We usually move around areas that we think of as safe, buy food and medicine in places that we know are reputable, and do financial transactions through trusted institutions. As the Internet grows and evolves, so do our lives around it. We are increasingly spending more time online, and just like in the real world, we want to make our estancia as safe as possible. Secure Socket Layer certificates (SSL) are a great help to achieve this goal. We will be diving in about what is an SSL certificate, why it is important, and how we can get one.
What Is an SSL Certificate?
SSL certificates are part of our everyday online experience. When we access an SSL-secured site, one of the first things we can notice is that the site’s URL begins with “HTTPS” instead of “HTTP” in the address bar; This is indicative that our web browser was able to validate the authenticity of the certificate.
Secure Socket Layer (SSL) is a standard security protocol that enables servers (websites) and clients to create an encrypted connection. On the other hand, an SSL certificate is a digital certificate that uses the SSL/TLS protocol to authenticate the source (server) and establish a secure communication session.
Note: After SSLv3.0, the protocol was renamed to TLSv1.0, referencing “Transport Layer Security.” We are currently on TLSv1.3; however, since SSL is still widely used, most certificate authorities continue referring to the protocol as SSL/TLS. We will be using SSL to refer to the protocol moving forward.
SSL allows sending sensitive information securely. The encryption is vital because usually, the data exchange between browsers and servers happens in plain text, which is especially problematic since it leaves the door open to malicious actors that can intercept the communication and steal your information. With an encrypted communication session, even if someone intercepts your connection, it will be almost impossible for the attacker to decrypt the data, making these attacks ineffective.
An SSL certificate helps secure critical information or data exchanges, such as the following:
- Login credentials
- Financial transactions
- Personal information (name, address, ID number, cell phone number, etc.)
- Medical records
- Proprietary information
- Legal documents
In the image below, we can visualize how a trusted certificate looks like:
How Is The Secure Connection Created?
The exact mechanics of how this protocol works are relatively easy and all the process is developed without the user even being aware. We can break it down into four steps:
- When we try to access an SSL-secured site, both the client (our browser) and the server establish a connection called “SSL Handshake”. This is the initial attempt to create a secure session.
- The server sends the certificate along with the public key.
- The browser verifies 3 things:
- If the certificate was issued by a trusted entity (Certificate Authority).
- If the certificate is not expired.
- If the certificate was issued to the website we are trying to access (the domain name matches).
- If all of the above is verified correctly (if not, we will get an error message about the site not being secured), the browser sends a session key to create a secure communication channel effectively. The server’s private key can only decrypt that session key. If the server can decrypt the key and send back an acknowledgment, then the secure session is started, and the session key is used to encrypt all the data exchange.
We can see a visual representation of the process here:
If during this process something goes wrong, we will see a screen like the following:
Types of SSL Certificates
Before ordering an SSL certificate, we need to ask ourselves: which level of protection is necessary for our website? That is critical in determining what type of SSL suits best for us. We will take a look at the existing categories and their uses.
1. Domain Validated SSL (DV)
This is the most simple of all, and it’s obtained only by verifying the ownership of the domain. It does not require information about the company. Several web hosting plans offer this type of SSL for free, but depending on the Certificate Authority (CA), it can go up to US$50.00 or US$100.00. The verification method can be by sending an email to the site’s associated address, doing a DNS verification, or a Domain Control Validation (which involves uploading a text file for validation over port 80). The last two methods are common to control panels such as cPanel.
These types of certificates are good for sites that don’t need the highest level of security, and will usually be enough for most eCommerce sites.
2. Organizationally Validated (OV)
OV SSLs add another layer of verification, as organizational details must be included within the certificate. The CA must validate this information (usually organization name, physical address, and domain ownership) and can take a few days. As such, these offer a considerable level of trust. One of the drawbacks of these certificates is cost. If the organization has several domain names, those are added as “addons” to the primary certificate to cover them and any related IP addresses. This can pose a considerable increase in the certificate’s final price.
