SSL is the acronym for Secure Sockets Layer and is the Internet standard security technology used to establish an encrypted (or safe) link between a web server (website) and your browser (i.e. Internet Explorer, Chrome, Firefox, etc…). This secured link ensures that the data/information that is passed from your web browser to the web server remain private; meaning safe from hackers or anyone trying to spy/steal that info. SSL is the industry standard and is used by millions of websites to protect and secure any sensitive or private data that is sent through their website.
One of the most common things SSL is used for is protecting a customer during an online transaction. To establish a secured SSL connection on a web server it requires an SSL Certificate to be properly installed.
When completing the process to activate SSL on your web server you will be asked to complete a number of questions to verify the identity of your domain and your company.
Once properly completed, your web server will create 2 types of cryptographic keys – one is called a Private Key and the other is called the Public Key. The Public Key isn’t a secret and it’s placed into something called a Certificate Signing Request or most commonly referred to as the CSR. The CSR is a file that contains all the data of your details. Once this CSR is generated, you can begin the SSL application process.
During this process, the Certification Authority (CA) will go through the validation process to verify your submitted details and then once verified will issue an SSL Certificate with your details and allow you to use SSL. Your web server will automatically match the CA issued SSL Certificate to your Private Key. This means you are now ready to establish an encrypted and secure link between your website and your customer's web browser.
SSL protocol is complex, but the complexities always remain invisible to your customers. Instead the browser they are using provides them with a key indicator letting them know that their session is currently protected by an SSL encryption – sometimes it is the lock icon in the lower right-hand corner, or the addition of an “s” in https rather than just http, on high-end SSL Certificates, a key indicator is the green bar in the browser. Clicking on the indicators will display all the details about it. All trusted Certification Authorities issue SSL Certificates to either legit companies or legally accountable individuals.
Generally speaking, SSL Certificates include and display (at least one or all) your domain name, your company name, your address, your city, your state and your country. It also always has an expiration date of that particular certificate and of course the details of the Certification Authority responsible for issuing the certificate.
Browser connect to a secured site and then retrieves the site's SSL Certificate and first makes sure that it has not expired, then it checks to see if it was issued by a known Certification Authority that the browser trusts, and then that it is actually being used by the website that is was actually issued to.
If any one of these parameters does not check out properly, the browser will display a warning to the user to let them know that this site is not secure by SSL. It says to leave or proceed with extreme caution. That is the last thing you would want to say to your potential customer. That is why SSL is of high importance to any successful company doing business on the web.
The number of businesses that use SSL have increased tremendously over the past few years and the reasons for which SSL is used has also increased, for example:
As the reasons companies use for SSL have become wider, three different types of SSL Certificates have been established:
Extended Validation (EV) SSL Certificates are issued only when a Certification Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name plus the CA conducts a very THOROUGH vetting (investigation) of the organization. The issuance process of EV Certificates is standardized and is strictly outlined in the EV Guidelines, which was created at the CA/Browser Forum in 2007, specifies the required steps that a CA must do before issuing an EV certificate:
EV Certificates are used for all types of businesses, including government entities and both incorporated & unincorporated businesses. Takes about 10 days to issue.
A second set of guidelines are for the actual CA and it establishes the criteria to which a CA needs to be audited before being allowed to issue an EV Certificate. It is called, the EV Audit Guidelines, and they are always done every year to ensure the integrity of the issuance process.
Organization Validation (OV) SSL Certificates are issued only when a Certification Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name plus the CA does some vetting (investigation) of the said organization. This additional vetted company info is displayed to customers when the Secure Site Seal is clicked on, this gives enhanced visibility to who is behind the site which in turn gives enhanced trust in the site. Takes about 2 days to issue.
Domain Validation (DV) SSL Certificates are issued when the CA checks to make sure that the applicant actually has the right to the specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal. DV certs can be issued immediately.
A Domain Validated (DV) SSL certificate is a quick and easy way to secure a domain, as the Certificate Authority (CA) issuing the certificate only requires verification that the recipient actually owns the domain they wish to cover.
This verification process can typically be completed in a matter of minutes. However, these certificates offer little in the way of SSL recognition, so they are recommended for websites where visitor trust is not of high importance and information like usernames, passwords, or credit card information is not required.
You do not need to provide any documentation in order to purchase a Domain Validated (DV) certificate. All you will need to do is confirm that you own the domain you wish to cover, either through a simple email or file-based authentication.
An Organization Validated (OV) SSL certificate requires that a business complete a light vetting process by the Certificate Authority before being issued.
These certificates are a nice middle-ground between DV and EV certificates, as they aren't as expensive as EV options but still offer more SSL and trust indications than basic between DV and EV certificates.
These certificates typically take between 2-3 days to be issued.
Organization Validated (OV) verification requires checking your business registration. If the Certificate Authority (CA) can verify this information using online government databases, no additional documents will be required. However, if the online filings are not available or inaccurate or not up to date, the CA may request additional official government registration documents, which vary on a case-by-case basis. A Dun & Bradstreet listing can usually satisfy most of the requirements for an OV certificate. Usually Takes 2-3 Days.
EV stands for Extended Validation and is the most premium type of SSL certificate available. These certificates are identified on websites mainly by the green address bar, the most universally recognized symbol of trust on the web.
EV certificates are becoming more and more commonplace in the industry, especially amongst ecommerce sites, as they are used by some of the most trusted sites in the world like Bank of America, Twitter, Paypal, and more.
These certificates require that a company complete a thorough vetting process before being issued.
EV certificates require a more stringent verification process than OV certificates. To understand the basis of this procedure, please refer to the above question about OV certificate verification. Please note that EV certificates require you to complete a few extra steps, including proving both physical and operational existence as well as completing a simple telephone call with the Certificate Authority (CA) directly. Usually Takes 3-5 Days.
Wildcard SSL certificates can cover one main domain name (www.domain.com) and an unlimited amount of subdomains (mail.domain.com, login.domain.com, test.domain.com, etc.).
Multi-domain or SAN (Secure Alternate Name) SSL certificates can cover multiple domain names on just one certificate. For example, Symantec and Thawte multi-domain certificates can cover up to 250 domains, whereas Comodo certificates can cover up to 250 domains with just a single SSL certificate. GeoTrust multi-domain certificates can cover anywhere from 25 to 250 domains, depending on the type of certificate you order.
Wildcard SSL certificates can cover one main domain (www.domain.com) and an unlimited amount of subdomains (mail.domain.com, login.domain.com, test.domain.com, etc.). Multi-domain (SAN) SSL certificates can cover multiple domains on just one certificate. For example, Symantec and Thawte multi-domain certificates can cover up to 250 domains, whereas Comodo certificates can cover up to 250 domains with just a single SSL certificate. GeoTrust multi-domain certificates can cover anywhere from 25 to 250 domains, depending on the type of certificate you order.