SSL Certificate FAQs

SSL certificate is also called public key identity certificate that is generally issued by a legitimate certificate authority. The main object of SSL certificate is to create a secure channel between the user’s browser and the web server through which the exchange of data is taken place. Thus, it establishes trust among customers and assures them to carry online transactions with strong encryption support. CAs issue SSL certificate after checking the required information of an SSL applicant. Read more.

The information traveling between the browser and the server remains in plain text and third party or hackers can easily intercept the information. To avoid this hurdle, SSL can be a helpful protocol that encrypts ongoing information between two endpoints like the browser and the server hence; the third party cannot sniff the data. Thus, if you are online business owner then, your website must have SSL to protect sensitive information of clients and customers. Read More.

Encryption plays an essential role in SSL that uses SHA-2 hash algorithm. The SHA-2 family includes hash values like SHA-224, 256, 384 and 512. Earlier, SHA-1 was in force but somehow it seemed weak algorithm against attacks. Currently, Most of certificate authorities offer SHA-256 encryption for online security of transactions. The stronger encryption you use, the more your information is secured. Encryption creates a secure channel through which sensitive information passes.

At present, SHA-256 is used in mostly SSL certificates. Earlier, 128-bit encryption was used but it was weak algorithm and replaced by SHA-256.

SSL certificate stands on three principles: Authenticity, Integrity, and Strong Encryption.

Authenticity: Authenticity refers to an authenticated third party that verifies the information contained in SSL certificate.

Integrity: Integrity refers to data integrity means the data that moves between the user’s browser and the server remains intact and safe.

Encryption: Strong encryption is a backbone of any SSL certificate that works on key pair like public key and private key. Public key encrypts the information while the private key decrypts the information.

Witfield Diffie & Martin Hellman are researchers who proposed asymmetric encryption in 1977. Asymmetric encryption also called public key cryptography works on a pair of two keys in which one key termed public key that is used to encrypt the information where another key named private key is used to decrypt the information.

Symmetric encryption is the hoariest technique of encryption. In this method, sender and receiver shares a single key for encryption and decryption of a data. Symmetric encryption is simple and faster but the key should be exchanged in secure way as both parties shared secret to keep information private therefore, Symmetric encryption is also named secret key algorithm. The main limitation of symmetric encryption is to share a key in secure environment. To avoid this public key cryptography (Asymmetric encryption) was introduced.

Every business has different web security needs and therefore, certificate authorities have bunch of SSL certificates. Currently, Domain Validation, Business Validation, Extended Validation, SAN, Code Signing, Wildcard SSL certificate available in SSL industry.

According to CA/browser forum guideline, SSL certificate can be issued for maximum 2 years. But SSL certificates are issued on yearly base therefore, SSL provider offers up to three year validity.

You can order SSL certificate from CA or reseller website. SSL order process is a simple process that includes steps like:

• Choose SSL product you wish to buy or renew
• Now, provide technical and contact information
• Provide payment details and complete the process
• Submit CSR details while ordering SSL certificate
• Finally, you will get email contains SSL Certificate and site seal file
• Install on your server

Validation is a crosschecking process done by certificate authority (CA) and it depends on type of the certificate request. Before approving application of a SSL seeker/ website owner, the CA verifies domain ownership that may extent to checking of government records, legal and business documents of an SSL applicant. After verifying the details, the CA issues SSL certificate to the website owner.

Public key is a part of Public Key Infrastructure (PKI) and encrypts the information that travels between the browser and the server. Public key is included in SSL certificate and shared among web browsers.

Private Key is a part of Public Key Infrastructure (PKI) used to decrypt the information that was earlier encrypted with Public Key. Private Key remains on the server and never shared with anyone.

CSR (Certificate Signing Request) is a block of cipher text that is created on the server. While ordering SSL certificate CSR should be sent to certificate authority. Before generating the CSR, SSL applicant must create key pair (public and private key) and keep private key secret. The CSR includes information like FQDN name (for example, mydomain.com), business/organization, town/city, organization unit, email address, country.

