How do SSL Certificates work?

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 4.20 out of 5)
Loading...

A brief description of what SSL is, what it does and how it works

You may have heard you need an SSL certificate, but you might not be sure what it is or what it does. No problem. We’re here to help you. 

An SSL certificate accomplishes two things. 

  1. Encryption: It enables an encrypted connection between a client (web browser) and a web server (website). It protects the communication between individuals and websites. Without this, the entire data transferred would be out in the open – vulnerable to getting intercepted, stolen, or manipulated. 
  1. Authentication: Authentication is what lets a web browser know that a site is who it says it is. When you visit a website, what is the guarantee that your data is routed to the intended website’s server and not redirected to any other website? An SSL certificate authority verifies the identity of the server before issuing a certificate to the website. The applicant must prove that they control the domain and the public key supplied by them really belongs to the server where the website is hosted.  

Visual Indicators

The SSL certificate enables signs such as a green address bar, a padlock, ‘HTTPS’ prefix, etc. Such signs help you identify if the website you’re on is genuine and secure or not. The nature of such trust signs depend upon the validation level of the SSL certificates and the web browser you are using 

For example, 

Google Chrome and Firefox

Internet Explorer 

What if I don’t have an SSL/TLS certificate on my website? 

All browsers want to protect their users. So, they will show a pesky “Not secure” sign in front of the domain name if the website doesn’t use an SSL certificate. When someone clicks on “Not secure,” they would see an alert message as shown in the example below: 

Website is not secure indicators
A screenshot of a cell phone

Description automatically generated

Types of SSL Certificates

There are mainly three types of SSL certificates – DV, OV, and EV. Let’s understand what these terms mean and what the difference is between them. 

Domain Validation (DV) SSL Certificate: DV SSLs are basic SSL certificates that have a light verification process. For DV SSL, the CA will verify only one thing: whether you control the domain for which you have requested an SSL certificate. They’re the cheapest option (starts from $7.02/year), the easiest to get, and can be issued in minutes. 

Organization Validated (OV) SSL Certificate: An OV SSL certificate has a stricter vetting process than a DV SSL certificate. In this case, along with verifying the domain name, the applicant has to prove that the website belongs to a genuine business. The CA will check the legal registration details, physical address, office phone number, and the business’s existence in online government directories. It takes 1-3 days to complete the verification process. OV SSL certificates start from $27.44/year

Extended Validated (EV) SSL Certificate: For Extended validated SSL certificates, the CA follows a rigorous verification process. Your organization must go through all the domain validation (DV) and organization validation (OV) processes. Plus, your business must be in the market for at least three years and in good standing. Only business organizations are eligible to apply for an EV SSL (not individuals). All websites with EV SSL certificates are rewarded by the browsers by displaying the organization’s legally registered name on the address bar or in the certificate details. EV SSL certificates start from $72.18/year

How Does an SSL Certificate Assign the Keys?

Assigning a unique set of a public key and private key for your domain name is a one-time process. 

  • When you buy an SSL certificate for your domain, you are required to initiate a certificate signing request (CSR) process on your server to generate your website’s public key, and its corresponding private key.  
  • You need to send the CSR code, which includes your public key, to the CA.  
  • The CA will ask you to verify your domain ownership. If you have bought an OV or EV certificate, the verification process would contain more steps and can take 1 to 5 days. 
  • After the successful verification, the CA binds your public key to the hostname i.e., your domain name or IP address with the SSL certificate.  
  • The CA signs this certificate with its own intermediate certificate’s private key. 
  • There is a chain of intermediate root certificates, and the final certificate is signed by the CA’s root certificate’s private keys.  
  • All the browsers have pre-installed root certificates in their root store. 
  • When the SSL handshake process takes place (which we will understand in the next section), the browser verifies the CA’s signature from its root store to know whether the SSL certificate is signed by a legit CA.  

How an SSL Certificate Enables Encryption

When a web browser first accesses a website, the two communicate in what is called the “SSL Handshake.” This is a process where credentials are exchanged, and an encrypted connection is agreed upon. 

Let’s understand the SSL Handshake bit-by-bit. 

  • The browser sends a ClientHello message to the web server. This contains some SSL certificate information.
  • The web server sends a ServerHello message in return. This message also contains similar SSL information.
  • Now the client (browser) verifies the SSL certificate information of the web server.
  • Once the verification is done, a pre-master key is generated by the browser.
  • The server decrypts the pre-master key.
  • Once the pre-master key is decrypted, the master-secret is in place between the server and the client. This master-key is used to encrypt and decrypt the data.

This entire process is called an SSL handshake. After the successful completion of this process, a secure connection is in place between the client and the server. From now on, every bit of data transferred between the browser and server will be encrypted. 

Note here that the browser decides whether it trusts the certificate on the basis of whether or not it was issued by a trusted Certificate Authority and whether its information/signature is up to date. And there you have it. That’s how an SSL Certificate enacts encryption between a browser and a server. 

Comparison of SSL certificates

We have compared the SSL certificates of all three validation types below. 

Validation Level Domain Validated Organization Validated Extended Validated
Organization’s Name On Address Bar or in Browser No No Yes
256-Bit Encryption Yes Yes Yes
2048-Bit Digital Signature Yes Yes Yes
99.9% Browser Compatibility Yes Yes Yes
Unlimited Re-Issuance Yes Yes Yes
Available in Multi-domain Category Yes Yes Yes
Wildcard Availability Yes Yes No
Maximum Issuance Term 5 Years 5 Years 5 Years
Speed of Issuance In minutes 1-3 days 1-5 days
Technical Support 24/7/365 live Customer support via live chat, phone call, and email 24/7/365 live Customer support via live chat, phone call, and email 24/7/365 live Customer support via live chat, phone call, and email
Site Seal Static or Dynamic site seal Dynamic site seal Dynamic site seal
Free Unlimited Server Licenses Yes Yes Yes
Lowest Available Price $7.02/year $27.44/year $72.18/year
SHOP NOW SHOP NOW SHOP NOW
It's only fair to share...Share on Facebook
Facebook
0Tweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Pin on Pinterest
Pinterest
0
}, onInit: function () { fcPreChatform.fcWidgetInit(preChatTemplate); } };