What is an SSL certificate & how does it work

What is an SSL certificate?

SSL (Secure Sockets Layer) is the common name for TLS (Transport Layer Security), a security protocol that enables encrypted communications between two machines. An SSL certificate is a small data file leveraging this security protocol to serve two functions:

1. Authentication – SSL certificates serve as credentials to authenticate the identity of a website. They are issued to a specific domain name and web server after a Certificate Authority, also known as a Certification Authority (CA), performs a strict vetting process on the organization requesting the certificate. Depending on the certificate type, it can provide information about a business or website's identity and authenticate that the website is a legitimate business.
2. Secure data communication - When SSL is installed on a web server, it enables the padlock to appear in the web browser. It activates the HTTPS protocol and creates a secure connection between the server and a browser. It enables use of encryption algorithms to scramble the data in transit into an indecipherable format that can only be read with the proper decryption key.

Web browsers only show the secure indicators for SSL signed by a trusted Certificate Authority, like Sectigo. To become a trusted CA, a company must comply with and perform regular audits for the security and authentication process standards established by the leading browsers and the industry standards body called the CA/Browser Forum. When a trusted CA issues a certificate to an organization, the browser will recognize the certificate as legitimate. The browser lets the user know that the web address is secure, and the user can safely browse the site and enter personal information.

How do SSL certificates work?

All digital certificates are examples of Public Key Interchange, or PKI. At its most basic, PKI depends on a pair of interdependent keys, a public key and a private key. The public key is used to encrypt information, and the private key is used to decipher it. SSL works by making the public key available through the publicly accessible website. In contrast, the private key remains secured on the web server so that any data submitted from the website where the public key is located can only be deciphered by the site owner, creating a secure 1:1 communication.

When a person visits a site with an SSL certificate, a "handshake" occurs to create a secure channel between the user and the organization and protect any data submitted on the website from being compromised. Here's how the handshake process works in real-time:

1. A client system such as a popular web browser connects to a server secured with an SSL/TLS certificate.
2. The browser sends a request to the server to identify itself.
3. The server sends back a copy of its SSL certificate, including type, validity period, and organizational details.
4. The browser checks whether it trusts the certificate and sends an approval back to the server. If the certificate is not installed, not up-to-date with the proper security protocols, or not issued by a CA trusted by the browser, the user will see a warning message in the browser's address bar.
5. The server sends back a digitally signed acknowledgment to start an SSL encrypted session.
6. Any data shared between the browser and the server is now secure. If a hacker intercepts the communication, it will remain encrypted with a cryptographic code that cannot be decrypted.

What is the difference between SSL vs TLS?

TLS is an updated version of SSL that provides advanced encryption options, however the two acronyms are often referred to as having the same meaning.

Secure Sockets Layer (SSL) was the name of the first cryptographic protocol established to ensure the identity of a server connected across the open internet. This protocol was created in 1995 to enable e-commerce on the web. SSL 2.0 was the first version of the protocol to be used in production systems, and it was soon superseded by SSL 3.0. After version 3.0, standards bodies superseded SSL with a more advanced protocol called Transport Layer Security (TLS). However, by that point the term SSL was in common parlance, and so it continues to persist as the de facto name for TLS.

Although certificates do not themselves perform encryption, standards-based client and server software require the presence of one for encryption to take place. This requirement is in recognition of the fact that without a reliable identity for the party on the other side of a connection, encryption itself offers no protection. Today’s options for encrypting a TLS session include RSA (Rivest-Shamir-Adleman), ECC (Elliptic Curve Cryptography), and DSA (Digital Signature Algorithm).

What are the different types of SSL certificates?

There are different types of TLS certificates available, including:

• Domain Validation (DV) - easiest and most cost-effective way to receive industry-standard encryption
  
• Organization Validation (OV) - a step up from DV where an organization must be a legally registered business and prove they own the domain
• Extended Validation (EV) - industry standard for business websites which provide the highest level of trust

Other variations of certificates include Wildcard SSL certificates (for a main domain and its subdomains), Single Domain (for a main domain and a single subdomain), and Multi-Domain (used to secure multiple domains).

How are they used?

SSL certificates are an essential part of any website’s cybersecurity measures. Millions of websites use SSL to secure browsing on their websites. Not only does enabling HTTPS on all websites provide consumers trust that the website is legitimate and is safe to browse or transact on, but it has also been mandated by the leading browsers such as Google Chrome. Sites without a certificate will display a ''Not Secure'' warning in the address bar.

The growth of global websites, mobile, and internet-connected devices has also expanded the use well beyond just e-commerce. Anyone who needs to share data between devices over the internet securely requires an SSL certificate. It is most commonly used to secure:

• Online credit card transactions
• Web forms and customer logins
• Email and webmail applications
• Corporate communications through intranets, file sharing, extranets, and internal servers
• Cloud-based platforms and virtualized applications
• File transfers over FTP
• Data transfer to and from mobile devices

If a website URL starts with HTTPS:// and there is a padlock icon in the address bar, then the website is using a secure TLS/SSL connection.

What are the benefits?

The primary importance of installing an SSL certificate is to initiate a secure session between a web server and a browser. Once a secure connection is established, all information passed between the web server and the visitor will be kept private and encrypted

Other SSL advantages:

• Increases customer’s trust. The padlock assures customers that their information will not be compromised. The data will be sent to the intended target servers, and it will not be redirected to unauthorized third parties.
• Protects sensitive information against phishing attacks. Phishing sites are fraudulent copies of famous websites whose purpose is to trick you into submitting valuable information like your credit card or social security numbers. Extended validation certificates protect you against phishing attacks by showing the full business name of the website owner in the address bar. Phishing site operators cannot obtain an EV certificate due to the extensive validation requirements.
• Better search engine rankings. HTTPS is considered as a ranking signal by one of the biggest search engines in the world, Google.

How to install an SSL certificate

There are 3 simple steps for installing an SSL certificate on a website:

1. Purchase a certificate issued by a trusted CA - Trusted certificates can be bought from your web-host or direct from a trusted CA. Certificates from a trusted CA will be recognized by all popular internet browsers used by your visitors (Chrome, Firefox, Internet Explorer, Safari, etc).
2. Activate and install the certificate - If you bought your certificate from your web-host then they can do this step for you. If you are managing the site yourself then the two steps you need to complete are to generate a certificate signing request (CSR) and then to install your certificate. We have a range of documents to help complete both tasks on different web server software in our knowledge base.
3. Convert your whole site to HTTPS - After installing your certificate on your target pages, modify your site so that all content is served securely.

Next steps

If you need more information on how SSL certificates work or choosing the right one for your website, contact Sectigo.

Want to learn more? Get in touch to book a demo of Sectigo Certificate Manager!

Related posts:

The evolving SSL/TLS certificate lifecycle & how to manage the changes

7 reasons to shorten SSL certificate validity periods

SSL certificate FAQs: Your comprehensive guide from basics to advanced principles