The role of CSR (certificate signing request) is important in getting SSL certificate. CSR generation includes details of organization address, location, desired common name, state, organization department, etc. The CA considers that details while issuing SSL certificate.

It is true that SSL certificate is issued after checking background of existing business. If the certificate authority mis-issues the certificate to wrong entity, SSL warranty can offer financial protection against such mis-issuance. SSL warranty amount can be varied up to $1750K amount for various SSL certificates.

Root certificate is a part of public key infrastructure and issued by the trusted root certificate authority. A certificate authority issues multiple certificates in a tree structure and the root certificate is on the top of this structure. The private key of a root certificate signs other certificates. All other certificates (intermediate certificates) rely on trustworthiness of a root certificate. All operating systems and browsers have trusted root Certificates.

Intermediate certificate works as a substitute of root certificate. CAs keep keys of root certificate secret to hide from attackers and use intermediate certificate to sign SSL certificates. If the root certificate is compromised, the whole certificate structure will be of no use. Intermediate certificate is placed between the root certificate and the issued SSL certificate. Thus, it creates a chain of trust that starts from root certificate travel through intermediate certificate and ends its cycle with issued SSL certificate.

Some certificate authorities do not have a Trusted Root CA certificate embedded in browsers. In this situation, Trusted Root CA issues a certificate to such third-party certificate providers to let their certificates be recognized by browsers. This type of certificates is recognized as a chained root SSL certificate and act as intermediate root certificate. When a user installs the certificate issued on FQDN, he needs to install this intermediate certificate. If this chain is destroyed, browsers will not trust your certificate.

There is no limit on other types of certificate order.

SSL certificates carry more than 99% browser compatibility means their root certificates are installed in major browsers that avoid unwanted SSL warning and offer smooth browsing experience.

The price of SSL certificates depend upon its types of validation. Generally, the price varies from $7.00 to $1129.50 per year.

SSL site seal comes at free of cost with legitimate SSL certificate. Site seal offers additional assurance to customers and shows that the website is secured with reliable SSL certificate. Website owner can place it on any web page or every web page where higher assurance is required.

SSL padlock is a symbol of security that appears in browsers when a user visits SSL secured website. Once a user click on the padlock, he can view the certificate information.

Free SSL certificate is the best option for a newbie who is not aware about different SSL functions & practice. It is given for one-month trial period after which a website owner can go with paid SSL certificate.

Enterprise may have different sub domains so if enterprise purchases individual certificate then it can be costly. Therefore, Wildcard certificate is worth considering option that secures unlimited sub domains with a single certificate as well offers smooth certificate management. For example, *.mydomain.com can secure mail.mydomain.com, sales.mydomain.com, www.mydomain.com. A single asterisk (*) allows enterprise to secure as many sub domains they want. Read More.

Extended Validation (EV) is also called green bar certificate that carries highest authenticity and offers strong protection over the web. Ecommerce, Banks, financial, payment merchant, social media sites and others prefer EV SSL certificate. It turns browser into green address bar on which the company name is displayed. EV SSL follows a rigorous verification process including checking of physical, legal existence of business. Where higher assurance is needed, EV certificate is an ideal option. Read More.

Business Validation verifies the domain ownership as well proves business identity. Business validation establishes business existence over the web by checking business related documents. Business validation does comply with strong verification than domain validation. Such certificate provides extra level of confidence to customers and visitors. Read more.

EV (Extended Validation) SSL offers highest trustworthiness to website and customers by complying lengthy and strict validation process. Once you get EV SSL, the address bar turns into green bar that shows company name for additional assurance. Customers put trust in websites that has green address bar. EV SSL also protects users against phishing as legitimate authority has verified the website with rigorous validation. Read More.

Green Address bar is a sign of highest authentication when a website is secured with extended validation certificate. It shows company name on the green bar that also gives customers and visitors a confidence about website reliability.

