ATTENTION: Comodo CA is currently experiencing issues internally that is delaying order issuance after completing DV, OV, or EV validation. You can rest assured Comodo Engineers are actively working on resolving this high priority issue. If you encounter any problems or delays with orders placed between September 21st, 2017 and September 22nd, 2017, contact support or your account manager with any questions or concerns.

ComodoSSLstore Loading
Partner Program


SSL Certificate Security Glossary

128 bit SSL

128 bit SSL is also referred to as strong SSL security. The 128 bit tells users that the size of the encryption key used to encrypt the data being passed between a web browser and web server is 128 bits in size (mathematically this would be 2 to the power of 128). Because the size of the 128 bit key is large it is computationally unfeasible to crack and hence is known as strong SSL security.

Most web servers and web browsers support 128 bit SSL. However some versions outside of the US will only support 40 bit SSL and should be upgraded.


The act of determining that a message has not been changed since leaving its point of origin. Authentication, secure authentication or secure SSL authentication of a user, is usually derived from something that the user understands, is or has. Many SSL Authentication Systems Which Provide SSL Internet Security and Online Payment System Security Are Now Shifting Toward Public Key Encryption.

Authentication Header

An Internet IPsec protocol, A field that immediately follows the IP header in an IP datagram and provides authentication and integrity checking for the datagram. Also protection against replay attacks; it secures authentication like secure SSL digital ID validation.

Authentication Token

A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords.


A record containing information that can be shown to have been recently generated using the session key known only by the client and server.


SSL Certificate security must be genuine and verifiable. In SSL Internet security and network security, it is imperative that authenticity is not assumed.


A technology that makes it possible to identify who published a piece of software and to verify that it has not been tampered with. It also confirms that the digital certificate used to sign the code was issued by the certificate authority originally.


Giving access or other rights to a user, process or program that has been authorized.


A file that attests to the identity of an organization or web browser user and is used to verify that data being exchanged over a network is from the intended source. The certificate is digitally signed either by a Certificate Authority or is self-signed. There are CA certificates, client CA certificates, client certificates, and server certificates

Certificate Revocation List

A list maintained by the Certificate Authority of all certificates that are revoked, but not expired. A certificate may be revoked because the user's private key is assumed to be compromised, the user is no longer certified by this Certificate Authority, or the Certificate Authorities private key is assumed to be compromised.


The complete assessment of the technical and nontechnical security functions of a system and other safeguards that are made for the accreditation process, which establishes the degree to which a particular plan and implementation meet a certain set of security conditions.

Certification Authority (CA)

A third party organization which is used to confirm the relationship between a party to the https transaction and that party's public key. Certification authorities may be widely known and trusted institutions for internet based transactions, though where https is used on companies internal networks, an internal department within the company may fulfill this role.

CPS (Certification Practice Statement)

CPS is short for Certification Practice Statement. The CPS is a document published by the Certification Authority and outlines the practices and policies employed by the organization in issuing, managing and revoking digital certificates.

CRL (Certificate Revocation List)

CRL is short for Certificate Revocation List. The CRL is a digitally signed data file containing details of each digital certificate that has been revoked. The CRL can be downloaded and installed into a user's browser and ensures that the browser will not trust a revoked digital certificate.

CSR (Certificate Signing Request)

CSR is short for Certificate Signing Request. When applying for a SSL certificate the first stage is to create a CSR on your web server. This involves telling your web server some details about your site and your organization; it will then output a CSR file. This file will be needed when you apply for your SSL certificate. Instructions on how to create a CSR with all popular web server software are available here.

Digital Signature

A digital signature (not to be confused with a digital certificate) is an electronic rather than a written signature. It can be used with any kind of message, whether it is encrypted or not, simply so that the receiver can be sure of the sender's identity and that the message arrived intact. A digital certificate contains the digital signature of the certificate-issuing authority so that anyone can verify that the certificate is real. Additional benefits to the use of a digital signature are that it is easily transportable, cannot be easily repudiated, cannot be imitated by someone else, and can be automatically time-stamped.

Digital Signature Algorithm (DSA)

An algorithm for producing digital signatures, developed by NIST and the NSA. To sign a message, Jean uses the DSA Sign Algorithm to encode a digest of the message using her private key. For all practical purposes, there is no way to decrypt this information. However, anyone who receives the message and accompanying digital signature can verify the signature by using the DSA Verify Algorithm to process the following information: the received signature; a digest of the received message; and Jeans public key. If the output of this algorithm matches a certain part of the digital signature, the signature is valid and the message has not changed. In contrast to RSA and other encryption-based signature algorithms, DSA has no ability to encrypt or decrypt information.

Digital Signature Standard (DSS)

A National Institute of Standards and Technology (NIST) standard for digital signatures, used to authenticate both a message and the signer. DSS has a security level comparable to RSA (Rivest-Shamir-Adleman) cryptography, having 1,024-bit keys.


Quite simply, the act of selling over the internet. This can either be Business to Business (B2B) or Business to Consumer (B2C).


Encryption is the process of changing data into a form that can be read only by the intended receiver. To decipher the message, the receiver of the encrypted data must have the proper decryption key. In traditional encryption schemes, the sender and the receiver use the same key to encrypt and decrypt data. Public-key encryption schemes use two keys: a public key, which anyone may use, and a corresponding private key, which is possessed only by the person who created it. With this method, anyone may send a message encrypted with the owner's public key, but only the owner has the private key necessary to decrypt it.


