SSL Certificate FAQs

SSL certificate is also called a public key identity certificate generally issued by a legitimate certificate authority. The main object of the SSL certificate is to create a secure channel between the user's browser and the web server through which the exchange of data occurs. SSL certificate secures sensitive information like credit card numbers, social security numbers, and login details in a secure environment. Thus, it establishes trust among customers and assures them to carry out online transactions with strong encryption support. CAs issue SSL certificates after checking the required information of an SSL applicant.

The information traveling between the browser and the server remains in plain text and third party or hackers can easily intercept the information. To avoid this hurdle, SSL can be a helpful protocol that encrypts ongoing information between two endpoints like the browser and the server hence; the third party cannot sniff the data. Thus, if you are online business owner then, your website must have SSL to protect sensitive information of clients and customers. Read More.

Encryption plays an essential role in SSL that uses the SHA-2 hash algorithm. The SHA-2 family includes hash values like SHA-224, 256, 384, and 512. Earlier, SHA-1 was in force, but somehow it seemed a weak algorithm against attacks. Currently, most certificate authorities offer SHA-256 encryption for the online security of transactions. The more robust encryption you use, the more your information is secured. It is because encryption creates a secure channel through which sensitive information passes.

At present, SHA-256 is used mainly in SSL certificates. Earlier, encryption was 128-bit, but now it was a weak algorithm and replaced by 256 bit encryption.

SSL certificate stands on three principles: Authenticity, Integrity, and Strong Encryption.

Authenticity: Authenticity refers to an authenticated third party that verifies the information contained in the SSL certificate.

Integrity: Integrity refers to data integrity means the data that moves between the user's browser and the server remains intact and safe.

Encryption: Strong encryption is the backbone of any SSL certificate that works on key pairs like public and private keys. The public key encrypts the information while the private key decrypts the information.

Witfield Diffie & Martin Hellman are researchers who proposed asymmetric encryption in 1977. Asymmetric encryption, also called public-key cryptography, works on two keys. One key, termed public key, is used to encrypt the information, whereas another key named private key is used to decrypt the information.

Symmetric encryption is the hoariest technique of encryption. In this method, the sender and receiver share a single key for encryption and decryption of data. Symmetric encryption is simple and faster, but the key is exchanged securely as both parties share the secret to keep information private. Therefore, Symmetric encryption is also named secret key algorithm. However, the main limitation of symmetric encryption is to share a key in a secure environment. Therefore, public-key cryptography (Asymmetric encryption) was introduced to avoid this.

Every business has different web security needs, and therefore, certificate authorities have a bunch of SSL certificates. Domain Validation, Business Validation, Extended Validation, SAN, Code Signing, and Wildcard SSL certificate are available in the SSL industry.

According to CA/browser forum guidelines, an SSL certificate can be issued for 13 months (397 days). But SSL certificates are issued yearly; therefore, the SSL provider offers up to five years of validity.

You can order an SSL certificate from CA or the reseller website. SSL order process is a simple process that includes steps like:

• Choose SSL product you wish to buy or renew
• Now, provide technical and contact information
• Provide payment details and complete the process
• Submit CSR details while ordering an SSL certificate
• Finally, you will get email contains SSL Certificate and site seal file
• Install on your server

Validation is a crosschecking process done by a certificate authority (CA), and it depends on the type of certificate request. Before approving the application of an SSL seeker/ website owner, the CA verifies domain ownership that extent to checking of government records legal and business documents of an SSL applicant. After verifying the details, the CA issues an SSL certificate to the website owner.

Public key is a part of Public Key Infrastructure (PKI) and encrypts the information that travels between the browser and the server. A public key is included in the SSL certificate and shared among web browsers.

Private Key is a part of Public Key Infrastructure (PKI) used to decrypt the earlier encrypted information with Public Key. Private Key remains on the server and is never shared with anyone.

CSR (Certificate Signing Request) is a block of ciphertext created on the server. While ordering an SSL certificate, send CSR to the certificate authority. Before generating the CSR, the SSL applicant must create key pair (public and private key) and keep the private key secret. The CSR includes information like FQDN name (for example, mydomain.com), business/organization, town/city, organization unit, email address, country.

The role of CSR (certificate signing request) is essential in getting an SSL certificate. CSR generation includes organization address, location, desired common name, state, organization department, etc. The CA considers that details while issuing an SSL certificate.

An SSL certificate is issued after checking an existing business's background. However, if the certificate authority mis-issues the certificate to the wrong entity, an SSL warranty can offer financial protection against such mis-issuance. Warranty amount of SSL varied up to $1750K amount for various SSL certificates.

The root certificate is a part of public key infrastructure and is issued by the trusted root certificate authority. A certificate authority issues multiple certificates in a tree structure, and the root certificate is on the top of this structure. The private key of a root certificate signs other certificates. All other certificates (intermediate certificates) rely on the trustworthiness of a root certificate. All operating systems and browsers have trusted root Certificates.

