Fundamentals of SSL - How SSL Certificates Work
SSL (Secure Sockets Layer), currently referred to as TLS (Transport Layer Security), is an internet encryption protocol that ensures secure online communications. While SSL is considered the legacy form of TLS, both acronyms are commonly used interchangeably.
Websites secured with SSL have an HTTPs web address. SSL/TLS secures communication channels between clients and servers to protect user data and prevent fraudulent activities. This is made possible with a process known as the TLS handshake. The TLS handshake involves the exchange of public keys between clients and servers. When a user lands on your website, the browser asks the server for the SSL certificate to authenticate the website and establish a secure communication channel over HTTPS.
Session keys are generated to uniquely identify and secure each session separately, which is essential for encrypting and decrypting the data after the handshake process. The same process takes place during DNS over HTTPS queries and API calls.
One of the key foundations of SSL/TLS is asymmetric encryption, which involves using unique public and private keys. The public key is made openly available by the server and encrypts data, while the message’s receiver decrypts it with the corresponding private key.
Asymmetric encryption adds multiple protection layers in critical communications to prevent malicious actors from accessing sensitive data. Beyond encryption, SSL/TLS authenticates the server’s identity to prevent tampering, providing protection for both user-submitted data and information retrieved from websites.
SSL Certificate
SSL Certificate Types
There are several types of SSL certificates, each serving different business requirements based on the size of the business. These include:
-
Single Domain SSL Certificates: A single domain SSL certificate applies to one domain only. They can’t be used to authenticate any other domain, including subdomains. All pages on the specified domain are secured with this certificate.
-
Wildcard SSL Certificates: A wildcard SSL certificate is designed for a single domain and all its subdomains. For instance, if google.com has a wildcard certificate, subdomains such as support.google.com and blog.google.com would also be secured with the same certificate.
-
Multi-Domain SSL Certificates (MDC): MDCs secure multiple domains using the same cryptographic digital certificate. This includes both unique domains and subdomains.
SSL certificates can also be classified based on their validation level as follows:
-
Domain Validated (DV) SSL Certificates: DV SSL certificates validate the domain’s ownership. A DV certificate is considered the most basic level of encryption for a website. However, the certificate verifies the person or entity that controls the domain, regardless of whether they own it.
-
Organisation Validated (OV) SSL Certificates: OV certificates go beyond the verification of DV certificates by verifying the legitimacy of the organisation behind the domain. It may not be visible that a website has an OV certificate in the address bar, but it does provide the needed communication encryption.
-
Extended Validation (EV) SSL Certificates: An EV SSL certificate is similar to an OV certificate but with a more rigorous vetting and verification process. Unlike OV certificates, EV certification appears in the address bar, which increases visitor trust.
Self-Signed SSL Certificates
A self-signed SSL certificate is a type of digital certificate that’s by the same entity that runs the website. In other words, a self-signed SSL certificate isn’t issued by a Certificate Authority (CA) and doesn't require the certificate authority's digital signature.
Many new website owners opt for self-signed SSL certificates because they’re easy to obtain. They’re also cost-effective as many self-signed SSL certificates are free.
However, despite their advantages, self-signed SSL certificates come with their own share of risks. First, they don’t comply with security updates. They also can’t be revoked, further questioning their reliability in protecting user data. Cyber security professionals agree that a self-signed SSL certificate isn’t enough to trust a website and poses significant security risks. They can, however, be used with caution in restricted servers and internal testing or other scenarios where keeping user data secure isn't the top priority.
Changes in the SSL Space
SSL Validity Period
As of September 1, 2020, industry standards have limited the maximum validity of SSL certificates to one year. Any SSL certificate purchased, renewed, or reissued after this date will have a maximum validity of one year. When an SSL certificate is no longer valid, visitors may see “Not Secure” warnings, and data exchanged over the site could be insecure.
However, the SSL validity period may be reduced again in the foreseeable future. In the CA/B Forum face-to-face meetings held in March 2023, Google announced that it’s planning to reduce maximum certificate validity to 90 days or roughly 3 months for all publicly trusted SSL/TLS certificates.
SSL Certificate Renewal
An SSL certificate can be renewed up to 90 days in advance of its expiration date. When renewing, it’s recommended that you create a new CSR (Certificate Signing Request) as this will create a new pair of keys for the certificate.
In case your website’s details were different in the CSR, it’s best practice to submit revised documentation for verification. Once the SSL certificate’s renewal is approved, you can install the renewed certificate.
SSL Certificate Expiration Check
To check for certificate expiration, follow these steps:
-
Tap on the padlock icon in the browser’s address bar
-
Choose “Connection is secure” then “Certificate is valid.”
-
Check the “Valid from…to…” property to confirm the certificate’s validity
SSL Best Practices
SSL Certificate Management
Among the SSL certificate management best practices that you should implement include:
-
Maintaining a comprehensive list of all SSL certificates used across your domains and subdomains to stay on top of expiration dates. Automating the certificate renewal process with Certificate Automation Manager tools to prevent extended downtime due to expired certificates.
-
Creating and enforcing internal policies for certificate issuance, renewal, and revocation for consistency.
-
Storing private keys securely using hardware security modules (HSMs) instead of storing them on individual devices.
-
Implementing Role-Based Access Control (RBAC) to maintain zero-trust and provide users with the lowest possible access privileges based on their roles.
SSL Encryption Standards
-
Use Transport Layer Security (TLS) version 1.3 or the latest version for optimal security and eliminate vulnerabilities as recommended by the Australia Signals Directorate.
-
Implement strong cipher suites that offer perfect forward secrecy (PFS) to prevent past sessions from being decrypted in case the server’s private key was lost or compromised.
