What is an SSL certificate?

How SSL certificates work

SSL (Secure Sockets Layer), and the upgraded version of this protocol called TLS (Transport Layer Security), is a technology that builds an encrypted connection between a web browser and a server.

You can think of a user and a website as two buildings on opposite sides of a canyon. For the user to get to the website and vice versa, there needs to be a bridge. An SSL certificate is that bridge—it’s safe and allows information to travel securely from one side to the other. 

Within a few milliseconds of visiting a website with an SSL certificate, a number of important processes take place:

• Your browser sends a request to the site’s server asking for secure pages.
• The server transmits the SSL certificate along with a public key. The public key encrypts data and verifies digital signatures.
• Your browser verifies the digital signature’s legitimacy and displays the padlock icon in the address bar.
• Your browser then transfers encrypted data to the site’s server with a secret key.
• Using a private decryption key, the server reads the data and accesses the secret key.
• As long as the connection is in place, the browser and server share secure data back and forth by using the secret decryption key.

If you’re online and visit a site without SSL encryption, you might be warned that “your connection is not private.” That means cybercriminals can intercept anything you share on that site.

Types of SSLs

There are three main types of SSLs: Extended Validation, Organization Validation, and Domain Validation. There are a few variants that exist as subtypes within them, and they include wildcard, MD/SAN, and UCC.

The main differences have to do with what information is needed to secure each type. Extended Validation certificates require the most information, while Domain Validation certificates require the least.

This generally means that the more information-heavy certificates are more trustworthy because of the depth of information required to earn one.

Within these three main types, there are more specialized versions typically designed for enterprises or other large organizations.

Each SSL certificate contains the following information:

• Domain name
• The company, person, or device that owns the certificate
• Subdomain names
• The issuing certificate authority (CA)
• The CA’s digital signature
• Issuance date
• Expiration date
• The public key (the private key is kept a secret)

Extended Validation certificates (EV SSL)

EV SSLs are the most extensively vetted and checked of all SSL certificates. For a website to get an EV SSL, it must complete a 16-step process verifying details about the site's ownership. Some of these details include confirmation of:

• Domain
• Website owner
• Applicant’s physical address
• Legal right to conduct business

These SSLs are usually used by large companies and any institutions that need to demonstrate the highest level of trustworthiness to the public, including banks and payment processors. When you visit one of these sites, an EV SSL shows that the domain owner has taken significant steps to keep your data private.

Organization Validation certificates (OV SSL)

Getting an OV SSL is easier than applying for an EV SSL. For a certificate authority to issue an OV SSL, they perform only a basic review of an entity. They check that the organization or business exists and that the entity applying for the certificate owns the domain name.

The most common uses for OV SSLs are for sites that need security but aren’t public-facing. For example, an OV SSL would be a good fit for a company that needs secure login pages for internal systems or as security for intranets.

Domain Validation certificates (DV SSL)

A DV SSL is the most basic type of SSL certificate. The certificate authority confirms only that the domain is controlled by the person or entity that requested the certificate. A DV SSL can be issued quickly, but it offers the same level of encryption found in EV and OV SSLs. DV SSLs are generally considered the least safe from a cybersecurity standpoint. Because they are relatively easy to obtain and can provide the illusion of security, DV SSLs are sometimes found on unsafe sites.

These SSLs are good for small business websites, personal sites, and blogs because they encrypt traffic and allow people to safely visit without providing identity validation.

Wildcard SSL certificates

Wildcard SSLs cover the subdomains on a website without requiring individual SSL certificates for each one. The certificate uses a character (usually an asterisk) as a stand-in for multiple other characters (usually the names of other pages or subdomains). Wildcards are available in both DV and OV SSLs.

Wildcard certificates are useful for entities with multiple subdomains on the same server. They are more affordable than buying a certificate for each subdomain, and they let you add and remove subdomains over time.

Multi-Domain and Subject Alternative Names SSL certificates (MD/SAN)

MD or SAN SSL certificates certify multiple domains and subdomains with a single certificate. Most of these certificates can be used for up to 250 different domains simultaneously. These certificates are available as EV, OV, and DV SSLs.

For companies or organizations with many different domains, an MD or SAN SSL is the fastest and most simple way to secure all of those domains.

Unified Communications Certificates (UCC)

UCCs are a type of SAN certificate that allows multiple domains and subdomains across three or more servers to be secured under one certificate. UCCs also have the added feature of being used specifically to secure Microsoft Exchange, Live, and communication server types. They’re available as EV, OV, or DV SSLs.

