6 SSL Certificate Best Practices to Improve Your Website Security

There’s more to SSL than just installing digital certificates

From “do we even need SSL?” to “we don’t have SSL yet?” — the world of website security has witnessed a dramatic change in the attitude of website owners. An SSL certificate is no longer a luxury for them; it’s an absolute necessity. Regardless of whether your goal is to avoid security warnings displaying in browsers for non-HTTPS sites or to enjoy the SEO advantage given to HTTPS sites, it’s important that you follow SSL certificate best practices.

The rise in the adoption of HTTPS has been massive. Almost 50% of the top one million websites use HTTPS by default (they redirect inquiries of HTTP pages to URLs with HTTPS). Moreover, it’s not just the big-name websites that have migrated to HTTPS; websites or blogs run by individuals, too, have realized the significance an SSL certificate holds on today’s internet.

If you’re a website administrator, chances are that you might already have an SSL certificate. Or, you might be planning to get one. In either case, you must understand that having HTTPS in front of your website name isn’t enough. You must implement it properly by tightening every nut and bolt involved in the process. And adhering to SSL certificate best practices is an important part of that.

Here are the SSL certificate best practices that you must follow so that you don’t leave a single crack for the attackers and make the best of the investment you’ve made by purchasing an SSL certificate:

1. Purchase an SSL Certificate That’s Appropriate for Your Website

Did you know that SSL certificates come in various shapes and sizes in terms of functionality and validation? Primarily, there are three types of SSL certificates — domain validation (DV) SSL certificates, organization validation (OV) SSL certificates, and extended validation (EV) SSL certificates.

Domain validation (DV) certificates are perfect for you if you need encryption and nothing more. They’re usually the least expensive and can be issued within minutes because the validation process is automated.

Organization validation (OV) SSL certificates are mid-level SSL certificates. To obtain an OV SSL certificate, you must be a registered company or organization, and you must undergo light business vetting. This can take up to three business days because certificate authority (CA) has to verify your business information. OV SSL displays the same visual indicators as DV SSL but provides a way for your customers to check your verified business information in the certificate details section.

Extended validation (EV) SSL certificates require extensive business vetting by a reputable certificate authority. This may sound like a lot, but it’s really not if your business has publicly available records. EV SSL activates a unique visual indicator — your verified organization name and address shown in the browser when you click on the padlock icon. These SSL certificates help you assert the most identity to gain customer trust and credibility. If you have a website where establishing credibility is imperative (such as an ecommerce website), these SSL certificates are meant for you. 

2. Purchase an SSL Certificate from a Reputed Certificate Authority

You might purchase the best-in-class SSL certificate, but what if the certificate authority that issued your certificate later gets compromised? What if they make a terrible mistake that puts your website security at risk?

The thing that you need to know about certificate authorities is that they’re not the same. Some are more reputed than the others, for many reasons. This is where the second point on our list of SSL certificate best practices comes into play.

Here’s a little checklist that you should consider before finalizing a certificate authority:

• Security history and reputation
• Services offered
• Popularity
• Support for certificate revocation list (CRL) and online certificate status protocol (OCSP) revocation methods
• Certificate management solutions (for managing certificates in large numbers)
• Help, support when and how you need it
• Positive reviews by customers

3. Properly Configure Your Server

Installing a top-of-the-line SSL certificate and not updating your server for its use is a lot like purchasing a Formula One race car and using it to drive to your office. Okay, that’s a total exaggeration, but you got the point, right? Here’s what you need to configure:

1. Configure to Use Latest Security Protocols

As far as the security protocols are concerned, you must configure your server to use TLS 1.2 and 1.3. Both these protocols embody vast improvements over their predecessors — TLS 1.0 and 1.1. Moreover, all major browsers will be deprecating support for them by the first half of 2020.

2. Configure to Use Secure Cipher Suites

Cipher suites play a significant role in SSL handshake — the process that enables a secure connection between your server and users. If you’re using a cipher suite that’s been deprecated or has been found vulnerable, you’re putting your website security at risk. That’s why using secure cipher suites that support 128-bit (or more) encryption is paramount.

3. Configure to Use 2048-Bit Key Exchange

Diffie-Hellman key exchange (DHE), the most widely adopted key exchange algorithm, was found to be vulnerable in case of lower-strength key exchanges (768-bit and 1024-bit). Not only that, some DH groups were found to be broken by nation state actors. Of course, you don’t want that. Therefore, we recommend deploying DHE with at least 2048-bit security.

4. Protect Your Private Keys

Yes, this general best practice is as obvious as it can be. Some might even call it a cliché, but it’s the most essential SSL certificate best practice you can follow as far as protecting your SSL certificates is concerned. Essentially, the private key is what makes every SSL certificate tick. In layman’s terms, your private key is your certificate. If someone gets hold of your private key, you could be in the middle of a meltdown.

Here are our recommended practices to protect your private key:

• Generate private key on a secure computer
• Protect your private key with a robust password
• Store your private key in a hardware device
• Revoke your certificate immediately if your private key gets compromised
• Generate a new private key whenever you renew your certificate

5. Implement HSTS (HTTP Strict Transport Security)

Almost 50% of the top one million websites redirect users on their HTTPS URLs even if a user requests for an HTTP webpage. That’s because they’ve implemented HSTS (HTTP Strict Transport Security). To implement HSTS, you must add a new response header to your website. Once implemented, it won’t allow your website to make any insecure (HTTP) connection as it converts all plaintext HTTP URLs into HTTPS. 

Here’s the header that you’ll need to add to your website:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

6. Ensure Your Certificates Are Valid Through SSL Certificate Management Best Practices

One thing that many people tend to forget is that SSL/TLS certificates come with a set validity period. This oversight is pretty common, and even big giants such as LinkedIn were found sleeping on the job. Expired SSL certificates can result in site downtime or outages, direct and indirect costs, and reputation damage for your organization.

This is where our certificate validity period best practice can come in handy. Make sure that your SSL certificates are renewed before their certificate validity period ends to avoid downtime and security threats that might arise as a result of the gap in your cyber defenses.