If you’re new to building websites, you may be wondering, “what is an SSL certificate” and “why do I need one.”
To help answer these questions, we’re going to break down these certificates and the potential consequences of not having an SSL certificate or having a misconfigured one.
What is an SSL Certificate?
SSL stands for Secure Sockets Layer and provides a way to confirm your website’s identity and ensure that anyone who accesses your site does so through a secured connection.
The digital certificate is stored on your server along with a private key specific to your certificate. Whenever someone accesses your website, the public key in the certificate is matched against the private key held on your server.
If the keys fail to match, a warning message will appear on the user’s side, letting them know the connection is not secure and they are open to various kinds of attacks. Once validated, an encrypted connection can be established between the client and server.
It’s important to note that what most people refer to as SSL is actually TLS, or Transport Layer Security. SSL is an outdated security protocol and the predecessor to Transport Layer Security, but the terminology has carried over.
How do SSL certificates work?
You should now have a pretty good understanding of what an SSL certificate does, but how exactly does it work? Here is a step-by-step breakdown:
- A browser attempts to make a connection with a website and immediately requests that a server identify itself
- The server sends a copy of its certificate
- The browser checks the certificate, ensures the information is valid, and responds to the server
- The server then responds with a digitally signed acknowledgment to start an encrypted session
- The encrypted online session begins, and information is transferred between the client and server
While this may seem complex, the best way to think about it is as sending a coded and sealed letter in the mail to a specific person, along with decoding instructions.
You write a coded letter, seal it in an envelope, then send it to a specific user. If you sent the message without sealing it, it would be possible for someone to see the contents.
However, by sealing it, only the recipient can see the contents and, because it is coded, only they can decipher the message.
What Information Does A Certificate Contain?
The primary purpose of an SSL certificate is to verify the identity of the certificate holder and ensure a connection isn’t being made with an imposter. The certificate details include:
- Domain Name
- Certificate Validity Period
- Certificate Authority (CA) Details
- Public Key
- Public Key Algorithm
- Certificate Signature Algorithm
- SSL/TLS Version
- Thumbprint Algorithm
The above information is contained in every certificate type, both free and paid. However, advanced certificates such as organizational validation or extended validation will also include the following:
- Name of the organization
- Website owner
Why You Need An SSL Certificate For Your Website
If you are a reputable business owner and want to ensure your customers’ information stays safe, you need an SSL certificate.
A less altruistic reason to get an SSL certificate is that not having one will affect your website’s search rankings.
SSL certificates are essential for the following:
In layman’s terms, encryption is a way of concealing information by scrambling it and making it look like random bits of information.
Ideally, only the server you intend to share information with will be able to decipher the encrypted data.
This makes sharing personal data or financial information more secure, as outsiders can’t retrieve it as easily. It’s in a search engine’s best interest to direct users to secure websites, and site security has become a significant ranking factor over the years.
The SSL certificate is essential for proving that you are who you say you are and that your server hasn’t been hijacked.
This type of attack is known as a man-in-the-middle attack. A rogue party will impersonate your server and website, allowing them to steal information from anyone who connects and shares.
Your SSL certificate will prevent this by using a private key specific to your certificate and stored securely on your server.
HTTPS, or hypertext transfer protocol secured, is a communication protocol that ensures a secure connection between two systems.
When you have a properly configured SSL certificate, you can force all traffic to your website to go through HTTPS.
This means that your website will be verified, and all sessions will be encrypted. This is especially important if you are processing sensitive transactions and handling personal details such as credit card transactions, medical records, or social security numbers.
However, even if you are not processing sensitive transactions, HTTPS is essential for protecting your website visitors and promoting a better experience for internet users.
Validation Methods For Security Certificates
For an SSL certificate to work, there must be a moderate level of trust ensuring ownership of the domain the certificate is attached to. This is done in one of the following ways.
Extended Validation Certificates (EV SSL)
Extended Validation certificates provide the highest level of security and trust and are the industry standard for business websites. To receive one, website owners must meet the authentication process requirements for an OV SSL and go through an enhanced review process performed by a human specialist.
Organization Validated Certificates (OV SSL)
OV certificates are a step up from DV. These can only be issued to a registered organization and not individuals, making them more suitable for public-facing websites. To receive one, an organization must prove it owns the domain it wishes to secure and confirm that it is a legally registered business.
Domain Validation Certificate (DV SSL)
Domain Validation certificates require proof of ownership for the secured domain and are typically issued within minutes. These provide the lowest level of validation. Once installed, DV certificates show trust indicators in major browsers like the gray or green padlock symbol and the string https:// before the website domain.
Types of Certificates
There are many different kinds of certificates. Getting the right certificate type for your business or organization is crucial.
Wildcard SSL Certificates
Wildcard SSL certificates are for a single domain and all its subdomains. A subdomain is under the umbrella of the main domain. Usually, subdomains will have an address that begins with something other than ‘www.’
Multi-Domain Certificate (MDC)
A multi-domain SSL certificate, or MDC, lists multiple distinct domains on one certificate. With an MDC, domains that are not subdomains of each other can share a certificate.
Single Domain SSL Certificate
A single-domain SSL certificate applies to one domain and one domain only. It cannot authenticate any other domain, not even subdomains of the domain it is issued for. All pages on the domain will be secured.
How Do I Get an SSL Certificate?
Thankfully, most hosting service providers, including SiteGround, which we recommend to our clients, make it incredibly easy to install an SSL certificate, even without technical experience.
Traditionally, however, the way you would get and install an SSL certificate is through the following steps:
- Have the Correct Website Information
- Decide Which SSL Certificate You Need
- Choose a Certificate-Issuing Authority
- Generate a Certificate Signing Request (CSR)
- Submit the CSR to Your Certificate Authority
- Await Validation by Your Certificate Authority
- Install Your SSL Certificate
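The CSR steps from the list above can be done with the OpenSSL command-line tool; this is an added example, not part of the original article. It assumes OpenSSL 1.1.1 or later, and the domain `example.test` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. example.test and all function names are constructed for
# illustration. Requires the OpenSSL CLI, 1.1.1 or later (for -addext).

# make_csr DIR DOMAIN: write DIR/DOMAIN.key (private key, never leaves the
# server) and DIR/DOMAIN.csr (the file you submit to the CA).
make_csr() {
    dir=$1 domain=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain" 2>/dev/null &&
        chmod 600 "$dir/$domain.key"
}

# csr_signature_ok CSR: a CSR is self-signed with the new private key.
# Match on the printed verdict rather than relying on the exit status.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# csr_names CSR: the DNS names the CA is being asked to certify.
csr_names() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# csr_matches_key CSR KEY: the public key in the CSR must belong to the
# private key on the server, or the issued certificate will not work there.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo in a throwaway directory.
tmp=$(mktemp -d)
make_csr "$tmp" example.test
csr_signature_ok "$tmp/example.test.csr" && echo "signature: OK"
csr_matches_key "$tmp/example.test.csr" "$tmp/example.test.key" &&
    echo "key pair: matches"
echo "names requested: $(csr_names "$tmp/example.test.csr" | tr '\n' ' ')"
rm -rf "$tmp"
```

Only the `.csr` file goes to the certificate authority; the `.key` file stays on the server with owner-only permissions.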
If you are still confused about setting up an SSL certificate, or what kinds of certificates you need, we’d be happy to help. Contact us and schedule a time to chat.
How To Tell If A Site Has an SSL Certificate
There are two quick ways to tell if a website has a correctly configured SSL certificate.
The first thing to check for is the HTTPS at the beginning of the URL in the address bar. If you do not see HTTPS and only HTTP, know that your session is not secure.
Try adding HTTPS manually and see if the website reloads under a secure connection. If it does, the website has an SSL certificate and it is correctly configured, but the site is not forcing connections over HTTPS.
The second way is to check for the padlock next to the URL. If there is a lock icon, you know the SSL is correctly configured.
If your website is not displaying the padlock, or if it is showing as a red icon with the padlock open, you either don’t have SSL set up properly, or your certificate is misconfigured.
Why Is My Website Showing As Unsecure?
There are many potential reasons a website with an SSL certificate might be showing as unsecure.
Some of the most common issues include:
- Mixed content on pages (usually certain pages will show unsecure)
- Insufficient intermediates
- Name mismatch
- Invalid authority or untrusted root
- Date error
- Weak signature algorithm
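Three of the causes listed above (name mismatch, date error and weak signature algorithm) can be checked directly against a certificate file; this is an added example, not part of the original article. It assumes the OpenSSL command-line tool (1.1.1 or later), uses constructed self-signed test certificates under `example.test` with hypothetical function names, and its demo goes slightly beyond the text by showing how host-name matching treats a wildcard entry.

```shell
#!/bin/sh
# Added example. Certificates here are constructed, self-signed test
# certificates for names under example.test; function names are
# hypothetical. Requires the OpenSSL CLI, 1.1.1 or later.

# make_test_cert FILE DAYS SAN: throwaway certificate valid for DAYS days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -keyout "$1.key" -out "$1" -subj "/CN=constructed-test" \
        -addext "subjectAltName=$3" 2>/dev/null
}

# Name mismatch: does the certificate cover HOST? -checkhost reports the
# verdict as text, so match on that.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Date error: will the certificate still be valid SECONDS from now?
# 0 asks "is it valid right now"; a larger value gives renewal warning time.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Weak signature algorithm: read the algorithm name, flag MD5 and SHA-1.
cert_sigalg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}
sigalg_is_weak() {
    case $1 in md5*|sha1*|*SHA1) return 0 ;; *) return 1 ;; esac
}

# diagnose CERT HOST: print one finding per line; no output means clean.
diagnose() {
    cert_covers "$1" "$2" || echo "name mismatch"
    cert_valid_for "$1" 0 || echo "date error"
    sigalg_is_weak "$(cert_sigalg "$1")" && echo "weak signature algorithm"
    return 0
}

# Demo: a wildcard certificate covers one subdomain level only.
tmp=$(mktemp -d)
make_test_cert "$tmp/wild.pem" 1 'DNS:*.example.test'
for host in shop.example.test example.test a.b.example.test; do
    echo "$host: $(diagnose "$tmp/wild.pem" "$host" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

To inspect a certificate you actually serve, save it as a PEM file and pass that path to `diagnose` together with the host name visitors type.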
If you know that you have a correctly installed certificate, but you’re still receiving a message that your website is unsecure, we can help. Contact us today to solve your SSL certificate issues.
Frequently Asked Questions About What Is An SSL Certificate
To help clear up any confusion, here are answers to some of the most common questions about SSL certificates, what they are, and what purpose they serve.
What does SSL stand for?
SSL stands for secure sockets layer. This means that a connection between two systems is secured through encryption.
The best way to think about this in a non-technical way is by sending a sealed letter in the mail. By sealing the letter, the only people who know the contents are the sender and receiver.
Where are SSL certificates stored?
SSL certificates are stored on your server along with the private key. When a client accesses your servers, the private key will match the public key, verifying the identity of your server.
This helps to prevent man-in-the-middle attacks which can leave your site visitors vulnerable to identity theft and a host of other issues.
What’s the difference between HTTP and HTTPS?
HTTP stands for hypertext transfer protocol, and HTTPS, as you may be able to guess, adds secure to the end.
The HTTPS protocol denotes a secure connection, ensuring that all information transferred between the website and the client is encrypted.
However, simple HTTP connections mean that information is being transferred in plain text, leaving it vulnerable to intruders.
How much do SSL certificates cost?
SSL certificates can range from free options offered by companies like Let’s Encrypt to paid certificates.
If you opt for a paid certificate, prices generally range from as low as $5 for a very basic domain verification certificate all the way up to $1,000. For most paid certificates, you will pay around $50 – $60.
The benefit of paid certificates is that they provide more trust for clients, as they verify your business and identity, whereas free certificates only verify your domain.
Can an SSL Be Used on Multiple Servers?
An SSL certificate can be used on multiple servers, and doing so is common practice with larger websites.
Many larger websites will load balance among multiple servers, making it essential that the SSL certificate is also available on each server.
There is more than one way to do this. However, the SSL certificate must only be used in connection with the same domain on all servers.
What happens when an SSL certificate expires?
When your SSL certificate expires, your website users will no longer be able to communicate over an encrypted HTTPS connection.
Instead, all information will be transmitted as plain text, leaving it open to hackers or anyone else listening in on your network.
Users will also receive a message telling them the connection to your website is not secure and recommending that they return to the previous page, which discourages visitors from using your site.
Is it possible to get a free SSL certificate?
It is possible to get a free SSL certificate from certificate providers such as Cloudflare and Let’s Encrypt.
Free SSL certificates provide the same level of encryption as paid SSL certificates. The primary difference is they only validate the ownership of the domain.
Paid certificates actually validate a business’s identity and can be a better option if you are running an E-Commerce business or similar website where customers will share valuable data.
What happens if you don’t have an SSL certificate?
If you don’t have an SSL certificate, your website will work just fine. The SSL certificate does not directly impact the performance of your site.
However, visitors and prospective customers to your website will likely be presented with a message warning them of potential risks if they visit your site. They will be told to either go back or avoid sharing sensitive data.
There is also the increased risk of your website being a target for hackers and malware that can impact your user experience and, ultimately, your search engine rankings.
What Is An SSL Certificate: Final Thoughts
Don’t put off setting up SSL for your website. The last thing you want is visitors seeing an ugly message saying your website is unsecure and to turn around. Not only does this reflect poorly on you, but it also sends visitors right towards your competition.
For E-Commerce sites and business websites especially, having the right kinds of certificates properly configured is essential for protecting your customers’ data and providing assurance to users. You don’t want to be a business known for lax security or, worse, a data breach.
If you are a website owner having issues with installing or correctly configuring your SSL certificate, feel free to reach out so you can have your certificate up and running and your customers’ data secure.