Question: What are SSL certificates?
Answer: An SSL certificate is a file containing identifying data about an organization or other entity together with that entity's public key. The SSL certificate is the centerpiece of secure communication between a client and a server: it carries the public key used to encrypt data sent to the server, and the server holds the corresponding private key, which is the only key that can decrypt that data.
When used on a web server, the SSL Certificate is the digital identity of the organization or website you are visiting. It is cryptographically signed by a trusted CA (Certification Authority), which assures the client that the website really belongs to the organization the client thinks it is visiting. In other words, the SSL Certificate gives a company or organization a digital identity that binds it to a domain name.
When visiting a website with which you will exchange sensitive data, it is vital to check that the address in the URL bar starts with https and not http. Some browsers now hide the protocol by default, so you may need to click (or double click) in the address bar to see whether the protocol is https.
As you can see in the picture above, there is a gray padlock and the https protocol prefixed to the domain name. This example uses the Brave web browser, which requires a double click in the address bar to display the protocol.
If the website is not using the https protocol, the browser shows a warning instead.
If you have an X.509 SSL Certificate you would like to decode, visit our Certificate Decoder.
Why do I need an SSL certificate?
You have probably heard of Secure Sockets Layer (SSL), Transport Layer Security (TLS) and certificates. But it is likely you have no idea why you need an SSL certificate. What are SSL Certificates used for? Here are a few reasons:
- To provide secure communication between clients and your server, protecting credit card information, usernames and passwords, and any other sensitive information.
- To increase SEO ranking. With any SEO claim, you never know how a change will affect your rankings, but the word on the street is that SSL most certainly is affecting your rankings.
- To enhance trust from end-users. While there isn’t necessarily data to back this up, it is reasonable to expect that, as browsers push SSL harder and harder, users will come to expect a website to be backed by SSL. In other words, they will look for some indication that the site is secure, whether that is a green padlock, the https protocol, or simply the absence of a message stating the site is insecure.
How do SSL certificates work?
SSL certificates rely on asymmetric encryption to secure communication between two parties. The certificate holds the public key, which anyone can obtain, and the server holds the private key, which is known only to the server. The public key is used to encrypt data and the private key is used to decrypt it. If a hacker intercepts the data, it is still encrypted and therefore of no use to them.
How are SSL Certificates issued?
An SSL Certificate, also known as a TLS Certificate or PKI Certificate, is issued by a Certification Authority. The Certification Authority stores its private key on a Hardware Security Module. After you submit a CSR (Certificate Signing Request) to the Certification Authority, the issuing CA signs the certificate and makes it available to you for download and installation.
SSL Certificate wildcard
SSL certificates carry a common name (CN) that identifies the server. For server certificates this is an FQDN, such as example.com. Subject Alternative Names (SANs) list the other FQDNs the certificate will be installed for, for example example1.com and example2.com. For organizations that want to protect many servers and hosts under one domain with the same certificate, a wildcard certificate such as *.example.com is a good candidate.
How much does an SSL certificate cost?
SSL certificates are priced differently depending on the type (DV, OV, EV, wildcard, multi-domain, etc.) and the Certification Authority (CA).
Buy SSL certificates
These are just a few examples of trusted Certification Authorities (CAs) in no particular order. Read our article on generating a Certificate Signing Request (CSR) to submit to the CA as a part of your request.
What data does an SSL Certificate contain?
X.509v3 SSL Certificates are defined by RFC 5280. The certificate decoder in our SSL tools is educational in that it decodes each part of the certificate and links to the specific RFC 5280 section that describes that part.
The primary parts of the certificate include the following:
- Serial number – This value must be unique among the certificates issued by the same Certification Authority.
- Subject DN – Contains at a bare minimum the Common Name (CN). Additional values may be Organization (O), Organizational Unit (OU), Street, Locality, State, Postal Code, and Country.
- Issuer – The Subject DN of the issuing CA.
- Subject Alternative Names – This is a list of additional domain names secured by the same certificate.
- CRL Distribution points – The URLs where the CRL (Certificate Revocation List) can be found.
- Public Key Info – Includes the algorithm used to generate the asymmetric key pair, the key size and, for RSA keys, the public exponent and modulus.
- Basic Constraints
- Key Usages – The intended key usages of the certificate. For example, for digital signatures and key encipherment.
- Extended key usages – For example, server authentication and client authentication.
- Subject Key Identifier
- Authority Key Identifier
- Authority Information Access (AIA) – For example, the URL of the OCSP responder and the URL of the issuing CA certificate.
- Certificate Policies – Policies the SSL certificate is required to abide by.
- Signed Certificate Timestamps – Required by Certificate Transparency; they show which transparency logs the certificate was submitted to.
- Validity – The validity period of the SSL Certificate.
Again, for more information on the data described above, use our certificate decoder to inspect your certificate.
Where are SSL Certificates stored?
When discussing SSL Certificates and their storage, it is really the storage of the corresponding private key that is critical. The certificate is public by nature, so it needs no protection: it will be discoverable and broadcast to the public, and with the Certificate Transparency requirements for publicly trusted SSL Certificates this is inevitable.
The private key must be kept secure; otherwise an attacker who obtains it can decrypt all of the traffic to the website protected by your certificate. A keystore is a common location. The keystore should have a strong password that is stored separately from the keystore, preferably encrypted as well. The keystore is commonly in PKCS12 format, but may be JKS or another format.
How are SSL Certificates verified?
- The signature on the certificate must be verified.
- The current date must be after the not_before date and before the not_after date of the certificate.
- The certificate must not be revoked. Revocation checking can be performed by consulting the issuing CA’s Certificate Revocation List (CRL) or its OCSP responder.
- The certificate chain must be verified up to a trusted root.
These are the most basic verification checks, but other legal checks and attribute checks are also performed.
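The issuance and verification steps described here and in the "How are SSL Certificates issued?" and "SSL Certificate wildcard" sections above, as one added runnable example. This is not code from the original article or from any CA; it uses only Go's standard library crypto/x509 package. Everything in it is constructed for illustration: an in-memory root CA standing in for a real CA's HSM-backed key, a requester that generates its own key pair and sends a CSR carrying a CN and SANs (including a wildcard), the CA signing a 90-day server certificate from that request, a CRL issued by the CA, and a Verify function that applies the four checks listed above (chain signature, validity window, hostname against the SANs, and revocation). The function names NewCA, NewCSR, Issue, Revoke and Verify, the serial numbers and the example.com host names are all assumptions of this example, not anything the article or RFC 5280 prescribes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on errors that only a bug in this example could cause (key generation, encoding our own templates).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewCA builds a self-signed root: a constructed stand-in for a CA whose private key would live on an HSM.
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA", Organization: []string{"Example Corp"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		IsCA:                  true, // Basic Constraints: CA:TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign certificates and CRLs
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)))), key
}

// NewCSR is the requester's side: a fresh key pair and a self-signed request carrying the CN and the SANs.
// The private key never leaves the requester; only the CSR is sent to the CA.
func NewCSR(cn string, sans []string) (*ecdsa.PrivateKey, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}}, DNSNames: sans}
	return key, must(x509.CreateCertificateRequest(rand.Reader, req, key))
}

// Issue is the CA's side: parse the CSR, check its self-signature (proof that the requester holds the
// private key), then sign a 90-day server certificate built from the request's fields.
func Issue(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, serial int64, now time.Time) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("csr signature: %w", err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // unique per issuing CA
		Subject:               csr.Subject,        // Subject DN (CN, O) copied from the request
		DNSNames:              csr.DNSNames,       // Subject Alternative Names copied from the request
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(90 * 24 * time.Hour), // Validity
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // CA:FALSE, whatever the CSR may have asked for
	}
	return x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)))
}

// Revoke publishes a CRL listing one revoked serial, signed with the CA's cRLSign key.
func Revoke(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, now time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now,
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: now}},
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, caCert, caKey))))
}

// Verify runs the checks listed above: chain signatures back to a trusted root, the validity window
// at `now`, hostname match against the SANs (wildcards included), and a lookup in the CA's CRL.
func Verify(leaf, root *x509.Certificate, crl *x509.RevocationList, host string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now}); err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(root); err != nil { // a CRL is only as trustworthy as its signature
		return fmt.Errorf("crl signature: %w", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

func main() {
	now := time.Now()
	caCert, caKey := NewCA(now)
	_, csr := NewCSR("example.com", []string{"example.com", "*.example.com"})
	leaf := must(Issue(caCert, caKey, csr, 42, now))
	crl := Revoke(caCert, caKey, 7, now) // another certificate is revoked; serial 42 is still good
	fmt.Println(leaf.Subject, leaf.DNSNames, Verify(leaf, caCert, crl, "www.example.com", now), Verify(leaf, caCert, crl, "a.b.example.com", now))
}
```

Running it prints the subject, the SANs and two verification results: www.example.com is accepted through the *.example.com wildcard, while a.b.example.com is rejected because a wildcard covers exactly one label. Passing Verify a time beyond the 90-day NotAfter, or a CRL that lists serial 42 instead of 7, makes it return an error as well. The CRL's own signature is checked before it is consulted, because a CRL that nobody has verified could be swapped for one that omits the revocation.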
SSL Certificate Validation
There are three levels of validation a CA (Certification Authority) can perform on a certificate request before issuing a certificate for it. Click on each validation type for a deep dive into that type.
- Domain Validation (DV) – Validation is performed on the domain. Can be automated and is the quickest method.
- Organization Validation (OV) – Validation is performed on the organization and includes O= in the Subject DN of the issued SSL certificate.
- Extended Validation (EV) – DV + OV + additional validation which looks at the organization’s status as a legal entity.