There are numerous reasons responsible for not showing green padlock in browser:

• Perhaps your SSL certificate is issued with old algorithm like SHA-1 algorithm.
• If any HTTP file is served on HTTPS page, then system admin has to update those elements.
• If the intermediate certificate file is invalid or not installed, your browser will not show green bar. You can ask SSL provider to send intermediate certificate.
• If your certificate is expired, self-signed, you can contact SSL provider to solve this issue.

SAN (subject Alternative Names) is ideal for protection of multiple domains. Enterprise can have higher cost if it goes for purchase of individual certificate, when they have to secure more than one domains. To solve this issue, CAs offers SAN or multi domain certificate that saves cost of an enterprise along with strong encryption. An enterprise can secure up to 100 SANs during certificate lifetime. Read More.

UCC (Unified Communications Certificate) is ideal for Microsoft Exchange Server 2003/2007/2010/2013, Microsoft Communication Server 2007/2010, Live Communication server 2007 and shared environment. UCC certificate can secure communications on different domains under a single certificate thus the certificate reduces administrative cost.

Multi Domain certificate is a perfect SSL solution for enterprises that want to secure multiple domains under a single SSL certificate. Different CAs have their own norms regarding SANs limit. For example, Comodo offers up to 100 SANs while GeoTrust offer up to 25 SANs limit with a single SAN certificate.

Code signing certificate secures code of software and allows developers to make their code authenticate. When any code is signed with Code signing certificate, it means the code is not altered since it is signed. The certificate provides trust about software identity and content of the code. Such certificate is ideal with Microsoft Authenticode, Mac OS, Java, Adobe Air, and MS Office. Read More.

Many websites are tempted to use self-signed certificate rather than third party legitimate certificate authority’s certificate. Browsers do not accept self-signed certificate as it is not from legitimate CA. Individual or enterprise who wishes to get the certificate have to create and sign the desired certificate called Self-Signed certificate.

A certificate revocation means the trusted CAs have canceled the certificate and are no longer trusted now. If SSL certificate is revoked, the browser starts to show warning message while visiting the website. The reasons for certificate revocation may vary like mis-issuance of certificate, counterfeit certificate, and compromise of private key.

Google has just announced that HTTPS enabled websites will have higher chance of ranking in search engine. For now, it will affect less than 1% of global queries but over the time, Google will boost it. Thus, SEO (Search Engine Optimization) can take advantage by pushing their little efforts towards their websites and could get high ranking in Google search engine. Moreover, HTTPS website gets higher assurance and trust from customers as a result; there are chances of higher sales in long run.

Once you take SSL for your website, it is necessary to manage it otherwise there may be chance of certificate expiry. Once the certificate is expired, the browser will show a warning of untrusted certificate. An expired certificate may lead to decline in website traffic. SSL certificate management takes care of certificate installation, renewal, updating of certificate information. It is necessary to renew SSL certificate on time to avoid browser warnings.

Always-On SSL refers to the security of the whole website structure means the first page to the last page of the website is secured with SSL certificate. When you have Always-On SSL, users will feel secure on your website. It also prevents Sidejacking and SSL strip attacks. Always-On SSL helps to increase user trust as every page of your website is secured. Read More.

Browsers keep CRL list (certificate revocation list) to check on regular base about revoked certificate. The CA updates CRL list to check any revoked certificate status. In case, if the certificate is canceled or revoked (not expired), the browser shows a warning of untrusted certificate. The CA signs the CRL to avoid certificate tampering.

ECC is an alternative option of RSA algorithm. ECC carries faster, shorter keys and consumes less computer resources. By the time, the key size increases in order to provide maximum protection, which puts extra burden on computer system. As a result, ECC algorithm came into force that has smaller keys for example; 3072-bit RSA key is equal to 256-bit ECC key. Take a note that both RSA and ECC keys offer the same security.

FQDN (Fully Qualified Domain Name) refers to common name on which the CA issues the certificate. FQDN comprises both host name and the domain name for example, mymail.yourdomain.com in which host name is “mymail” and the domain name is yourdomain.com.

