What is an SSL certificate
An SSL certificate is a digital certificate that authenticates the identity of a website and allows an encrypted connection. SSL stands for Secure Sockets Layer, a security protocol that creates an encrypted link between a web server and a web browser.
Businesses and organizations should add SSL certificates to their websites to protect online transactions and keep customer information private and secure.
In short: SSL keeps Internet connections secure and prevents criminals from reading or modifying information transferred between two systems. When you see a lock icon next to the URL in the address bar, that means SSL protects the website you’re visiting.
Since its inception some 25 years ago, there have been several versions of the SSL protocol, all of which at some point had security issues. A revamped and renamed version followed: TLS (Transport Layer Security), which is still in use today. However, the initials SSL stuck, so the new version of the protocol is still usually called by the old name.
How do SSL certificates work?
SSL works by ensuring that any data transferred between users and websites, or between two systems, remains unreadable. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. This data includes potentially sensitive information such as names, addresses, credit card numbers, or other financial details.
The process works like this:
- A browser or server tries to connect to a website (i.e. a web server) secured with SSL.
- The browser or server requests that the web server identify itself.
- The web server sends the browser or server a copy of its SSL certificate in response.
- The browser or server checks whether it trusts the SSL certificate. If it does, it signals this to the web server.
- The web server then returns a digitally signed acknowledgment to initiate an SSL-encrypted session.
- The encrypted data is shared between the browser or server and the web server.
This process is sometimes referred to as an “SSL handshake.” While it sounds like a long process, it takes place in milliseconds.
When a website is secured by an SSL certificate, the acronym HTTPS (which stands for Hypertext Transfer Protocol Secure) appears in the URL. Without an SSL certificate, only the letters HTTP will appear, i.e. without the S for secure. A lock icon will also be displayed in the URL address bar. This indicates confidence and provides peace of mind to those who visit the website.
To view the details of an SSL certificate, you can click on the padlock symbol located inside the browser bar. Details typically included in SSL certificates include:
- The domain name for which the certificate was issued
- Which person, organization, or device it was issued to
- Which certificate authority issued it
- The digital signature of the certificate authority
- Associated subdomains
- Certificate issue date
- Certificate expiration date
- The public key (the private key is not revealed)
Why you need an SSL certificate
Websites need SSL certificates to keep user data safe, verify website ownership, prevent attackers from creating a fake version of the site, and convey trust to
If a website asks users to log in, enter personal data like their credit card numbers, or view sensitive information like health benefits or financial information, then it’s essential to keep the data confidential. SSL certificates help keep online interactions private and assure users that the website is authentic and safe for sharing private information.
More relevant for businesses is the fact that an SSL certificate is required for an HTTPS web address. HTTPS is the secure form of HTTP, which means that HTTPS websites have their traffic encrypted by SSL. Most browsers label HTTP sites, those without SSL certificates, as “not secure.” This sends a clear signal to users that the site may not be trustworthy, incentivizing companies that haven’t migrated to HTTPS to do so.
An SSL certificate helps protect information such as:
- Login credentials
- Credit card transactions or bank account
- Personally identifiable information, such as full name, address, date of birth, or phone number
- Legal documents and contracts
- Medical records
- Property information
Types of SSL certificates
There are different types of SSL certificates with different levels of validation. The six main types are:
- Extended Validation Certificates (EV SSL)
- Organization Validated Certificates (OV SSL)
- Domain Validated Certificates (DV SSL)
- Wildcard SSL Certificates
- Multi-Domain SSL Certificates (MDCs)
- Unified Communications Certificates (UCCs)
Extended Validation Certificates (EV SSL)
This is the highest ranking and most expensive type of SSL certificate. It tends to be used for high-profile websites that collect data and involve online payments. When installed, this SSL certificate displays the padlock, HTTPS, company name, and country in the browser’s address bar. Displaying website owner information in the address bar helps distinguish the site from malicious sites. To set up an EV SSL certificate, the website owner must go through a standardized identity verification process to confirm that they are legally entitled to exclusive rights to the domain.
Organization Validated Certificates (OV SSL)
This version of the SSL certificate has a similar level of assurance to the EV SSL certificate because, to obtain one, the website owner must complete a substantial validation process. This type of certificate also displays the website owner’s information in the address bar to distinguish it from malicious sites. OV SSL certificates tend to be the second most expensive (after EV SSLs), and their primary purpose is to encrypt sensitive user information during transactions. Commercial or public websites must install an OV SSL certificate to ensure that any shared customer information remains confidential.
Domain Validated Certificates (DV SSL)
The validation process for obtaining this type of SSL certificate is minimal, and as a result, Domain Validation SSL certificates provide lower security and minimal encryption. They tend to be used for informational blogs or websites, i.e. they don’t involve data collection or online payments. This type of SSL certificate is one of the least expensive and fastest to obtain. The validation process only requires website owners to prove domain ownership by replying to an email or phone call. The browser’s address bar only shows HTTPS and a padlock without the company name being displayed.
Wildcard SSL certificates
Wildcard SSL certificates allow you to secure a base domain and unlimited subdomains in a single certificate. If you have multiple subdomains to protect, then purchasing a wildcard SSL certificate is much less expensive than buying individual SSL certificates for each of them. Wildcard SSL certificates have an asterisk * as part of the common name, where the asterisk represents any valid subdomain that has the same base domain. For example, a single wildcard certificate for *.yourdomain.com can be used to protect:
- login.yourdomain.com
- mail.yourdomain.com
- download.yourdomain.com
Multi-domain SSL certificate (MDC)
A multi-domain certificate can be used to secure many domains and/or subdomains. This includes combining completely unique domains and subdomains with different TLDs (top-level domains), except local/internal ones.
Multidomain certificates do not support subdomains by default. If you need to protect both www.example.com and example.com with a multi-domain certificate, both host names must be specified when obtaining the certificate.
Unified Communications Certificate (UCC)
Unified Communications Certificates (UCC) are also considered multi-domain SSL certificates. UCCs were initially designed to protect Microsoft Exchange and Live Communications servers. Today, any website owner can use these certificates to allow multiple domain names to be protected in a single certificate. UCC certificates are organizationally validated and display a padlock in a browser. UCCs can be used as EV SSL certificates to give website visitors the highest security through the green address bar.
It is essential to be familiar with the different types of SSL certificates to get the right type of certificate for your website.
How to obtain an SSL certificate
SSL certificates can be obtained directly from a certificate authority (CA). Certificate authorities, sometimes also referred to as certification authorities, issue millions of SSL certificates each year. They play a critical role in how the internet works and how transparent and trustworthy interactions can occur online.
The cost of an SSL certificate can range from free to hundreds of dollars, depending on the level of security you need. Once you decide on the type of certificate you need, you can look for certificate issuers, which offer SSL at the level you need.
Obtaining your SSL involves the following steps:
- Prepare by setting up your server and making sure your WHOIS record is up to date and matches what you are sending to the Certificate Authority (you must show the correct company name and address, etc.)
- Generate a certificate signing request (CSR) on your server. This is an action that your hosting company can help with.
- Send this to the Certificate Authority to validate your domain and company details
- Install the certificate they provide once the process is complete.
Once obtained, you need to set up the certificate on your web host or on your own servers if you host the website yourself.
How quickly you receive the certificate depends on the type of certificate you obtain and the certificate provider from which you obtain it. Each validation level takes a different period of time to complete. A simple domain validation SSL certificate can be issued within minutes of being requested, while extended validation can take up to a full week.
Can I use an SSL certificate on multiple
It is possible to use an SSL certificate for multiple domains on the same server. Depending on the provider, you can also use one SSL certificate on multiple servers. This is due to multi-domain SSL certificates, which we discussed earlier.
As the name implies, multi-domain SSL certificates work with multiple domains. The number is left to the specific issuing certificate authority. A multi-domain SSL certificate is different from a single-domain SSL certificate, which, again, as the name implies, is designed to protect a single domain.
To make things confusing, you might also hear multi-domain SSL certificates called SAN certificates. SAN stands for Subject Alternative Name. Each multidomain certificate has additional fields (that is, SANs), which you can use to list additional domains that you want to cover under one certificate.
Unified Communications Certificates (UCCs) and wildcard SSL certificates also allow multiple domains and, in the latter case, an unlimited number of subdomains.
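The name-matching rules behind the wildcard, multi-domain and SAN certificates described above, as an added example (not code from the original page). It follows the single-label wildcard rule of RFC 6125; the certificate name lists are constructed, and IP addresses and internationalized names are out of scope.

```python
from typing import List, Optional

# Constructed DNS-name lists, as they would appear in a certificate's SAN field.
WILDCARD_CERT = ["*.yourdomain.com", "yourdomain.com"]
MULTI_DOMAIN_CERT = ["example.com", "www.example.com", "example.net"]


def _matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name against a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False          # a wildcard stands for exactly one label
    if any("*" in label for label in p[1:]):
        return False          # "*" is only honoured in the left-most label
    if p[1:] != h[1:]:
        return False          # everything right of the first label must be equal
    if p[0] == "*":
        return len(p) >= 3    # refuse over-broad names such as "*.com"
    if "*" in p[0]:
        return False          # partial wildcards ("w*.example.com") are not matched
    return p[0] == h[0]


def covering_entry(hostname: str, dns_names: List[str]) -> Optional[str]:
    """Return the first certificate name that covers hostname, or None."""
    for name in dns_names:
        if _matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ("login.yourdomain.com", "yourdomain.com", "a.login.yourdomain.com"):
        print(host, "->", covering_entry(host, WILDCARD_CERT))
    for host in ("www.example.com", "mail.example.com"):
        print(host, "->", covering_entry(host, MULTI_DOMAIN_CERT))
```

The base domain is covered here only because it is listed as its own entry next to the wildcard, and a host two labels below the base domain is covered by neither.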
What happens when an SSL certificate expires?
SSL certificates expire; they don’t last forever. The Certificate Authority/Browser Forum, which serves as the de facto regulatory body for the SSL industry, states that SSL certificates must have a lifespan of no more than 27 months. This essentially means two years, plus up to three months that you can carry over if you renew with time remaining on your old SSL certificate.
SSL certificates expire because, as with any form of authentication, the information must be periodically revalidated to verify that it remains accurate. Things change on the internet, as companies and also websites are bought and sold. As they change hands, the information relevant to SSL certificates also changes. The purpose of the expiration period is to ensure that the information used to authenticate servers and organizations is as up-to-date and accurate as possible.
SSL certificates could once be issued for up to five years, which was subsequently reduced to three, and more recently to two years plus an additional potential of three months. In 2020, Google, Apple, and Mozilla announced that they would enforce one-year SSL certificates, even though this proposal was rejected by the Certificate Authority Browser Forum. This came into effect from September 2020. It is possible that in the future, the duration of validity will be further reduced.
When an SSL certificate expires, it makes the site in question inaccessible. When a user’s browser arrives at a website, it checks the validity of the SSL certificate in milliseconds (as part of the SSL handshake). If the SSL certificate has expired, visitors will receive a message to the following effect: “This site is not secure. Potential risk ahead.”
While users have the option to continue, it is not advisable to do so, given the cybersecurity risks involved, including the possibility of malware. This will have a significant impact on bounce rates for website owners, as users quickly click away from the homepage and go somewhere else.
Staying on top of when SSL certificates expire presents a challenge for larger companies. While small and medium-sized businesses (SMBs) may have one or just a few certificates to manage, enterprise-level organizations that potentially transact across markets, with numerous websites and networks, will have many more. At this level, allowing an SSL certificate to expire is usually the result of oversight rather than incompetence. The best way for larger companies to stay on top of when their SSL certificates expire is by using a certificate management platform. There are several products on the market, which you can find by an online search. This allows businesses to view and manage digital certificates across their entire infrastructure. If you use one of these platforms, it’s important to log in regularly so you can know when renewals are due.
If you allow a certificate to expire, the certificate becomes invalid and you will no longer be able to execute secure transactions on your website. The certification authority (CA) will ask you to renew your SSL certificate before the expiration date.
Whichever certificate authority or SSL service you use to obtain your SSL certificates will send you expiration notifications at set intervals, usually starting at 90 days. Try to ensure that these reminders are sent to an email distribution list, rather than to a single person, who may have left the company or moved to another role by the time the reminder is sent. Think about which stakeholders in your company are on this mailing list to ensure the right people see reminders at the right time.
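One way to read the certificate details listed earlier and flag upcoming expiry, as an added example (not code from the original page). SAMPLE_CERT is constructed in the shape Python's getpeercert() returns, the 90-day threshold is the reminder interval mentioned above, and fetch_cert needs network access.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 90  # reminder window taken from the text above

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA G1"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Run a verified handshake and return the server certificate as a dict.
    An expired or untrusted certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _field(name, wanted):
    """Pull one attribute out of a subject/issuer tuple of RDNs."""
    for rdn in name:
        for key, value in rdn:
            if key == wanted:
                return value
    return None

def summarize(cert, now):
    """Extract the fields a browser shows and classify the time left."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    status = "expired" if days_left < 0 else "renew" if days_left <= WARN_DAYS else "ok"
    return {
        "common_name": _field(cert.get("subject", ()), "commonName"),
        # organizationName is absent from domain-validated certificates
        "organization": _field(cert.get("subject", ()), "organizationName"),
        "issuer": _field(cert.get("issuer", ()), "organizationName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "expires": expires.date().isoformat(),
        "days_left": days_left,
        "status": status,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_CERT, datetime.now(timezone.utc)))
```

To check a live site, pass the result of `fetch_cert("your-host")` to `summarize` in place of SAMPLE_CERT.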
How to tell if a site has an SSL certificate
The easiest way to see if a site has an SSL certificate is by looking at the address bar in your browser:
- If the URL starts with HTTPS instead of HTTP, that means the site is secured by an SSL certificate.
- Secure sites display a closed padlock emblem, which you can click to see the security details. The most trusted sites will have green padlocks or address bars.
- Browsers also display warning signs when a connection is not secure, such as a red padlock, a padlock that is not closed, a line passing through the website address, or a warning triangle at the top of the padlock emblem.
How to ensure your online session is secure
Only send your personal details and online payment details to websites with EV or OV certificates. DV certificates are not suitable for e-commerce websites. You can tell if a site has an EV or OV certificate by looking at the address bar. For an EV SSL, the organization name will be visible in the address bar itself. For an OV SSL, you can view the organization name details by clicking the lock icon. For a DV SSL, only the lock icon is visible.
Watch for signs or indicators of trust on websites. In addition to SSL certificates, these include reputable logos or badges that show that the website meets specific security standards. Other signs that can help you determine if a site is real or not include verifying a physical address and phone number, checking its return or refund policy, and making sure the prices are credible and not too good to be true.
Stay alert to phishing scams. Sometimes cyber attackers create websites that mimic existing websites to trick people into buying something or logging into their phishing site. It is possible for a phishing site to obtain an SSL certificate and thus encrypt all traffic flowing between you and it. A growing proportion of phishing scams occur on HTTPS sites, fooling users who feel reassured by the presence of the padlock icon.
To avoid these types of attacks:
- Always examine the domain of the site you are on and make sure it is spelled correctly. The URL of a fake site may differ by a single character, for example, amaz0n.com rather than amazon.com. When in doubt, type the domain directly into your browser to make sure you’re connecting to the website you want to visit.
- Never enter logins, passwords, banking credentials, or any other personal information on a site unless you are sure of its authenticity.
- Always consider what a particular site offers, whether it looks suspicious, and whether you really need to register on it.
- Make sure your devices are well protected: Kaspersky Internet Security compares URLs with an extensive database of phishing sites and detects scams regardless of how “safe” the resource seems.
Cybersecurity risks continue to evolve, but understanding the types of SSL certificates to look out for and how to distinguish a secure site from a potentially dangerous one will help internet users avoid scams and protect their personal data from cybercriminals.