3. Extended validation (EV)
EV certificates offer the highest level of security among SSL certificates. Usually, when visiting sites with this certificate, users can see the padlock and company name highlighted in green. These are the hardest to obtain as they require the following information to be verified:
- Legal Existence and Identity of the company.
- Assumed Name.
- Verification of Operational Existence.
- Verification of Physical Existence.
- Verification of Domain Ownership.
- Verification of the name, title, authority, and signature of the person requesting the certificate.
Of course, the main advantage is that you will have a widely recognized and trusted certificate, which in turn gives your clients the highest level of confidence.
We can find Multi-Domain SSL certificates on each of the aforementioned categories; with one significant distinction, we can pack several domains within one certificate. For instance, if we have “mysite.com,” “mysite.do,” and “mysite.net,” it would be tedious and potentially costly to issue a certificate for each of them when we can include them into the same certificate.
The same goes for the wildcards SSL certificates. Instead of listing specific domains, we have the option to include a domain and all subdomains. Let’s take “mysite.com” as an example. If I set up a wildcard certificate for “*.mysite.com,” every subdomain (even the ones that don’t exist yet) of mysite.com will be included in the certificate, and thus it will have SSL coverage.
How Do I Get an SSL Certificate?
The procedure to obtain an SSL certificate might differ depending on your hosting company, the hosting plan, or the Certificate Authority we chose. Still, generally speaking, we need to follow two steps:
1- Generate a Certificate Signing Request (CSR).
2- Purchase the certificate, which is done by the CA signing the CSR.
Let’s take a typical example. We want to order an SSL from www.nexcess.net for a domain hosted on a Linux server. We need to generate the CSR and the private key (and the public key, although this is optional). The private key must be kept safe, as anyone with this file would be able to install the SSL certificate on another server and potentially cause damage.
Note that you can set up the CSR from within Siteworx’s control panel. Otherwise, to generate the CSR along with the private key from terminal, we can run the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout /location/mysite.key -out /location/mysite.csr
Note: Substitute /location/mysite.csr and /location/mysite.csr with the actual location of the file. You can change the name “mysite” for your domain name. If you don’t specify the location, the files will be created in the current working directory.
After filling the form, we will be good to go. This is a sample of the required information to create the CSR:
Nexcess# openssl req -new -newkey rsa:2048 -nodes -keyout /etc/ssl/nexcess.key -out /etc/ssl/nexcess.csr
Generating a 2048 bit RSA private key
writing new private key to ‘/etc/ssl/nexcess.key’
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :Michigan
Locality Name (eg, city) [Default City]:Southfield
Organization Name (eg, company) [Default Company Ltd]:Nexcess
Organizational Unit Name (eg, section) :Linux
Common Name (eg, your name or your server’s hostname) :nexcess.net
Email Address :firstname.lastname@example.org
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password :
An optional company name :
Once the files are generated, we will see that the CSR has the following format:
—–BEGIN CERTIFICATE REQUEST—–
—–END CERTIFICATE REQUEST—–
Whereas the private key:
—–BEGIN PRIVATE KEY—–
—–END PRIVATE KEY—–
Upon confirming that the files are good, we can now order a new SSL certificate from within our portal:
We then have to paste the CSR in the textbox:
Lastly, we just need to wait for the verification, which for a DV certificate should be no more than a few minutes. The SSL certificate’s installation process is beyond the scope of this article, but no worries, we have you covered. Please note that OV and EV certificates can take days to be verified.
SSL certificates play a significant role in maintaining our client’s trust and privacy, as well as our site’s reputation. Most web browsers and search engines are punishing sites that don’t have an SSL certificate set up, using the narrative that these certificates help the Internet become a safer environment. We should always aim to put our client’s integrity and security above all, and this is one of the ways to do it.
We Can Help! If you need additional or more specific information about this topic, contact our support team by email or through your Client Portal for 24-hour assistance any day of the year.