SSL Certificates Explained

If you want your server to communicate securely on the internet then you will need to get yourself an SSL certificate. But what is it and how does it work?
SSL certificates are designed to verify the identity of the server presenting the certificate and provide some initial security for the initial handshake phase of setting up an SSL/TLS communication between a client and server. The certificates are provided by certificate authorities who are responsible for validating the domain or business to which an SSL certificate is being provided. There are multiple levels of SSL certificates available that involve different levels of validation, features and warranty levels. When a certificate authority refers to the warranty level associated with an SSL certificate, it is referring to the amount it will cover in fraudulent credit cards activities that may result from the certificate authority failing to perform its checks correctly and mis-issuing an SSL certificate.
So let’s look at how an SSL certificate identifies your server.
When you apply for a certificate you need to provide an amount of information; what you provide is dependent on the level of validation required. The most basic level of validation is domain validation, and in this instance the Certificate Authority attempt to ascertain that the applicant is the owner of the domain name by having them respond to an email sent to one of a limited subset of email addresses associated with that domain.
If you were attempting to get an domain level SSL certificate for mydomain.com, you’d need to be able to access email sent to an address such as hostmaster@mydomain.com or webmaster@mydomain.com. These email addresses are usually reserved from third party use when domain owners let other people use subdomains of theirs, so it is deemed an acceptable check on who the owner of the domain is. In order to pass the validation test as the owner of the domain, you then need to be able to create a mailbox to receive email sent to the chosen email address and respond to it. This is the minimal level of identification required for a web browser to display a padlock icon in an address bar to show a secure connection.
The next level up is organization validation. In this case the applicant for the SSL certificate will need to provide their legal organization name, their business registration, address and domain. They will usually have the domain’s WHOIS information validated. As well as the previous level of domain validation taking place, the business will receive a telephone call to a verified business telephone number to confirm the business. Obviously the level of verification of whom the certificate is provided to increases the amount of trust that can be placed in the certificate, and web browsers will usually change the address bar colour to blue and include the business name in the address bar alongside the padlock icon to show this.
The top level of validation is extended validation. This level repeats much of what is outlined above, along with further checks as to the business premises existence, further telephone validation and cross referencing the business through other business databases. These certificates are the ones you see on almost every bank and business website where money is changing hands. In a web browser a site using these certificates will have the address bar coloured green as well as showing the registered business name and the padlock icon.
Once the application completes validation, the certificate authority then generates the certificate for the domain. This contains information such as the public encryption key for the server, details of the business or organisation the certificate was issued to, as well as details of the period for which it is valid. To verify the validity of the certificate the certificate authority also signs the certificate using their private key. All the certificate authorities have their own certificates which they publish containing their public keys. Using the public key on that certificate, the signature on the certificates issued by the authority for other domains can be verified and thus the certificate authenticated. Most software that deals with SSL certificates comes with a selection of the certificates for the certificate authorities to save the client from having to repeatedly download and verify their certificates each time.
Something to note here is that an SSL certificate only verifies a domain, not the server or IP address behind it. So an SSL certificate can be moved between servers where a domain is, eliminating the need to apply for a new certificate each time the domain is moved to a different server/IP, as long as its private key moves with it. Also, SSL certificates normally only identify a single domain; for example getting a certificate for mydomain.com won’t be valid for the subdomain www.mydomain.com. Wildcard SSL certificates can be purchased which are valid for a domain and any subdomains for it, but they are not verified to extended validation levels.
Chat to our tech support team about getting your SSL certificate in place.

SSL Certificates Explained

Popular This Week

What Is Tor?

Our Wireless Future

5 Ways To Get Your Geek On

What's In A Meme?

Copyright And The YouTube Battle

Recent posts

Make Hosting Easy With Managed Services & Support

How Data Analytics Can Help Fight Money Laundering

MySQL Tips And Tricks

How To Protect Servers Against Malware

5 Easy Ways To Reduce Latency