A secured system passing and inspecting traffic via an internal trusted secure server network and an external secure server network that is untrusted, like the Internet. Firewalls can be used to discover, prevent, or mitigate certain kinds of secure server network attack. This provides Internet security and online security.

Host headers SSL

Host headers are used by IIS as a means of serving multiple websites using the same IP address. As a SSL certificate requires a dedicated IP address host headers cannot be used with SSL. When the SSL protocol takes place the host header information is also encrypted - as a result the web server does not know which website to connect to. This is why a dedicated IP address per website must be used.


Browsers can connect to web servers over http and over https. Connecting over https involves you entering https:// before the domain name or URL and, providing the web server has a SSL certificate, the connection will be secured and encrypted.

IIS (Internet Information Services)

IIS is short for Internet Information Services and is Microsoft's popular web server software.


A protected/private character string which is applied to authenticate an identity, which gives secure authentication and secure SSL authentication, sometimes with digital signatures and digital certificates like 128-bit SSL digital certificates. Passwords are for a user's online security or authorization security. Working together are certs and secure email with SSL certificates, all terms related to online security.


Similar to "protocol" in human communication which involves a previously agreed upon set of rules for communicating in diplomatic settings. On the Internet, a protocol is an agreed upon method for sending and receiving information.

Private Key

The key that a user keeps secret in asymmetric encryption. It can encrypt or decrypt data for a single transaction but cannot do both.

Public Key

The key that a user allows the world to know in asymmetric encryption. It can encrypt or decrypt data for a single transaction but cannot do both.

Root Certificate

A self signed certificate issued from a root level Certificate Authority (CA).

Secure Server

A Web server that utilizes security protocols like SSL to encrypt and decrypt data, messages, and online payment gateways to accept credit cards, to protect them against fraud, false identification, or third party tampering. Purchasing from a secure Web server ensures that a user's credit card information or personal information can be encrypted with a secret code that is difficult to break. Popular security protocols include SSL, SHTTP, SSH2, SFTP, PCT, and IPSec.

SSL (Secure Sockets Layer)

SSL is short for Secure Sockets Layer. The SSL protocol was developed by Netscape and is supported by all popular web browsers such as Internet Explorer, Netscape, AOL and Opera. For SSL to work a SSL certificate issued by a Certification Authority must be installed on the web server, SSL can then be used to encrypt the data transmitted (secure SSL transactions) between a browser and web server (and vice versa). Browsers indicate a SSL secured session by changing the http to https and displaying a small padlock. Website visitors can click on the padlock to view the SSL certificate.


The SSL Key, also known as a Private Key, is the secret key associated with your SSL certificate and should reside securely on your web server. When you create a CSR your web server will also create a SSL Key. When your SSL certificate has been issued, you will need to install the SSL certificate onto your web server - which effectively marries the SSL certificate to the SSL key. As the SSL key is only ever used by the web server it is a means of proving that the web server can legitimately use the SSL certificate.

If you do not have, or lose either the SSL Key or the SSL certificate then you will no longer be able to use SSL on your web server.

SSL handshake

The SSL handshake is the term given to the process of the browser and web server setting up a SSL session. The SSL handshake involves the browser receiving the SSL certificate and then sending "challenge" data to the web server in order to cryptographically prove whether the web server holds the SSL key associated with the SSL certificate. If the cryptographic challenge is successful then the SSL handshake has completed and the web server will hold a SSL session with the web browser. During a SSL session the data transmitted between the web server and web browser will be encrypted. The SSL handshake takes only a fraction of a second to complete.

SSL Port / https Port

A port is the "logical connection place" where a browser will connect to a web server. The SSL port or the https port is the port that you would assign on your web server for SSL traffic. The industry standard port to use is port 443 - most networks and firewalls expect port 443 to be used for SSL. However it is possible to name other SSL ports / https ports to be used if necessary. The standard port used for non-secure http traffic is 80.

SSL Proxy

SSL Proxy allows non-SSL aware applications to be secured by SSL. The SSL Proxy will add SSL support by being plugged into the connection between the browser (or client) and the web server.

SSL Accelerator

Ordinarily the SSL handshake and subsequent encryption of data between a browser and the web server is handled by the web server itself. However for some extremely popular sites, the amount of traffic being served over SSL means that the web server either becomes overloaded or it simply cannot handle the required number of SSL connections. For such sites a SSL Accelerator can help improve the number of concurrent connections and speed of the SSL handshake. SSL Accelerators offer the same support for SSL as web servers.

Shared SSL & Wildcard SSL

It is possible for a web hosting company to share a single SSL certificate - this allows the same SSL certificate to be used by many websites without the need to issue individual SSL certificates to each hosting customer. The recommended way to share SSL is to use a Wildcard SSL certificate. This allows the unlimited use of different sub domains on the same domain name. The Wildcard SSL certificate allows the webhosting company to give each customer a secure sub domain, such as,, etc. The same can be applied for organizations wanting to secure multiple sub domains within the enterprise network.

TLS (Transport Layout Security)

TLS is short for Transport Layer Security. The TLS protocol is designed to one day supersede the SSL protocol, however at present few organizations use it instead of SSL.


The procedure that contrasts two levels of system explicitation for appropriate correspondence.