any personal information being shared.

How does SSL work?

When a visitor attempts to connect to your website over the internet, both communicating parties—client and server—validate one another's identity through a series of steps before establishing a connection and sharing information. This process is called an SSL handshake. It is also during this process that a session key is generated, which provides symmetric encryption of the particular session after both parties have successfully authenticated one another.

Listed below is the sequence of steps that take place in the background during an SSL handshake:

  • 01. Client hello

    The client sends the server a request to establish a connection, including a list of its compatible cipher suites and SSL/TLS versions.

  • 02. Server hello

    The server receives the request, checks the cipher suites and SSL versions, and chooses a mutually compatible cipher suite and SSL version from the list. The server also sends its certificate, which carries its public key.

  • 03. Generation of pre-master key

    The client receives the certificate, extracts the public key, creates a new key called the "pre-master key," encrypts it with the server's public key, and sends it to the server.

  • 04. Decryption of the pre-master key

    The server decrypts the pre-master key using its private key.

  • 05. Generation of the shared secret

    Both the server and client now use the pre-master key to compute a shared secret called the session key (a symmetric encryption key).

  • 06. Client verification

    The client sends a test message that’s encrypted with the session key to the server.

  • 07. Server acknowledgement

    The server receives the message, decrypts it using the session key, and sends an acknowledgement that’s also encrypted using the session key back to the client, requesting to initiate the session.

  • 08. Connection establishment

    The session begins, and both the client and server use the session key to encrypt their communication during the rest of the session.
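
Steps 02 to 07 above can be traced with the `openssl` command line. This is an added example, not code from the original page or from ManageEngine; it is a simplified model of the key exchange rather than real TLS, and the function names, file names and message texts are assumptions.

```shell
#!/bin/sh
# Simplified model of handshake steps 02-07 (RSA key transport), NOT real TLS:
# no certificate validation, no record authentication, and a plain SHA-256
# stands in for TLS's key derivation.
set -eu
HS=$(mktemp -d)   # stands in for the network plus both endpoints' memory

server_hello() {        # 02: the server's certificate carries server.pub
  openssl genrsa -out "$HS/server.key" 2048 2>/dev/null
  openssl pkey -in "$HS/server.key" -pubout -out "$HS/server.pub"
}
client_premaster() {    # 03: random pre-master key, encrypted to the public key
  openssl rand 48 > "$HS/client.pms"
  openssl pkeyutl -encrypt -pubin -inkey "$HS/server.pub" \
    -in "$HS/client.pms" -out "$HS/wire.pms"
}
server_premaster() {    # 04: only the holder of server.key can recover it
  openssl pkeyutl -decrypt -inkey "$HS/server.key" \
    -in "$HS/wire.pms" -out "$HS/server.pms"
}
session_key() {         # 05: usage: session_key client|server (hex AES-256 key)
  openssl dgst -sha256 "$HS/$1.pms" | awk '{print $NF}'
}
seal() {                # usage: seal <hexkey> <msg-name> <text>
  openssl rand -hex 16 > "$HS/$2.iv"          # fresh IV for every message
  printf '%s' "$3" | openssl enc -aes-256-cbc -K "$1" \
    -iv "$(cat "$HS/$2.iv")" -out "$HS/$2.ct"
}
unseal() {              # usage: unseal <hexkey> <msg-name>; prints the plaintext
  openssl enc -d -aes-256-cbc -K "$1" -iv "$(cat "$HS/$2.iv")" -in "$HS/$2.ct"
}
run_handshake() {
  server_hello; client_premaster; server_premaster
  ck=$(session_key client); sk=$(session_key server)
  [ "$ck" = "$sk" ] || return 1
  seal "$ck" c2s "client test message"                          # 06
  [ "$(unseal "$sk" c2s)" = "client test message" ] || return 1
  seal "$sk" s2c "server acknowledgement"                       # 07
  [ "$(unseal "$ck" s2c)" = "server acknowledgement" ]
}

run_handshake && echo "handshake complete, both sides hold the same session key"
```

Only `wire.pms` and the `.iv`/`.ct` files would cross the network; the pre-master key itself never travels in the clear.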

Why is an SSL certificate important for website security?

An SSL certificate allows users to trust your website and the information provided within the page. It lets users know that the website is end-to-end encrypted and that any personal information will be securely maintained. Additionally, SSL certificates protect data during transit and prevent middlemen from tampering with or eavesdropping on the website's traffic.

How to set up SSL on your website

SSL certificates are usually signed and issued by trusted third-party entities called certificate authorities (CAs) before browsers will trust the legitimacy of your website. Once you've installed an SSL certificate on your web server, your website will leverage the HTTPS protocol to secure all communication with its visitors. Read on to find out how you can set up SSL on your website and the benefits an HTTPS-activated site can have on your brand image.

01. Choose the right certificate type

To begin, you should research what type of certificate will fit your web application. Here are some important criteria you'll have to consider:

Level of trust: Commercial CAs offer three types of certificates, each involving a different level of vetting of your organization:

  • Domain-validated (DV) certificates

    This type of certificate secures and encrypts a particular domain name by validating the legitimacy of the domain owner.

  • Organization-validated (OV) certificates

    This type of certificate is generated after trusted CAs vet the organization requesting the certificate, so it provides a greater level of brand credibility for end users than a domain-validated certificate does.

  • Extended-validation (EV) certificates

    This type of certificate provides the highest level of security, and involves rigorous vetting of the organization requesting the certificate. The vetting is done as per the rules laid down by the CA/Browser Forum. Having an EV SSL on your website activates the address bar and displays your organization’s name in the browser's omnibox. EV certificates are generally used by major online retailers and banks as well as organizations that intend to build immediate trust with their end users.

 

 

Number of domains: Depending on the number of domains you want to secure with an SSL certificate, you can categorize certificates into the following three types:

  • Single domain certificates

    These certificates allow users to secure a fully qualified domain name over a single certificate. For instance, a single domain certificate for the domain name www.yourdomain.com will secure all the webpages on www.yourdomain.com/. This type of certificate is ideal for small and medium-sized businesses managing a limited number of webpages on their site.

  • Multi-domain certificates

    Multi-domain certificates, also referred to as SAN certificates, utilize Subject Alternative Names (SANs) to secure up to 100 distinct domain names, subdomains, or public IPs over a single certificate. Another notable advantage of these certificates is that they don't require dedicated IP addresses for the host names and can be installed on a single IP address.

  • Wildcard certificates

    These certificates can secure an unlimited number of subdomains of a top-level domain (TLD), and are a great option for organizations that manage multiple pages on the same domain. While this type of certificate is highly effective for cost-cutting and easy management, one big disadvantage is that revoking the certificate on one subdomain will revoke it on all other subdomains as well.

Apart from these two major criteria, you should also take issuance speed, pricing, customer support, and other factors into consideration when choosing an SSL certificate for your organization’s website.

02. Request, acquire, and install

Once you've chosen the right type of certificate for your web application, you have to raise a certificate request to a third-party CA and deploy the certificate on your corresponding web server. This is done by generating and sending a Certificate Signing Request (CSR) to the CA; once the CA validates your domain, it issues the certificate.

On the other hand, you can also set up an in-house CA within your network, such as the Microsoft Certificate Authority, and request and deploy certificates to servers within your network. However, this method is best suited for internal web applications and not for public-facing websites, as commercial browsers don't trust self-signed certificates.

  • Generate a CSR

    Generating a CSR is the first step to requesting an SSL certificate from a third-party CA. Usually generated on the same server on which the certificate will be installed, the CSR is a cryptographic file that contains details about your organization and domain name, as well as a public key. CSRs are usually signed with your private key.

  • Validate your domain

    After you have submitted the CSR to a third-party CA, the CA will start validating your domain. The validation process depends on the type of certificate you've requested and the issuing body. For instance, if you've requested a DV SSL, the validation process is pretty simple; the CA might verify your organization’s email or check the web registrar's information. On the other hand, the validation procedure for OV and EV SSLs is more rigorous and involves a background check of your organization's identity.

  • Installation and final steps

    Once the validation process is complete, the CA issues the certificate that you then install on your end-servers. The installation process is different for different server types. After successful installation, restart the server for the certificate to take effect.
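
The CSR step above, as an added example using the `openssl` command line (not part of the original page or of Key Manager Plus): it generates a key and a CSR with SAN entries, then runs the checks worth doing before the request goes to a CA. The function names, the organization name and the `example.test` domains are placeholders.

```shell
#!/bin/sh
# Key + CSR generation with SAN entries, then pre-submission checks.
# Needs OpenSSL 1.1.1 or later for -addext. All names below are placeholders.
set -eu

make_csr() {                # usage: make_csr <outdir> <common-name> <san>...
  dir=$1; cn=$2; shift 2
  san=""
  for name in "$@"; do san="${san:+$san,}DNS:$name"; done
  # The private key never leaves this host; keep it owner-readable only.
  ( umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/O=Example Org/CN=$cn" -addext "subjectAltName=$san"
}

csr_self_signature_ok() {   # the CSR must verify against the key it carries
  out=$(openssl req -in "$1" -noout -verify 2>&1) || return 1
  case $out in *"verify OK"*) return 0 ;; *) return 1 ;; esac
}

pubkey_fingerprint() {      # usage: pubkey_fingerprint key|csr <file>
  case $1 in
    key) openssl pkey -in "$2" -pubout ;;
    csr) openssl req -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

csr_sans() {                # DNS names requested in the CSR, one per line
  openssl req -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2
}

# Demo run with constructed names.
demo=$(mktemp -d)
make_csr "$demo" www.example.test www.example.test example.test
csr_self_signature_ok "$demo/server.csr" && echo "CSR signature: OK"
[ "$(pubkey_fingerprint key "$demo/server.key")" = \
  "$(pubkey_fingerprint csr "$demo/server.csr")" ] && echo "CSR key matches server.key"
csr_sans "$demo/server.csr"
```

Only `server.csr` is sent to the CA; `server.key` stays on the server that will host the certificate.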

 

You should also scan your SSL certificates post-deployment to ensure there aren't any configuration vulnerabilities and the trust provided by them is intact.

The whole process of setting up SSL—right from CSR generation to deployment on endpoint servers—can be done manually. However, as the number of certificates grows, it becomes daunting for IT administrators to streamline the process and keep it error-free. Security professionals highly recommend enterprises adopt a centralized approach for managing the certificate life cycle to prevent the risk of unexpected expiration and privilege misuse.
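
One way to catch the unexpected expiration mentioned above before it happens: an added example (not from the original page or the product) that triages PEM certificates in a directory with `openssl x509 -checkend`. The function names, the directory layout, the 30-day window and the sample certificates are assumptions constructed for the demo.

```shell
#!/bin/sh
# Expiry triage for PEM certificates on disk, using `openssl x509 -checkend`.
set -eu

cert_status() {   # usage: cert_status <cert.pem> <warn_days>
  if ! openssl x509 -in "$1" -noout 2>/dev/null; then
    echo UNREADABLE            # not a certificate: flag it, don't call it expired
  elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
    echo EXPIRED
  elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo RENEW                 # still valid, but inside the warning window
  else
    echo OK
  fi
}

scan_dir() {      # usage: scan_dir <dir> <warn_days>; prints status, notAfter, path
  for pem in "$1"/*.pem; do
    [ -e "$pem" ] || continue
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
    printf '%s\t%s\t%s\n' "$(cert_status "$pem" "$2")" "${end:-unknown}" "$pem"
  done
}

make_sample_cert() {   # constructed input: make_sample_cert <name> <days> <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/CN=$1.example.test" -keyout "$3/$1.key" -out "$3/$1.pem" 2>/dev/null
}

# Demo run over constructed certificates.
certs=$(mktemp -d)
make_sample_cert soon 10 "$certs"      # expires in 10 days
make_sample_cert later 400 "$certs"
printf 'not a certificate\n' > "$certs/junk.pem"
scan_dir "$certs" 30
```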

03. Additional benefits of setting up SSL

SSL, without a doubt, forms the sole foundation of website security. That said, there are also quite a few other benefits your organization can reap from setting up SSL on its websites.

  • Better search engine ranking

    Google announced HTTPS as a ranking signal back in 2014 and since then, sites with HTTPS protection have enjoyed a boost in search engine ranking over HTTP sites.

  • Increased conversion rates

    Since HTTPS sites are positioned high in search engine results, they’re likely to produce better conversion rates than sites secured with HTTP.

  • Improved customer trust

    As an indication of security, search engines display the padlock icon in their browser omnibox for HTTPS sites, which helps visitors know they’re on a trustworthy site.

  • Better brand credibility

    Apart from marking HTTPS sites as having better security, search engines also throw security warnings for HTTP sites, which can greatly bring down a brand's credibility.

 

So, what are you waiting for? Make the switch to HTTPS if you haven't already and centralize the management of the SSL certificate life cycle right away.

04. How does TLS differ from SSL?

SSL is the older version of the encryption protocol that securely manages access to websites and protects data during transit. Transport Layer Security (TLS), however, takes a more graded approach to website security. The client-server handshake occurs with more built-in and automated processes, making it faster and more reliable than SSL. Organizations have been moving from SSL to TLS authentication protocols, which gives a clear picture of the need for significant advancements in managing online interactions and the sharing of critical information.

FAQs about SSL certificates

  • What happens if an SSL certificate expires?

    When SSL certificates expire, they pose a threat to sensitive information available within a webpage. The encrypted tunnel is no longer available for secure client-server interactions, and this makes way for potential exploitation to take place. This takes a toll on the security and reputation of the organization and the critical information that resides within.

  • How can I detect and renew SSL certificates before expiration?

    Deploying a certificate management tool allows for customers to be promptly notified about certificate expiry, thereby allowing room for timely renewal. ManageEngine Key Manager Plus is an end-to-end certificate management solution that helps you manage certificates and actions revolving around them.

  • How can I find if a site is SSL certified?

    Considering the security of the user to be a major requisite while accessing websites, it is important to identify if the website is SSL certified. The website URL that contains a padlock symbol lets the user know that the website is a legitimate one and allows for secure interaction. Websites without this indication may lack proper security measures for managing user and client interactions.

  • How can I safeguard my online sessions?

    Achieving security over online sessions is a continuous process. Certificates play a major role in determining the security of websites accessed by users. They are the keys to a website's authenticity, and the lack of valid certificates can bring about serious impact on security. Coupling certificate management with secure password management routines facilitates effective communication between server and client and ensures that your online sessions are safely managed.