Mixed content error is inevitable error, which means that the website is serving on HTTPS but some files of website like scripts, images; videos are running on HTTP. When your website has mixed content issue, it displays security warning to users. To avoid this error, move all HTTP related files to HTTPS in HTML log. Read More.

In 1998, OpenSSL project was introduced and it is a software library aims to protect application communication against snooping and sniffing. It also confirms the identity of relevant parties. It allows open source implementation of SSL/TLS protocols and offers free set of encryption tools for the web.

Phishing is a mimic of the original website, made to fool users and thereby steals their money and credentials. The CA while issuing Extended Validation (EV) SSL authenticates background of organization like physical location, operational and legal existence. Thus, The CA issues SSL certificate to the domain name for which the application was received instead of any fake domain name. Even, EV SSL triggers green color in address bar with company name, which ensures customers that the website is real and legitimate.

Vulnerability Assessment helps to identify the weakness in web application, database, servers and network devices. Vulnerability Assessment gives deep insight into threat landscape and simplifies risk management by applying remediation steps. Vulnerability assessment comes at free of cost with DigiCert secure site with EV, DigiCert secure site pro, and DigiCert secure site pro with EV certificate. You can weekly schedule website scan to detect vulnerabilities. After that, you will have actionable report showing critical vulnerabilities with its solution.

Norton Secured Seal comes at free of cost with DigiCert SSL certificates and is mostly displayed seal in the security world. It is believed that around 90% visitors get assurance about the website once they see Norton seal during checkout process. The Norton Secured seal scans for malware and vulnerability and alerts the owner regarding any malicious activities on the website.

In case of loss of your private key, you can get private key from your backup or you can contact your SSL provider. Otherwise, you can create CSR and reissue your certificate.

No, you don’t need a unique IP address for SSL certificate. At present, SNI has mitigated requirement of unique IP address.

In case of changing provider/server, you have to export private key and certificate file from old server otherwise, you have to recreate the CSR and reissue the certificate.

CheapSSLShop is a global SSL provider and deals with reputed SSL certificate authorities (CAs) like DigiCert, GeoTrust, Thawte, GlobalSign, Comodo and RapidSSL. We sell SSL certificates at 70% lower price and pass huge discounts to our customers by offering same quality of certificate. Our SSL order process includes easy steps.

Certificate authority (CA) is a trusted body that issues and manages digital certificate to companies, individuals for their online security. CheapSSLShop is global provider of certificates from leading CAs like Comodo, RapidSSL, Thawte, GlobalSign, GeoTrust, and DigiCert. CheapSSLShop believe in safe world and strive to fulfill need of online security of diversified businesses.

SSL certificate cannot be issued for internal domain but it can be issued for external FQDN (Fully Qualified Domain Name).

In case, if you have not received email for Domain Control Validation, you can recheck email address specified while ordering the certificate. You can also check your spam folder for the mail. You can make request to alter registrant email address specified in WHOIS record, or suggest domain based emails like Admin@domain.com, Administrator@domain.com, Hostmaster@domain.com, Postmaster@domain.com, and Webmaster@domain.com.

You can contact SSL provider if you missed verification call. You can rearrange the phone call at your available time.

If the phone number is outdated, you must contact your SSL provider for further process.

You should send validation document to your SSL provider as the CA has to verify the documents.

The certificate authority has automatic system that verifies the details of certificate requester for any fraudulent purpose. If any information is found against CA’s defined terms or similar with company names, the certificate authority shows Failed Security Review.

First, you should check your spam folder for received certificate or you can check store account where you can download issued certificate.

You have to regenerate the CSR if it has something incorrect.

If you have enrolled the certificate on wrong common name then you have to regenerate the CSR and reissue the SSL certificate with right common name.

In case of deletion of Private Key, you have to regenerate the CSR and reissue the SSL certificate.

To install SSL certificate on multiple server, you can import private key, intermediate certificate and primary certificate on new servers. Otherwise, you can generate the CSR on new servers along with private key and reissue the current SSL certificate.

You can use old CSR with the same private key but it seems security disadvantage. To avoid this issue, you should generate a new CSR to renew a certificate.