In the early days of the World Wide Web, all website requests and responses were transferred in “plain text.” This made them potentially viewable by digital eavesdroppers, which made it risky to transmit things like passwords, credit card numbers, and other sensitive and personal information.
In the mid-’90s, in order to enable ecommerce and support the web transfer of confidential information, Netscape developed a cryptographic protocol for web content delivery and connection authentication called SSL (Secure Sockets Layer), which later evolved into another protocol called TLS (Transport Layer Security).
While both protocols differ in terms of core algorithms, security, and the ports they support, they both function in generally the same way—by using a digital technology called an SSL certificate.
What is a Secure Sockets Layer (SSL) certificate?
An SSL certificate is a digital certificate that authenticates the identity of a website and enables an encrypted connection between a website and a browser. It is sometimes called an “SSL/TLS certificate” or simply a “cert.”
An SSL certificate supporting a TLS connection guarantees (a) the identity of the remote connection, and (b) that no one can read or modify the content shared over the secure connection except the sender and recipient. An SSL certificate acts both like a passport to verify the identity of the site owner who needs to support SSL, and like a key to support strong encryption.
SSL certificates are issued by organizations called certificate authorities, or CAs. A CA is a trusted organization that guarantees the identity of a website. They are trusted because they are few in number, well-known, and must clear high barriers to entry. There are just over 100 certificate authorities worldwide, and they are audited to be included as a trusted root by the vendors of web browsers and operating systems. Before issuing a certificate, the CA verifies the certificate requester’s information, like site ownership, name, location, and more, according to established industry standards. The CA also digitally signs the certificate with its own private key, enabling clients to verify it. For providing this service, most CAs charge a small annual fee (although free SSL certs are available from some web hosts and nonprofit CAs).
The actual SSL certificate is a small digital file, typically a few kilobytes, that is installed on the server supporting TLS and shared with others. This file contains:
- The domain name of the site for which the cert was issued
- The organization to which it was issued (the certificate holder)
- The name of the issuing CA
- The CA’s digital signature
- Any associated subdomains
- The certificate issue date and expiration date
- The public key (note: The private key is not shared)
Whenever you use a browser to connect to a URL beginning with “https,” or see the little padlock in the browser address bar, you know that you have a secure TLS connection verified by an SSL certificate issued by a CA. While this means connection to the site is secure, it does not necessarily mean that the site content is safe to use! Just because you can connect securely to a site doesn’t mean it’s not controlled by nefarious actors. If you click on the padlock your browser will display additional information about the certificate, the domain owner, and the connection.
How does an SSL certificate work?
An SSL certificate uses encryption algorithms to scramble data in transit. This ensures that any data transferred between a browser and a website remains impossible for a third party to read.
Secure communication over TLS relies on two certificates—one public, and one private—to create the secure connection.
When a browser attempts to connect to a website secured with TLS, that communication is established by a “handshake,” a back-and-forth exchange that takes only a few milliseconds. The steps in this handshake are:
- The client (browser) connects to the SSL-secured website (server).
- The client asks the server to identify itself.
- The server sends over a copy of its SSL certificate.
- The client examines the SSL certificate for trustworthiness and signals to the server if it passes.
- The server initiates a digitally signed agreement to start an SSL-encrypted session.
- Encrypted data now flows freely and safely between the browser and the server.
The initial handshake happens using asymmetric encryption, based on public and private keys. After validation, the client and server exchange temporary private keys, used only for the session. This allows for more efficient encryption and decryption.
Types of SSL certificates
- Domain Validated (DV) Certificate
- Organization Validated (OV) Certificate
- Extended Validated (EV) Certificate
Domain Validated (DV) Certificate
Cost: $0-$99 per year
A DV certificate involves only a minimal, automated identity verification, establishing only that the owner has control over the domain or subdomain. This is usually accomplished by email.
A DV certificate is the least expensive way to obtain a cert, and most free certificates are of this type. However, it represents the lowest standard of security. DV certs are useful for blogs, individual websites, small businesses, or any site with the most basic security needs.
Organization Validated (OV) Certificate
Cost: $100-$999 per year
An OV certificate offers a stronger guarantee of the identity of the bearer. In order to obtain an OV certificate, the purchaser must pass nine validation checks.
This is a mid-level business certificate, and the issuing CA guarantees that the organization affiliated with the certificate is valid and in good standing. This is a good approach for businesses not conducting financial or ecommerce transactions through their site.
Extended Validated (EV) Certificate
Cost: $1,000+ per year
An EV certificate represents the highest level of identity verification, most suitable for corporations, financial entities, and ecommerce sites. Sixteen validation checks are involved, including both legal identity and physical location.
The end user sees a green browser bar, indicating the highest level of verification, as well as additional corporate information behind the padlock.
What if you need to secure multiple domains?
A standard SSL certificate secures a single domain name. Many organizations wish to secure multiple subdomains on the same certificate (e.g., mail.example.com, shop.example.com), reducing costs and simplifying administration.
This can be accomplished using a wildcard SSL certificate, which secures the primary domain and multiple “subject alternative names” (SANs, representing the subdomains). SANs can also be added which support multiple domains; this is called a multiple domain certificate.
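The certificate fields listed earlier (domain, subdomains as SANs, issuing CA, issue and expiry dates) and the wildcard/SAN rules just described, as an added example that is not part of the original article: a Python script that applies the checks a browser makes on a server certificate, using a constructed sample in the dictionary layout Python's `ssl.getpeercert()` returns. The function names `fetch_peer_cert`, `hostname_matches`, `validity_period_ok` and `issuer_name` are chosen here, not taken from any library.

```python
import socket
import ssl
import time

# Constructed sample in the dict layout ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example CA Root"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def fetch_peer_cert(host, port=443):
    """Do the TLS handshake with CA verification on and return the server's certificate dict."""
    ctx = ssl.create_default_context()  # trusts the platform root store, like a browser does
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _pattern_matches(pattern, hostname):
    # A wildcard is only honoured as the whole left-most label and covers exactly one label,
    # so "*.example.com" matches "mail.example.com" but not "example.com" or "a.b.example.com".
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def hostname_matches(cert, hostname):
    """Browser-style name check: SAN DNS entries decide; the subject CN is a fallback only."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_pattern_matches(n, hostname) for n in names)

def validity_period_ok(cert, now_epoch=None):
    """True if now (seconds since the epoch, UTC) lies within [notBefore, notAfter]."""
    now = time.time() if now_epoch is None else now_epoch
    return ssl.cert_time_to_seconds(cert["notBefore"]) <= now <= ssl.cert_time_to_seconds(cert["notAfter"])

def issuer_name(cert):
    """Readable issuing-CA name built from the issuer RDNs (organization and common name)."""
    return " / ".join(v for rdn in cert["issuer"] for k, v in rdn if k in ("organizationName", "commonName"))

if __name__ == "__main__":
    print(hostname_matches(SAMPLE_CERT, "mail.example.com"), issuer_name(SAMPLE_CERT), validity_period_ok(SAMPLE_CERT))
```

Replace `SAMPLE_CERT` with the result of `fetch_peer_cert("your.host")` to run the same checks against a live server; a failed handshake there means the platform root store did not trust the certificate chain.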
How to get an SSL certificate
- Determine the level of security required: DV, OV, or EV. Review your organizational needs and budget and choose the level of identity verification appropriate.
- Determine the domains and subdomains to be supported. If you only have one, you may not need to obtain a wildcard certificate.
- Choose a certificate authority/provider. For lower-end needs, you may just need to work with your web hosting provider and obtain a free cert. Multi-domain and EV certs will involve a paid relationship with a certificate authority. Shop around.
- Request the certificate from the chosen provider. This generally involves filling out web forms and making payments.
- Verify domain ownership and other criteria. The CA will follow up to verify the information you submitted in your application, at a minimum requiring email verification of domain ownership.
- Obtain and install the certificate. This depends greatly on the CA you choose and your web platform. Generally, you will download a ZIP file containing three keys: the public key, the private key, and a certificate authority bundle. If you are working with a commercial web host, the administration console for your site will usually include tools for certificate installation. If you are working on your own hardware, closer to the operating system and web server, then follow the documentation for that environment.
- Configure other applications to use the certificate. If you intend to support SSL connections to other applications on your servers (e.g., WordPress, email, etc.), then you will need to configure them to use your certificate and the TLS protocol.
- Confirm your secure connection is working. Connect to your website and/or other apps and ensure that you have a secure connection. Click on the padlock and review the information displayed in your browser.
- Submit your site(s) to search engines. Your new "https" sites are distinct from your old "http" sites. If your users rely on search engines to find you, you will need to re-submit your new https URLs to those engines for indexing.
What is an SSL certificate FAQ
What is an SSL certificate and how does it work?
A secure sockets layer (SSL) certificate is used to authenticate the identity of a website and provide an encrypted connection between a website and a browser. SSL certificates are small digital files that contain information about a website's domain, where it was registered, to whom it was registered, when it was registered, and any associated subdomains.
What is the purpose of an SSL certificate?
An SSL certificate can guarantee the identity of the remote connection and that no one can read or modify content shared over a secure connection between a sender and recipient. This is crucial in ensuring the privacy of sensitive information like credit card numbers.
Is an SSL certificate necessary?
An SSL certificate is necessary for any website requiring users to enter personal information, but even if a website doesn’t require the entry of any information, SSL certificates are still highly recommended. This is because web browsers typically warn users of insecure websites, resulting in a huge loss of potential traffic without an SSL.
On top of this, unsecured websites are de-prioritized in search engine results, making it very difficult to bring traffic to your site without an SSL.
How do I get an SSL certificate?
- Determine the level of security required.
- Determine the domains and subdomains to be supported.
- Choose a certificate authority/provider.
- Request the certificate from the chosen provider.
- Verify domain ownership and other criteria.
- Obtain and install the certificate.
What is the difference between SSL and TLS?
Transport layer security (TLS) is the successor to SSL. Although TLS offers some improvements over SSL, the terms are often used interchangeably. Both protocols work in the same way, using encryption to secure the transfer of data between sender and recipient.
What types of SSL certificates are there?
- Domain Validated (DV) Certificate
- Organization Validated (OV) Certificate
- Extended Validated (EV) Certificate