What is an SSL certificate and why is it important?
Ever clicked a website and seen a warning that it might not be secure? That may mean the site is missing an SSL certificate that enables an encrypted connection between it and your browser. In this article, you’ll learn what SSL certs do and how Norton 360 Deluxe can help protect you from risky sites or unsecured Wi-Fi.

What is an SSL certificate?
SSL (Secure Sockets Layer) certificates, also known as HTTPS certificates, are digital credentials installed by website administrators to verify a site’s legitimacy and allow visitors to connect securely. When a site has an active SSL or TLS certificate, you’ll typically see a padlock icon in the address bar, signaling that the site is trustworthy — think of it as a secure website badge.
Besides being a sign of safety, SSL certificates also enable an encrypted HTTPS connection between the website’s server and end-user browsers. This protects sensitive information, like login details, credit card numbers, and personal data, from being intercepted or stolen during transmission.
SSL certificate files contain the following data:
- Domain name: The URL of the site the SSL certificate secures.
- Registrant information: The name of the person, company, or device to which the SSL certificate was issued.
- Unique serial number: A distinct ID that confirms the certificate's authenticity.
- Certificate authority (CA): The trusted third party that issued and verified the SSL certificate.
- Validity period: The issue and expiration dates for the certificate.
- Public server key: A cryptographic key used to encrypt data that only the paired private key can decrypt.
SSL (Secure Sockets Layer) was the original protocol for securing online communications, verifying server identities, and encrypting data. But due to significant flaws, it was replaced by TLS (Transport Layer Security) — a more secure and reliable successor.
Developed by the Internet Engineering Task Force (IETF) in the 1990s, TLS addressed critical weaknesses in SSL’s cryptography and design. Even so, SSL continued to be used for years as browsers and servers gradually transitioned.
In 2015, SSL was officially sunset after Google researchers uncovered the POODLE vulnerability, which allowed attackers to decrypt supposedly secure information.
Even though the outdated name remains in common usage, all modern “SSL certificates” used to enable encrypted HTTPS connections are actually TLS certificates.
How SSL certificates work
Within a few milliseconds of visiting a website with an SSL certificate, the SSL/TLS handshake process begins. During the handshake, SSL certificates are presented and verified, the web browser authenticates the server’s identity, and a secure communication channel is established.
Here’s how it works:
- Your browser requests a secure connection by reaching out to the website’s server for encrypted content.
- The server responds with its SSL/TLS certificate and public key.
- Your browser verifies the certificate’s digital signature to ensure it’s valid and issued by a trusted CA. If it checks out, you’ll see a padlock icon and the “HTTPS” prefix in the address bar.
- Your browser generates a session key (a temporary key for encrypting data during a browsing session) and encrypts it with the server’s public key.
- Your browser then transfers the encrypted session key to the site’s server.
- The server decrypts the session key with its private key, establishing a secure, encrypted session between your browser and the website.
As long as the connection is in place, the browser and server exchange encrypted data back and forth using the shared session key.


Why websites need SSL certificates
If you’re a business owner or manage your organization’s website, having an SSL certificate is essential. It activates HTTPS, which encrypts the data exchanged between your site and its visitors, making it unreadable to unauthorized parties. This not only helps protect sensitive information from interception or tampering, but also signals to users that your site is legitimate and secure.
While SSL alone can’t prevent every cyberattack, it’s an essential foundation for secure communication and a must-have for any legitimate, security-conscious website. Without it, user data travels unprotected, exposing visitors to man-in-the-middle attacks and other online threats.
How to tell if a site has an SSL certificate
Sites with valid SSL certificates start with the HTTPS prefix and show a padlock icon in the web browser’s address bar. If you visit a site without an SSL cert, you may get a “Your connection is not private” or “Not secure” warning, see an HTTP prefix instead of HTTPS, or notice that the padlock icon is missing from your web browser’s address bar.


Types of SSLs
There are three main types of SSL certificates: Extended Validation, Organization Validation, and Domain Validation. Each requires different information from the applicant and offers a different degree of trust and validation. Information-heavy certificates are more trustworthy because of the depth of information required to obtain one.
There are also a few variants that exist as subtypes within these SSL types, including Wildcard, MD/SAN, and UCC.
Extended Validation certificates (EV SSL)
EV SSLs are the most extensively vetted and checked of all SSL certificates. For a website to get an EV SSL, it must complete a 16-step process verifying details about the site’s ownership. Some of these details include confirmation of:
- Domain
- Website owner
- Applicant’s physical address
- Legal right to conduct business
These SSLs are usually used by large companies and any institutions that need to demonstrate the highest level of trustworthiness to the public, including banks and payment processors. When you visit one of these sites, an EV SSL shows that the domain owner has taken significant steps to keep your data private.
Organization Validated certificates (OV SSL)
Getting an OV SSL is easier than applying for an EV SSL. To issue an OV SSL, a certificate authority performs only a basic review of the entity: it checks that the organization or business exists and that the entity applying for the certificate owns the domain name.
The most common uses for OV SSLs are for sites that need security but aren’t public-facing. For example, an OV SSL would be a good fit for a company that needs secure login pages for internal systems or as security for intranets.
Domain Validated certificates (DV SSL)
A DV SSL is the most basic type of SSL certificate. It provides the same level of encryption as EV and OV certificates, but it’s issued much faster — typically within minutes — because the certificate authority only verifies that the applicant controls the domain.
While DV SSLs do encrypt in-transit data, they’re generally considered less trustworthy overall. That’s because attackers can easily obtain them to create scam or phishing sites that appear genuine at a glance.
These SSLs are best suited for small business websites, personal sites, and blogs that want to enable people to visit safely but don’t require high levels of user trust or identity validation.
Wildcard SSL certificates
Wildcard SSLs cover a website’s subdomains without requiring individual SSL certificates for each one. The certificate uses a character (usually an asterisk) as a stand-in for multiple other characters (usually the names of other pages or subdomains). Wildcards are available in both DV and OV SSLs.
Wildcard certificates are useful for entities with multiple subdomains on the same server. They are more affordable than buying a certificate for each subdomain and allow you to add and remove subdomains over time.
Multi-Domain SSL certificates (MDC)
MD or SAN (Multi-Domain or Subject Alternative Name) SSL certificates certify multiple domains and subdomains with a single certificate. For companies or organizations with many different domains, an MD or SAN SSL is the fastest and simplest way to secure them all.
Most of these certificates can be used for up to 250 different domains simultaneously. These certificates are available as EV, OV, and DV SSLs.
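To make the coverage of wildcard and multi-domain (SAN) certificates concrete, here is an added Python example; it is not code from this article or from any browser. It assumes the common matching rule that a wildcard fills exactly one leftmost label, and the function names and name lists are constructed for illustration.

```python
def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def san_entry_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so label counts must agree.
        return False
    if "*" in ".".join(p[1:]) or ("*" in p[0] and p[0] != "*"):
        # Accept a wildcard only as the entire leftmost label.
        return False
    if p[0] == "*":
        # Simplified breadth check: reject patterns such as "*.com".
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(dns_names: list[str], hostname: str) -> bool:
    """A certificate is valid for hostname if any listed name matches."""
    return any(san_entry_matches(entry, hostname) for entry in dns_names)


# Constructed name lists (hypothetical): a wildcard and a multi-domain certificate.
WILDCARD_CERT = ["*.example.com", "example.com"]
MULTI_DOMAIN_CERT = ["shop.example.com", "example.org", "www.example.org"]


def coverage_report() -> dict[str, bool]:
    """Check a few constructed hostnames against both certificates."""
    hosts = ["www.example.com", "example.com", "a.b.example.com",
             "example.org", "mail.example.org"]
    report = {}
    for host in hosts:
        report[f"wildcard:{host}"] = cert_covers(WILDCARD_CERT, host)
        report[f"multi:{host}"] = cert_covers(MULTI_DOMAIN_CERT, host)
    return report


if __name__ == "__main__":
    for label, covered in coverage_report().items():
        print(f"{label:28} {'covered' if covered else 'NAME MISMATCH'}")
```

The wildcard entry covers `www.example.com` but not the bare `example.com` (which needs its own entry) or the deeper `a.b.example.com`; a hostname that no entry covers is what a browser reports as a name-mismatch error.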
Unified Communications Certificates (UCC)
UCCs are a type of SAN certificate that allows multiple domains and subdomains across three or more servers to be secured under one certificate. UCCs also have the added feature of being used specifically to secure Microsoft Exchange, Live, and communication server types. They’re available as EV, OV, or DV SSLs.
UCCs make SSL certificate management easier for large organizations with multiple domains and subdomains across several servers, as well as organizations with Microsoft Exchange servers.
How to get an SSL certificate
If you own a website, you’re probably wondering how to take advantage of the added trust of an SSL certificate. Keep reading to learn how to get one for your site.
- Generate a Certificate Signing Request: Unless your hosting provider or a plugin automates the process, you’ll need to generate a CSR before you can get an SSL certificate. This file contains your public key and information about your website and organization, all of which will be included in your SSL certificate.
- Confirm what you need to have: Each certificate authority has different requirements, but you’ll almost always need to prove domain ownership and confirm that you’re authorized to request the certificate. Higher-validation SSLs (like OV or EV) require additional documentation to verify your organization’s identity and legal status.
- Choose where to get your SSL certificate: Dozens of CAs issue SSL certificates, so pick one that aligns with your needs. Look for a provider that offers the right type of certificate, meets current industry standards, offers responsive customer support, and provides transparent pricing.
- Consider the cost of an SSL: While many SSL certificates come with a fee, there are free alternatives available for personal or small-scale sites. These are usually limited to DV certificates and may not support multi-domain use or carry the same level of trust for larger organizations.
- Stay on top of SSL certificate renewal: Most SSL certificates last for one year, but some CAs offer multi-year coverage. If your certificate expires, your site could be flagged as “Not Secure,” potentially deterring users, damaging your brand, and resulting in lost revenue and credibility. Set renewal reminders and monitor your certificate status closely.
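One way to monitor the validity period described in the renewal step, shown as an added Python example that is not part of the original article. The inventory, hostnames, dates, and the 30-day warning threshold are constructed assumptions; the date strings use the `notBefore`/`notAfter` format that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch a live certificate as a dict (needs network; not called below).
    An already-expired certificate fails verification and raises here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def renewal_status(cert: dict, now: datetime, warn_days: int = 30) -> tuple[str, int]:
    """Classify a certificate by validity period: (status, whole days left)."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = int((not_after - ts) // 86400)
    if ts < not_before:
        return "not yet valid", days_left
    if ts > not_after:
        return "expired", days_left
    return ("renew now" if days_left <= warn_days else "ok"), days_left

def renewal_queue(inventory: dict, now: datetime, warn_days: int = 30) -> list:
    """Return (host, status, days_left) for certificates needing action, most urgent first."""
    rows = [(host, *renewal_status(cert, now, warn_days))
            for host, cert in inventory.items()]
    return sorted((r for r in rows if r[1] != "ok"), key=lambda r: r[2])

# Constructed inventory (hypothetical hosts and dates).
INVENTORY = {
    "www.example.com":  {"notBefore": "Jan  1 00:00:00 2025 GMT",
                         "notAfter":  "Jan  1 00:00:00 2026 GMT"},
    "shop.example.com": {"notBefore": "Mar  1 00:00:00 2025 GMT",
                         "notAfter":  "Dec 10 00:00:00 2025 GMT"},
    "blog.example.com": {"notBefore": "Jun  1 00:00:00 2025 GMT",
                         "notAfter":  "Jun  1 00:00:00 2026 GMT"},
}
NOW = datetime(2025, 12, 15, tzinfo=timezone.utc)  # fixed clock for a reproducible result

if __name__ == "__main__":
    for host, status, days in renewal_queue(INVENTORY, NOW):
        print(f"{host:18} {status:14} {days:4d} days")
```

The "not yet valid" branch also shows why a wrong device clock produces certificate errors: the same certificate fails the validity check when the local time falls outside its issue and expiration dates.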
Get extra online browsing protection
Even on supposedly secure HTTPS sites, scammers and hackers may be lurking, and your data can still be intercepted on an unsecured network. Norton 360 Deluxe includes a powerful VPN to encrypt all the internet data you send and receive, plus award-winning anti-malware and AI-powered scam detection to help block malicious websites, phishing links, and other online threats before they reach you.
FAQs
What is a certificate authority?
A certificate authority (CA) is the organization that issues SSL certificates. Its job is to verify the identity of site owners with certificates and then store and sign these certificates. CAs must meet strict guidelines in order for their certificates to be trusted by devices, operating systems, and browsers.
What is a public/private key pair?
Public and private key pairs work together to enable secure, encrypted communication between a server and a browser. The public key — included in the SSL certificate — is freely available to anyone visiting the site and is used to encrypt data sent to the server. The private key, held securely by the server, is used to decrypt that data once a secure connection is established.
How do I fix an SSL certificate error?
As a site user, you might notice SSL certificate errors like “Your connection is not private” or “NET::ERR_CERT_COMMON_NAME_INVALID”. To fix these, check your device’s date and time, clear your browser’s cache and cookies, or try a different browser.
What is Norton Secure Seal?
The Norton Secure Seal was a trust badge that website owners could display to show their site had passed a thorough security scan and met Norton’s rigorous safety standards. It signaled to visitors that the site was actively monitored for threats like malware, vulnerabilities, and phishing, helping build confidence that the site was safe to use.
Editorial note: Our articles provide educational information for you. Our offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about Cyber Safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses. The Norton and LifeLock brands are part of Gen Digital Inc.