-
Deploy Certificate Transparency (CT), which logs all certificates in your database and makes it easier to revoke compromised certificates.
-
Regular audits: Regularly assess your SSL configuration’s health and adherence to your internal policies and regulatory compliance standards.
GlobalSign
GlobalSign is a globally recognised Certificate Authority (CA) that specialises in providing robust SSL/TLS certificates. GlobalSign offers fully trusted X.509 SSL/TLS certificates that maintain a secure connection across browser/server and user/browser communication channels with an HTTPs connection. With industry-leading encryption and authentication, CodeBlue keeps your sensitive customer data safe. which ensure secure communication between users and websites.
Why Choose Commercial SSLs Over Complimentary SSLs?
-
Reliability: Commercial SSL certificates, like those from GlobalSign, are backed by a reputable CA. They undergo rigorous validation processes, ensuring their authenticity and reliability.
-
Wider Browser Compatibility: CA-issued SSLs are recognised by all major web browsers, whereas some free certificates (like Let’s Encrypt) may not be universally accepted.
-
Security: Commercial SSLs are compatible with security updates and provide the highest level of encryption for your website.
-
Compliance: Commercial SSL certificates are compliant with country-specific legislation and Cybersecurity data protection standards, such as GDPR (General Data Protection Regulation) in the European Union, PIPEDA (Personal Information Protection and Electronic Documents Act) in Canada, and CCPA (California Consumer Privacy Act) in the United States.
-
Extended Validation (EV) Certificates: Commercial EV certificates display the organisation’s name in the address bar, enhancing user trust.
-
Warranty: CA-issued SSLs come with warranties that cover financial losses due to certificate-related issues.
Commercial SSL Certificate Use Cases
-
Website security: SSL certificates protect your website and its visitors from eavesdropping, data interception, and tampering. They encrypt data transmitted between the user’s browser and your server.
-
Secure credit card transactions: E-commerce websites must use SSL to secure credit card transactions and prevent fraudulent activities.
-
Authentication: SSL certificates verify the identity of your website, enabling you to earn your users’ trust.
-
SEO Boost: Google considers SSL as a ranking factor. Websites with SSL certificates tend to rank higher in search results as they’re more trusted and credible.
-
Compliance: Many regulations (such as GDPR in the EU) require data protection. SSL helps meet these legal requirements.
How GlobalSign Can Help
GlobalSign offers comprehensive SSL certificate solutions for both internal and public servers. Our range of solutions include Extended Validation (EV), Organisation Validated (OV), Wildcard, and Multi-domain certificates, with support for up to 100 Subject Alternative Names (SANs).
GlobalSign SSL Benefits
-
Instant certificate issuance: Domains are pre-vetted, allowing for immediate issuance of certificates on demand.
-
Automated Certificate Management: GlobalSign Atlas is a pre-built platform for seamless certificate issuance and easy to integrate REST APIs.
-
Flexible configuration options: Supports various Key Usage (KU) and Extended Key Usage (EKU) settings, including ECC certificates for devices with limited resources.
-
Simple lifecycle management: Easily revoke, renew, reissue, or cancel certificates with a click, streamlining certificate management.
-
Cost efficiency: GlobalSign's Managed PKI platform reduces the total cost of ownership by lowering management hours needed and providing volume discounts and flexible payment terms.
-
Security features: Integrates SHA-256 hashing algorithm, offers underwritten warranties, and. provides compatibility with all major browsers and mobile devices.
-
Automated deployments: Supports APIs, Active Directory integration, and ACME protocol to automate certificate provisioning and management.
-
Visibility and compliance: Allows organisations to discover, monitor, and analyse all SSL certificates from one location, ensuring compliance with industry standards and enterprise policies.
-
Support and tools: Provides phone, email, and live chat support, along with a free certificate inventory tool and unlimited reissues.
How to Get an SSL Certificate
To obtain an SSL certificate for your website or organisation, follow these steps:
- Confirm Website Information: Use ICANN Lookup to verify your website's details, ensuring the certificate authority (CA) can validate your domain ownership.
- Generate a Certificate Signing Request (CSR): A CSR is a cryptographic file that hosts your website's details and public key. You can create a CSR using tools provided by your web server or host.
- Submit CSR to a Certificate Authority: Choose a reputable CA like GlobalSign and submit your CSR for validation. The CA will authenticate your domain ownership and issue the SSL certificate.
- Install the Certificate: Once you’ve received the SSL certificate from the CA, install it on your web server. Most web hosts offer a help wizard that will make the installation process easier.
SSL certificate Price
GlobalSign offers 3 levels of validation. Domain Validated (DV) certificates provide essential encryption for websites at $409 AUD per year. They’re issued within minutes, making them a great choice for personal websites or blogs. Additionally, GlobalSign's DV certificates support wildcard functionality and can secure up to 100 Subject Alternative Names (SANs), offering flexibility for users with multiple domains or subdomains.
On the other hand, businesses seeking a higher level of assurance and credibility, GlobalSign provides Organisation Validated (OV) certificates priced at $579 AUD per year. Features include complete business authentication and support for wildcard functionality and up to 100 SANs.
For those prioritising the utmost level of trust and security, GlobalSign offers Extended Validated (EV) certificates at a price point of $989 AUD per year. EV certificates not only display the padlock icon but also prominently showcase the company name in the browser's address bar, signalling the highest level of authentication and trust to users.
EV certificates are suitable for e-commerce platforms, financial institutions, and other entities frequently targeted by phishing attacks. Like the other certificate types, GlobalSign's EV certificates support wildcard functionality and up to 100 SANs, ensuring comprehensive coverage for complex web environments.
Ready to Start Protecting Your Website and Establish Online Trust?
Contact us now to discuss your requirements and explore our diverse range of SSL certificate solutions.