What are SSL certificates? An SSL certificate is a file containing data about an organization or some other entity along with that entity's public key, signed by a Certification Authority. The SSL certificate is the centerpiece for providing secure connections between a client and a server: the client uses the public key in the certificate to confirm that it is talking to the server holding the matching private key, and the two sides then agree on session keys that encrypt the traffic. The server holds the corresponding private key, which never leaves it.
If you have an X.509 SSL Certificate you would like to decode, visit our Certificate Decoder.
Why do I need an SSL certificate?
You have probably heard of Secure Sockets Layer (SSL), Transport Layer Security (TLS) and certificates. But it is likely you have no idea why you need an SSL certificate. What are SSL Certificates used for? Here are a few reasons:
- To provide secure communication between clients and your server including credit card information, usernames and passwords, and any sensitive information.
- To increase SEO ranking. With any SEO claim you never know exactly how a change will affect your rankings, but Google has stated publicly that serving a site over HTTPS is a (lightweight) ranking signal.
- To enhance trust from end-users. Browsers now push SSL hard: Chrome, for example, labels plain HTTP pages "Not secure", so users increasingly expect a website to be served over HTTPS. In other words, they look for some indication that the site is secure, whether that is a padlock, the https scheme in the address bar, or simply not seeing a warning that the site is insecure.
How do SSL certificates work?
SSL certificates work with asymmetric (public-key) cryptography to let two entities authenticate each other and then communicate securely. The certificate holds the public key, which anyone may see, and the server holds the private key, known only to the server. During the TLS handshake the server proves that it possesses the private key: in TLS 1.3 and in modern TLS 1.2 cipher suites it signs handshake data with it, while in the older RSA key exchange the client instead encrypted a secret to the public key that only the private key could decrypt. The two sides then derive symmetric session keys that encrypt the actual traffic; the certificate's key pair is not used to encrypt the data itself. If an attacker intercepts the traffic they see only ciphertext, and without the private key they cannot impersonate the server.
How are SSL Certificates issued?
An SSL Certificate, also known as a TLS Certificate, X.509 certificate or PKI Certificate, is issued by a Certification Authority (CA). A publicly trusted CA keeps the private key it signs with in a Hardware Security Module (HSM). You generate a key pair on your own server and submit a CSR (Certificate Signing Request) to the CA; the CSR carries your public key and the names you want covered, while the private key stays with you. After validating that you control those names (and, for OV and EV certificates, the organization), the issuing CA signs the certificate and makes it available for you to download and install alongside your private key.
SSL Certificate wildcard
SSL certificates carry the names of the server they protect. Historically the common name (CN) in the subject identified the server by an FQDN such as example.com, but browsers and most TLS libraries now ignore the CN and match the hostname only against the Subject Alternative Name (SAN) extension. Every name the certificate must cover, including the one in the CN, therefore belongs in the SAN list, for example example.com, www.example.com and example1.com. For organizations that will be protecting many hosts under one domain with the same certificate, a wildcard certificate is a good candidate, like *.example.com. A wildcard matches exactly one label: *.example.com covers www.example.com and api.example.com, but not example.com itself and not a.b.example.com, so the bare domain is normally added as a separate SAN.
How much does an SSL certificate cost?
SSL certificates are different prices depending on the type (DV, OV, EV, wildcard, multi-domain, etc) and the Certification Authority (CA).
Buy SSL certificates
These are just a few examples of trusted Certification Authorities (CAs) in no particular order. Read our article on generating a Certificate Signing Request (CSR) to submit to the CA as a part of your request.
Where are SSL Certificates stored?
When discussing SSL Certificates and their storage, it is really the storage of the corresponding private key that is critical. The certificate itself is public by nature: it is sent to every client that connects, and publicly trusted certificates are also logged in Certificate Transparency logs, so there is nothing to hide.
The private key must be kept secret. An attacker who obtains it can impersonate your website for as long as the certificate is valid, and can decrypt recorded traffic from any connections that used RSA key exchange rather than a forward-secret (ECDHE) cipher suite; if the key leaks, revoke the certificate and issue a new one from a fresh key pair. A keystore is a common location. The keystore should be protected by a strong password stored separately from the keystore file, preferably in a secrets manager or itself encrypted. The keystore is commonly a PKCS#12 (.p12 or .pfx) file, but may be a Java KeyStore (JKS) or another format; on many web servers the key is simply a PEM file, which must be readable only by the account the server runs as. Where it is an option, keeping the key in an HSM or a cloud KMS means it never sits on disk at all.
How are SSL Certificates verified?
- The signature on the certificate must be verified with the issuing CA's public key, and the same check repeats for each certificate up the chain.
- The current date must be after the notBefore date and before the notAfter date of the certificate, for every certificate in the chain and not only the leaf.
- The certificate must not be revoked. Revocation checking can be performed by looking at the issuing CA's Certificate Revocation List (CRL) or by querying its OCSP responder (often the server delivers the OCSP response itself through OCSP stapling).
- Verification of the certificate chain: each certificate's issuer must be the subject of the next one, every intermediate must be marked as a CA, and the chain must end at a root the client already trusts.
- The hostname the client connected to must match one of the names in the certificate's SAN extension.
These are the most basic verification checks, but policy and attribute checks are also performed, such as key usage and extended key usage (serverAuth for a web server), name constraints and path length limits on the CAs in the chain, and, in some browsers, the presence of Certificate Transparency SCTs for publicly trusted certificates.
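To see these checks run end to end, here is an added example (it is not code from this page, nor from any CA's tooling) that uses the openssl command line to stand up a throw-away root CA, issue a server certificate from a CSR in the way described under "How are SSL Certificates issued?", and then run `openssl verify` against the wildcard rules from "SSL Certificate wildcard" and the checks listed above. "Example Root CA", example.com and the temporary working directory are placeholders, and the script assumes OpenSSL 1.1.1 or newer on PATH. Revocation is not exercised here, because producing a CRL needs the `openssl ca` machinery; the other four checks are.

```shell
#!/bin/sh
# Added example for this article (not the page's own code): build a
# throw-away PKI and run the verification checks with `openssl verify`.
# Assumes OpenSSL 1.1.1+. "Example Root CA" and example.com are placeholders.
set -eu

# Create root CA + server key/CSR + CA-signed certificate in directory $1.
issue_demo_pki() {
    dir=$1
    mkdir -p "$dir"

    # Root CA: self-signed and marked as a CA. A real CA keeps root.key in an
    # HSM; here it stays on disk only because this is a demo.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Root CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -days 3650 -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null

    # Server side: the private key never leaves the server; only the CSR
    # (public key + requested names) is handed to the CA.
    cat > "$dir/server.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
req_extensions = req_ext
[dn]
CN = example.com
[req_ext]
subjectAltName = DNS:*.example.com
EOF
    openssl req -new -config "$dir/server.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null

    # CA side: the CA, not the CSR, decides which extensions go into the
    # certificate. Only the wildcard is listed, to show what it does and
    # does not cover.
    cat > "$dir/server.ext" <<'EOF'
subjectAltName = DNS:*.example.com
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 365 \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_cert CAFILE CERT HOSTNAME [EPOCH_SECONDS]
# Runs the signature, chain, validity-period and hostname checks, prints
# OpenSSL's verdict and returns its exit status (0 = verified). An empty
# CAFILE means "trust nothing", which exercises the chain check.
verify_cert() {
    cafile=$1; cert=$2; host=$3; at=${4:-}
    set -- -verify_hostname "$host" "$cert"
    [ -z "$at" ] || set -- -attime "$at" "$@"
    if [ -n "$cafile" ]; then
        set -- -CAfile "$cafile" "$@"
    else
        set -- -no-CAfile -no-CApath "$@"
    fi
    openssl verify "$@" 2>&1
}

# Print a labelled verdict without aborting the script on a failed check.
show() {
    label=$1; shift
    printf '\n[%s]\n' "$label"
    verify_cert "$@" || true
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
issue_demo_pki "$workdir"
root="$workdir/root.crt"; cert="$workdir/server.crt"
later=$(( $(date +%s) + 400 * 86400 ))   # 400 days ahead: past notAfter

show "one label under the wildcard"                    "$root" "$cert" www.example.com
show "apex: not covered by *.example.com, CN ignored"  "$root" "$cert" example.com
show "two labels: a wildcard matches only one"         "$root" "$cert" a.b.example.com
show "same certificate, checked 400 days from now"     "$root" "$cert" www.example.com "$later"
show "no trust anchor: chain cannot be built"          ""      "$cert" www.example.com
```

Run it with sh. Each labelled block prints either `<path>: OK` or OpenSSL's error line (hostname mismatch, certificate has expired, unable to get local issuer certificate). The apex case is the one worth staring at: the CSR's CN says example.com, but because the certificate carries a SAN extension, OpenSSL, like the browsers, matches only the SAN list, and *.example.com does not cover the bare domain.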