For large organizations with multiple domains and subdomains across several servers, as well as organizations with Microsoft Exchange servers, UCCs make for easier management of SSL certificates.

Why websites need SSL certificates

Cyberattacks are a surprisingly common threat. Cybersecurity statistics show that more than half of all internet users have directly experienced cybercrime within the last year. That means it’s more important than ever for people to protect their data and find out if the websites they visit are safe.

An SSL certificate is one important brick in the wall of safer browsing because it lets you know that the information you’re sharing on a site is protected by encryption. Without encryption, the data transmitted from a user to a site isn’t protected, opening you up to man-in-the-middle attacks and other kinds of cyberattacks.

If you’re a business owner or responsible for your organization’s website, an SSL provides your customers and other site users with an extra layer of protection and peace of mind. While one of these SSL security certificates isn’t enough to stop or prevent all forms of hacking or theft of information on its own, it’s an important step that can help protect the data and public perception of your organization.

How to get an SSL certificate

If you own a website, you’re probably wondering how to take advantage of the added trust that comes with an SSL certificate. Keep reading to learn how to get one for your site.

1. Confirm the information you need

Every certificate authority has different requirements you’ll need to satisfy before they’ll issue an SSL. With that in mind, there are a few standard bits of information every CA will ask you for, whether you are applying for an EV, OV, or DV SSL, including:

• Proof that you own the domain
• Proof that you’re the person applying for the SSL

As the verification level goes up, you’ll need to provide more information.

2. Choose where to get your SSL certificate

There are dozens of different certificate authorities worldwide that verify and provide website SSLs. When you’re searching for a CA, consider looking for one that:

• Provides the type of SSL you need
• Meets all of the minimum required standards for issuing certificates
• Has a clear pricing structure
• Offers you the customer support you need

3. Consider the cost of an SSL

While most SSL certificates require you to pay a certificate authority, free options are available. Usually, the free SSLs are limited to Domain Validated certificates, meaning they aren’t ideal (or possibly even available) for larger entities or organizations with multiple domains and subdomains.

• If you have a personal website or a simple site for a small business, a free SSL certificate will probably provide you with everything you need.
• For larger businesses or organizations that handle sensitive personal information like financial or medical data, it’s usually a good idea to work with a CA that can issue certificates covering multiple domains or subdomains across one or more servers.

4. Stay on top of SSL certificate renewal

For a small business owner or blogger, it might not be a huge problem if your SSL certificate expires and you forget to renew it for a few days.

But if you’re a big brand that handles tremendous amounts of external or internal traffic every day, a lapsed certificate could cost you a lot of money and damage your reputation. 

Set a reminder in your calendar to renew your SSL certificate on time (or early) and find out if the CA offers automated renewals to avoid becoming an attack surface—a weak point where a hacker could gain entrance to a system.

If you want to ensure you’re browsing and shopping online as safely as possible, get Norton VPN. Our VPN provides bank-grade encryption to help you secure your passwords, financial information, and other data against cybersecurity threats.

FAQs about SSL certificates

Still have questions about SSL certificates? We’ve got answers.

What is a certificate authority?

A certificate authority (CA) is the organization that issues SSL certificates. A CA’s job is to verify the identity of site owners with certificates and then store and sign these certificates. They are required to meet strict guidelines in order for their certificates to be trusted by devices, operating systems, and browsers.

What is a public/private key pair?

Public and private keys give authorized users the ability to send and receive encrypted data.

The public key is generated by the certificate and is available to anyone using a site. The private key is secret and is created by the user’s browser once a connection has been established. As encrypted data is sent between the certificate owner and the user, the data remains unreadable to anyone other than the issuer of the public key and the holder of the private key. 

How long do SSL certificates last?

Most SSL certificates last for one year, but some CAs offer longer coverage, like two to three years.

What are security certificates?

A security certificate, including SSL or TLS certificates, is a small data file that proves the site’s authenticity to a user and creates a secure connection using encryption.

Can an SSL certificate be used on multiple servers?

Yes, with a multi-domain certificate, you can use one SSL on multiple servers. 

What is a CSR?

A certificate signing request (CSR) is an encoded data file that a certificate authority uses to issue an SSL certificate to encode traffic to your site. It contains your domain name, organization name and address, and public key information.