One of the most important components of an online business is creating a trusted environment in which potential customers feel confident and comfortable placing orders.
SSL certificates create a foundation for trust by establishing a secure connection. To show visitors that their connection is secure, the browser displays an indicator such as a small lock icon or a blue bar.
An SSL certificate consists of a key pair: a public key and a private key. These keys work together to establish an encrypted connection. The certificate also contains what is called the "subject", which identifies the owner of the certificate and website.
To obtain a certificate, you first create a Certificate Signing Request (CSR) on your server. This process generates a private key and a public key on your server.
The CSR data file that you send to the certificate issuer (the CA, Certificate Authority) contains the public key. The CA uses the CSR data to create a data structure that matches your private key, without the key itself ever leaving your server: the CA never sees the private key.
Once you get the SSL certificate, you install it on your server. You also install an intermediate certificate that establishes the trustworthiness of the SSL certificate by tying it to the CA’s root certificate. The instructions for installing and verifying the certificate vary depending on the server you use.
In the figure below you can see the so-called certificate chain. It connects your server certificate to the SSL certificate provider’s root certificate via an intermediate certificate.
The most important part of an SSL certificate is that it is digitally signed by a trusted CA, such as DigiCert. Anyone can create a certificate, but browsers only trust certificates that come from an organization on their list of trusted CAs.
Browsers ship with a built-in list of trusted CAs, known as the Trusted Root CA store. To be added to the Trusted Root CA store and thereby become a Certificate Authority, a company must meet the security and authentication standards established by the browser vendors.
An SSL certificate issued by a CA to an organization for its domain/website attests that a trusted third party has authenticated that organization's identity. Because the browser trusts the CA, the browser also trusts the identity of the organization.
The browser tells the user that the site is secure, and that the user can feel safe while browsing the site and even entering their confidential information (e.g. credit card information).
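The issuance and validation flow described above, as an added example written for this page (it is not DigiCert's code or part of the original article): the server generates its own key pair and a CSR, the CA checks the CSR and signs a certificate over its public key with an intermediate that is itself signed by a self-signed root, and the browser side builds a path from the server certificate to a root in its trust store while checking validity period and hostname. It uses Go's standard crypto/x509 package only; the CA names, the hostname shop.example.com and the serial numbers are constructed for the example, the whole PKI lives in one process, and revocation checking (CRL/OCSP) is not modeled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation and local signing only fail if the process is unhealthy
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// newTemplate fills the fields a CA would set; the names and serials are constructed for the example.
func newTemplate(cn string, isCA bool, dns []string, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn}, // the "subject": who owns the certificate
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dns,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	return t
}

// sign issues a certificate over pub with the signer's key; passing tmpl as its own parent self-signs it.
func sign(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// ServerCSR is the web server's step: generate a key pair and a CSR that carries only the public key.
func ServerCSR(host string) ([]byte, *ecdsa.PrivateKey) {
	key := newKey()
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key)), key
}

// CAIssue is the CA's step: verify the CSR's self-signature, then sign a certificate over the CSR's
// public key with the intermediate CA key. The server's private key never appears on this side.
func CAIssue(csrDER []byte, issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // the requester proved it holds the matching private key
	}
	if err != nil {
		return nil, err
	}
	return sign(newTemplate(csr.Subject.CommonName, false, csr.DNSNames, 3), issuer, csr.PublicKey, issuerKey), nil
}

// BuildChain plays the whole PKI: the root signs the intermediate, the intermediate signs the server's CSR.
func BuildChain(host string) (*Chain, error) {
	rootKey, interKey := newKey(), newKey()
	rootTmpl := newTemplate("Example Root CA", true, nil, 1)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := sign(newTemplate("Example Intermediate CA", true, nil, 2), root, &interKey.PublicKey, rootKey)
	csr, _ := ServerCSR(host) // the server keeps its private key; only the CSR travels to the CA
	leaf, err := CAIssue(csr, inter, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{root, inter, leaf}, nil
}

// Check is the browser's side: a path to a trusted root (through the intermediate, if the server
// installed it), the validity period and the hostname. Revocation (CRL/OCSP) is not modeled.
func Check(c *Chain, host string, withIntermediate bool, hoursFromNow int) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root) // the browser's trusted root store
	if withIntermediate {
		inters.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		DNSName:       host,
		CurrentTime:   time.Now().Add(time.Duration(hoursFromNow) * time.Hour),
	})
	return err
}

func main() {
	c := must(BuildChain("shop.example.com"))
	fmt.Println("full chain:", Check(c, "shop.example.com", true, 0))
	fmt.Println("intermediate not installed:", Check(c, "shop.example.com", false, 0))
}
```

Calling `Check` with `withIntermediate` set to false reproduces the most common installation mistake: the server certificate is genuine, but because the intermediate was not installed alongside it the browser cannot build a path to any root it trusts and rejects the connection. A wrong hostname or a time past `NotAfter` fails in the same place, which is why the text lists those checks together.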
What is SSL (Secure Sockets Layer)?
SSL is the standard security technology for establishing an encrypted link between a server and a client – usually a web server (website) and a browser, or a mail server and mail client (e.g. Outlook).
SSL allows sensitive information such as credit card numbers, social security numbers, and login credentials to be transmitted securely. Normally, data sent between a browser and a web server is passed back and forth in plain text, which leaves it open to theft: an attacker who intercepts the traffic between the browser and the web server can read and use that information.
More specifically, SSL is a security protocol. Protocols describe how algorithms should be used; in this case, the SSL protocol determines the encryption parameters for both the link and the data being transmitted.
All browsers are capable of interacting with secure web servers using the SSL protocol. However, the browser and the server need an SSL certificate to establish a secure connection.
SSL secures the data of millions of people on the Internet every day, especially during online transactions or when confidential information is transmitted. Internet users associate their online security with the lock icon on SSL-secured websites, or with the green address bar of websites secured with Extended Validation SSL. SSL-secured websites also begin with https rather than http.
If you already have a background in SSL certificates and the technology behind them, you may want to read more about SSL cryptography.
How does an SSL certificate establish a secure connection?
When a browser tries to access a website secured with SSL, the browser and the web server establish an SSL connection using a process known as the "SSL Handshake" (see diagram below). Note that the SSL handshake is invisible to the user and happens instantaneously.
In essence, three keys are used to establish an SSL connection: the public key, the private key, and the session key. Anything encrypted with the public key can only be decrypted with the private key, and vice versa.
Because encrypting and decrypting with the private and public keys takes a lot of processing power, they are used only during the SSL handshake, to create a symmetric session key. Once the secure connection is established, the session key is used to encrypt all transmitted data.
- The browser connects to a web server (website) secured with SSL (https) and asks the server to identify itself.
- The server sends a copy of its SSL certificate, including the server's public key.
- The browser checks the certificate's root against its list of trusted CAs, and checks that the certificate has not expired, has not been revoked, and that its common name is valid for the website it is connecting to. If the browser trusts the certificate, it generates a symmetric session key, encrypts it with the server's public key, and sends it back.
- The server decrypts the symmetric session key with its private key and sends back an acknowledgment encrypted with the session key to start the encrypted session.
- The server and the browser now encrypt all transmitted data with the session key.
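The handshake steps listed above, as an added Go example written for this page (it is not from the original article or from DigiCert): the server's RSA key pair stands in for the key pair behind the certificate, the client generates a fresh AES-256 session key and wraps it with RSA-OAEP for the server's public key, the server unwraps it with its private key and answers with an acknowledgment under the session key, and both sides then exchange AES-GCM records. The certificate checks of the third step are assumed to have passed and are left out; the session object name, the "finished" acknowledgment and the card-number payload are constructed for the example. Real TLS differs in ways a practitioner should know: the traffic keys are derived from a premaster secret and both sides' random values, the handshake transcript itself is authenticated, and since TLS 1.3 (and in well-configured TLS 1.2) the session key comes from an ephemeral Diffie-Hellman exchange rather than RSA encryption, so the certificate's private key only signs and a later key compromise does not expose recorded traffic.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds the long-term RSA key pair; the public half is what its certificate carries.
type Server struct{ priv *rsa.PrivateKey }

func NewServer() *Server {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no entropy: nothing sensible to do
	}
	return &Server{priv: priv}
}

// Session is one side's view of the symmetric session key, used as AES-256-GCM.
type Session struct{ aead cipher.AEAD }

func newSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Session{aead: aead}, err
}

// Seal encrypts and authenticates one record; the random nonce travels in the clear ahead of it.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open rejects records that were modified in transit or sealed under a different session key.
func (s *Session) Open(record []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(record) < n {
		return nil, fmt.Errorf("record too short")
	}
	return s.aead.Open(nil, record[:n], record[n:], nil)
}

// ClientKeyExchange is the browser's step: generate a session key and encrypt it to the server's public key.
func ClientKeyExchange(pub *rsa.PublicKey) (*Session, []byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	sess, err := newSession(key)
	return sess, wrapped, err
}

// AcceptKey is the server's step: only the holder of the private key can unwrap the session key.
func (s *Server) AcceptKey(wrapped []byte) (*Session, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return newSession(key)
}

// Handshake runs the exchange end to end; the encrypted acknowledgment is what shows the client
// that the other end really holds the private key behind the public key it was sent.
func Handshake(srv *Server) (client, server *Session, err error) {
	client, wrapped, err := ClientKeyExchange(&srv.priv.PublicKey) // "the server sends its public key"
	if err != nil {
		return nil, nil, err
	}
	if server, err = srv.AcceptKey(wrapped); err != nil {
		return nil, nil, err
	}
	ack, err := server.Seal([]byte("finished"))
	if err != nil {
		return nil, nil, err
	}
	if _, err = client.Open(ack); err != nil {
		return nil, nil, fmt.Errorf("server acknowledgment failed: %w", err)
	}
	return client, server, nil
}

func main() {
	c, s, err := Handshake(NewServer())
	if err != nil {
		panic(err)
	}
	rec, _ := c.Seal([]byte("card=4111111111111111")) // constructed sample payload
	pt, err := s.Open(rec)
	fmt.Printf("server read %q, err=%v\n", pt, err)
}
```

The GCM tag is what makes the "encrypted acknowledgment" meaningful: a record that was tampered with, or that was sealed under a different session's key, fails in `Open` instead of decrypting to garbage, so the client learns that the party answering is the one that could unwrap the session key.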
Is my certificate SSL or TLS?
Every version of the SSL protocol encrypts and secures the transmitted data. As newer, more secure versions were released, only the version number changed to reflect it (e.g. SSLv2.0, SSLv3.0). When SSLv3.0 was superseded, however, the new version was not called SSLv4.0 but was renamed TLSv1.0. At the time this article was written the current version was TLSv1.2; TLS 1.3 (RFC 8446) has since been published and is now widely deployed.
Because the name SSL is still better known, it remains the more commonly used term, so many sources, DigiCert included, still say SSL when referring to certificates or describing how data is transferred securely. When you buy an SSL certificate from DigiCert (e.g. Standard SSL, Extended Validation SSL, etc.), you are actually getting a TLS certificate (RSA or ECC).
Do I need an SSL certificate?
If your site collects credit card information, you need an SSL certificate; this is a requirement of the PCI (Payment Card Industry) standards. If your site has a login or sends/receives other private information (street address, phone number, health records, etc.), you should use an Extended Validation (EV) SSL certificate to protect that data.
Your customers want to know that you value their security and take protecting their information seriously. More and more customers are becoming savvy shoppers, and building buyer trust is a priority for growing your business.
(Translated from the article What is an SSL certificate – Website: Digicert)