Definition: What Is an SSL Certificate?
An SSL certificate is a digital certificate that provides authentication for a website. SSL stands for Secure Sockets Layer, a standard protocol that enables an encrypted connection between a web server and a web browser.
In other words, the SSL certificate is used to ensure internet security by preventing any third party with malicious intent from intercepting, reading, or modifying any information transmitted.
A perfect use case for using SSL certificates is an online store. Usually, they have a lot of transactions containing personally identifiable information and credit card information. Without SSL certificates, this sensitive data would be exposed to a third party.
What Information Does a Certificate Contain?
An SSL certificate contains different identity information per the X.509 standard, which is typically what all TLS/SSL certificates use. The certificate will include the following data:
- Serial Number: Used to uniquely identify the certificate.
- Subject: The person or entity identified.
- Signature Algorithm: The algorithm used to create the signature.
- Signature: The actual signature to verify that it came from the issuer.
- Issuer: The entity that verified the information and issued the certificate.
- Valid-From: The issue date of the certificate.
- Valid-To: The SSL certificate expiration date.
- Key-Usage: Purpose of the public key (e.g., encipherment, signature, certificate signing).
- Public Key: The public key.
- Thumbprint Algorithm: The algorithm used to hash the public key certificate.
- Thumbprint (also known as fingerprint): The hash itself, used as an abbreviated form of the public key certificate.
Why Do You Need an SSL Certificate for Your Website?
You need an SSL certificate to verify the ownership of your website and prevent attackers from creating a copy of your website. More importantly, it conveys trust to your users.
Using an SSL certificate will help you secure critical components of your website, such as:
- Authentication information
- Payment information such as credit card details
- PII (personally identifiable information)
- Legal and medical documents
For businesses, SSL certificates are a must-have since they are the only way to have an HTTPS address. Modern browsers will tag websites that do not have an SSL certificate as being “Not Safe”, which can be very detrimental to a business, so having HTTPS in the address is a must.
Types of SSL Certificates
There are several types of SSL certificates, but these six are the most important:
Extended Validation Certificates (EV SSL)
This is perhaps the best type of SSL certificate you can get. Although it is pricey, it’s the most common one you find on high-profile websites, especially since they deal with personally identifiable information and credit card details. You can tell if a website has an EV SSL by looking at the padlock in the address bar since it will display the owners’ information there.
Getting an EV SSL certificate usually involves going through an ID verification process to confirm that the applicant owns the domain or is legally authorized to use the domain name.
Organization Validated Certificates (OV SSL)
Like the EV SSL, the OV SSL certificate provides the same level of security, as the owner has to go through a similar vetting process to obtain it. The main difference between the two is price: OV SSL tends to be less expensive since it usually deals with only personal information.
Domain Validated Certificates (DV SSL)
These are easier to get than the OV SSL or the more expensive EV SSL since they don’t require a detailed vetting process, nor are they expensive. These are the most common ones that you see on personal blogs and simple websites. In short, a DV SSL certificate can be used wherever there’s no data transfer between the user and the website. These certificates do not display any information about the owner in the address bar but do display an HTTPS padlock symbol.
Wildcard SSL Certificates
These SSL certificates are fairly common and easy to use since they allow you to secure a base domain such as https://greatcars.com/, as well as any subdomains you might have such as https://blog.greatcars.com/ or https://payment.greatcars.com/.
Multi-Domain SSL Certificates (MDC)
MDC certificates can be used to secure multiple domains and subdomains at once. The only caveat is that the user has to declare each domain and subdomain, including domains that use www. and those that don’t. For example, the user would have to secure www.greatcars.com as well as greatcars.com.
Unified Communications Certificates (UCC)
UCC are also considered Multi-domain SSL certificates (MDC). While they were once used to secure Microsoft Exchange and Live Com Servers, any website can now use these certificates to secure multiple domains under one certificate.
UCC certificates are validated by the same organization. They can be used as an EV SSL to display the green padlock in the address bar, thus ensuring a greater level of trust.
How to Get a Certificate
SSL certificates are issued by a Certificate Authority (CA). These CAs can either provide certificates for free or charge upwards of 500 USD for each certificate, depending on the level of security these will provide.
Once you’ve selected the SSL certificate you want, you will have to install the certificate on your server. More often than not, this is not a simple task but it depends on the provider.
How SSL Works
Once you install an SSL certificate, you’ll immediately see that your URL will be accessible through HTTPS instead of HTTP. Although this process can be simple, oftentimes you’ll have to double-check every resource you are loading to your page to ensure that you aren’t requesting anything over HTTP.
SSL works by adding an extra level of security to the communication by using a handshake. The SSL handshake is a type of encrypted communication between the web server and the browser that allows the public key to be sent and verified.
The public and private keys used for SSL are long strings of characters that are used to encrypt and decrypt data going back and forth between the server and client. The certificate itself will use the public key to get the information from the server while the private key, which is kept in a secure location, will be used to validate the request, allowing the server to respond to the request.
The SSL certificate validation process between a web server and a browser works like this:
1. The browser (or client) sends a message which includes the client’s SSL certificate version number, cipher settings, session-specific data, and other information that the server needs to allow an encrypted session.
2. The server then proceeds to respond with a “server hello” message. This includes the server’s SSL version number, cipher settings, session-specific data, an SSL certificate with a public key, and other information that the client needs to communicate with the server over SSL.
3. The browser checks the server’s SSL certificate from the Certificate Authority and authenticates the server. If the authentication fails, then the client refuses the SSL connection and throws an error. If the authentication succeeds, the process advances to step 4.
4. The client creates a session key, encrypts it with the server’s public key, and sends it to the server. If the server has requested client authentication, the client sends its own SSL certificate to the server.
5. The server decrypts the session key with its private key and sends the acknowledgment to the client encrypted with the session key.
How to Tell If a Website Has an SSL Certificate
The easiest way to tell if a connection is secure is to look for the HTTPS icon next to the address bar of your favorite browser. You can also check if there’s an HTTPS instead of HTTP in front of the domain name. If it’s there (and usually green) that means that the website connection is secure.
If you can’t see it, or if it’s red, it means that the certificate is invalid, expired, or has an error.
SSL Certificate Errors
An SSL certificate error occurs when the browser cannot verify the SSL certificates returned by the web server. If this occurs, the browser will block the website from exchanging any information and display an error like the one below:
The most common SSL certificate errors are:
- An intermediate SSL certificate is missing. This is usually the result of a poor certificate installation or website administrator mismanagement.
- The website has a self-signed certificate. While this is an acceptable common practice in development environments, these self-signed certificates can’t work on commercial projects.
- A mix of HTTP and HTTPS requests. Even if the certificate is valid, the website might still throw an error if there’s an unsecured HTTP request in the code.
- SSL certificate name mismatch error. While the certificate should match the domain, there are cases where certain certificates need to be issued for both domains – those that include www. and those that don’t.
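The wildcard, multi-domain and name-mismatch cases above all come down to how a browser compares the requested hostname with the names listed in the certificate. The following is an added example, not code from the original page: it applies the standard rule that `*` stands for exactly one leftmost label, so the bare domain and deeper subdomains are covered only if they are listed themselves. The SAN lists and the `api.payment` hostname are constructed for illustration.

```python
# Added example: which hostnames does a certificate's name list actually cover?

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def name_matches(pattern, hostname):
    """True if one certificate name (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole leftmost label, and only when at
        # least two concrete labels follow (rejects names like "*.com").
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as "b*.example.com" are rejected outright.
    return "*" not in pattern and p == h

def covering_name(san_dns_names, hostname):
    """Return the first SAN entry that covers hostname, or None (mismatch)."""
    for pattern in san_dns_names:
        if name_matches(pattern, hostname):
            return pattern
    return None

def audit(san_dns_names, hostnames):
    """Map each hostname the site serves to the SAN entry that covers it."""
    return {h: covering_name(san_dns_names, h) for h in hostnames}

# Constructed SAN lists for the page's example domain (not real certificates).
WILDCARD_ONLY = ["*.greatcars.com"]
WILDCARD_PLUS_BASE = ["greatcars.com", "*.greatcars.com"]
MULTI_DOMAIN = ["greatcars.com", "www.greatcars.com"]

# Hostnames the hypothetical site serves; the last one is two levels deep.
SERVED = ["greatcars.com", "www.greatcars.com", "blog.greatcars.com",
          "api.payment.greatcars.com"]

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + base", WILDCARD_PLUS_BASE),
                        ("multi-domain", MULTI_DOMAIN)]:
        print(label)
        for host, san in audit(sans, SERVED).items():
            verdict = "covered by " + san if san else "NAME MISMATCH"
            print(f"  {host:28} {verdict}")
```

Running the audit against every hostname a site serves before installing a certificate shows which names would produce a mismatch error in the browser.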
What Happens When an SSL Certificate Expires or Is Invalid?
If the certificate is invalid or has expired, the browser will most likely display an error message (similar to the one displayed above), as well as having the HTTPS text crossed out in the address bar.
How to Ensure Website Security: Monitoring SSL Certificates
Keeping an eye on your SSL certificates is always a good idea, as an unsecured website can result in a perceived lack of trustworthiness among its users. Not to mention the SEO penalties, since most search engines use whether or not a website has a security certificate as a criterion in their search ranking algorithm.
While checking if a website has a valid SSL certificate is rather simple, monitoring is a bit different – you have to use a third-party tool to monitor your website security certificate.
There are many SSL monitoring tools available, but you’ll want to get one such as Sematext Synthetics, which alerts you whenever the certificate fails regardless of the reason. This allows you to make sure you never get a penalty for not having a valid certificate and that any third-party solutions you might use will continue to function properly.
SSL Certificate Monitoring with Sematext
Sematext Synthetics is a solution that allows you to monitor your websites’ performance, APIs, SLAs, SSL certificates, and much more.
Sematext Synthetics’ Browser monitor performs the following SSL certificate checks on all the certificates in the chain – the leaf, intermediate, and root certificates.
- Certificate Validation – Check the validity of the SSL certificates of your websites. The monitor uses an actual Google Chrome browser to load your websites like your user. This will catch all the errors mentioned above and will alert you immediately before your end-user sees it.
- Certificate Expiry – Check the expiry date of all your certificates every day and alert you 28, 14, 7, and 3 days before they expire.
- Certificate Change – Check for certificate change every 10 minutes and alert you on detecting any changes, with a detailed change report.
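The expiry and change checks in the list above reduce to a date comparison against Valid-From and Valid-To and a fingerprint comparison against a stored baseline. The following is an added example, not Sematext's code: the certificate dictionaries follow the shape returned by Python's `SSLSocket.getpeercert()`, and the chain, the byte strings standing in for DER data, the baseline and the `NOW` timestamp are all constructed.

```python
import hashlib
import ssl
from datetime import datetime, timezone

ALERT_DAYS = (28, 14, 7, 3)  # warning thresholds quoted in the list above

def _ts(cert_time):
    # Parse the "Jun  8 00:00:00 2025 GMT" format used by getpeercert().
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time),
                                  tz=timezone.utc)

def expiry_status(cert, now):
    """Return 'not yet valid', 'expired', 'alert:<N>' or 'ok'."""
    if now < _ts(cert["notBefore"]):
        return "not yet valid"
    not_after = _ts(cert["notAfter"])
    if now >= not_after:
        return "expired"
    remaining = (not_after - now).days
    crossed = [d for d in ALERT_DAYS if remaining <= d]
    return f"alert:{min(crossed)}" if crossed else "ok"

def fingerprint(der_bytes):
    # Thumbprint: a hash over the whole DER-encoded certificate.
    return hashlib.sha256(der_bytes).hexdigest()

def check_chain(chain, baseline, now):
    """chain: (role, cert_dict, der_bytes) tuples; baseline: role -> fingerprint."""
    report = {}
    for role, cert, der in chain:
        # A role with no stored baseline is treated as first sight, not a change.
        changed = baseline.get(role) not in (None, fingerprint(der))
        report[role] = (expiry_status(cert, now), changed)
    return report

# Constructed sample data; in real use the DER bytes would come from
# getpeercert(binary_form=True).
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
CHAIN = [
    ("leaf", {"notBefore": "Mar 10 00:00:00 2025 GMT",
              "notAfter": "Jun  8 00:00:00 2025 GMT"}, b"constructed-leaf-v2"),
    ("intermediate", {"notBefore": "Jan  1 00:00:00 2020 GMT",
                      "notAfter": "Jan  1 00:00:00 2030 GMT"}, b"constructed-int"),
    ("root", {"notBefore": "Jan  1 00:00:00 2000 GMT",
              "notAfter": "May 30 00:00:00 2025 GMT"}, b"constructed-root"),
]
BASELINE = {"leaf": fingerprint(b"constructed-leaf-v1"),
            "intermediate": fingerprint(b"constructed-int")}

if __name__ == "__main__":
    for role, (status, changed) in check_chain(CHAIN, BASELINE, NOW).items():
        print(f"{role:13} {status:14} changed={changed}")
```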
Sematext Synthetics has a 14-day free trial where you can test all the features without having to commit to anything.