The intermediate certificate works as a substitute for the root certificate. CAs keep keys of root certificate secret to hide from attackers and use the intermediate certificate to sign SSL certificates. If the root certificate is compromised, the whole certificate structure will be useless. An intermediate certificate is placed between the root certificate and the issued SSL certificate. Thus, it creates a chain of trust that starts from root certificate travel through intermediate certificate and ends its cycle with an issued SSL certificate.

Some certificate authorities do not have a Trusted Root CA certificate embedded in browsers. In this situation, Trusted Root CA issues a certificate to such third-party certificate providers to let browsers recognize their certificates. This certificate is recognized as a chained root SSL certificate and acts as an intermediate root certificate. When a user installs the certificate issued on FQDN, he needs to install this intermediate certificate. If this chain is destroyed, browsers will not trust your certificate.

There is no limit on other types of certificate orders.

SSL certificates carry more than 99% browser compatibility means their root certificates are installed in major browsers to avoid unwanted SSL warnings and offer a smooth browsing experience.

The price of SSL certificates depends upon their types of validation. Generally, the price varies from $5.00 to $927.20 per year.

SSL site seal comes free of cost with a legitimate SSL certificate. Site seal offers additional assurance to customers and shows that the website is secured with a reliable SSL certificate. The website owner can place it on any web page or page where higher assurance is required.

SSL padlock is a security symbol that appears in browsers when a user visits an SSL secured website. Once a user clicks on the padlock, view the certificate information.

A free SSL certificate is the best option for a newbie unaware of different SSL functions & practices. It is given for a one-month trial period, after which a website owner can go with paid SSL certificate.

The enterprise may have different subdomains, so it can be costly if the enterprise purchases individual certificates. Therefore, Wildcard certificate is worth considering an option that secures unlimited subdomains with a single certificate and offers smooth certificate management. For example, *.mydomain.com can secure mail.mydomain.com, sales.mydomain.com, www.mydomain.com. A single asterisk (*) allows an enterprise to secure as many subdomains they want.

Extended Validation (EV) is also called green bar certificate that carries the highest authenticity and offers robust protection over the web. Ecommerce, Banks, financial, payment merchants, social media sites, and others prefer EV SSL certificates. It turns a browser into a green address bar on which the company name is displayed. EV SSL follows a rigorous verification process, including checking the physical legal existence of the business. Where higher assurance is needed, an EV certificate is an ideal option.

Business Validation verifies the domain ownership as well as proves business identity. Business validation establishes business existence over the web by checking business-related documents. Business validation does comply with robust verification than domain validation. Such a certificate provides an extra level of confidence to customers and visitors.

EV (Extended Validation) SSL offers the highest trustworthiness to websites and customers by complying lengthy and strict validation process. Once you get EV SSL, the address bar turns into a green bar that shows the company name for additional assurance. Customers put trust in websites that have a green address bar. EV SSL also protects users against phishing as the legitimate authority has verified the website with rigorous validation.

The Green Address bar signifies the highest authentication when a website is secured with an extended validation certificate. In addition, it shows the company name on the green bar, giving customers and visitors confidence about website reliability.

There are numerous reasons responsible for not showing a green padlock in the browser:

• Perhaps your SSL certificate is issued with an old algorithm like the SHA-1 algorithm.
• If any HTTP file is served on an HTTPS page, the system admin must update those elements.
• If the intermediate certificate file is invalid or not installed, your browser will not show a green bar. You can ask the SSL provider to send the intermediate certificate.
• If your certificate is expired self-signed, you can contact the SSL provider to solve this issue.

SAN (Subject Alternative Names) is ideal for protecting multiple domains. However, the enterprise can have higher costs if it purchases individual certificates when they have to secure more than one domain. To solve this issue, CAs offers SAN or multi-domain certificate that saves an enterprise's cost and strong encryption. An enterprise can secure up to 100 SANs during certificate lifetime.

UCC (Unified Communications Certificate) is ideal for Microsoft Exchange Server 2003/2007/2010/2013, Microsoft Communication Server 2007/2010, Live Communication server 2007, and shared environment. UCC certificate can secure communications on different domains under a single certificate; thus, the certificate reduces administrative costs.

The multi-Domain certificate is a perfect SSL solution for enterprises that want to secure multiple domains under a single SSL certificate. However, different CAs have their norms regarding SANs limits. For example, Comodo offers up to 100 SANs, while GeoTrust offers 25 SANs with a single SAN certificate.

Code signing certificate secures software code and allows developers to make their code authenticate. When any code is signed with the Code signing certificate, the code is not altered since it is signed. The certificate provides trust about the software identity and content of the code. Such certificate is ideal with Microsoft Authenticode, Mac OS, Java, Adobe Air, and MS Office.

Many websites are tempted to use self-signed certificates rather than third-party legitimate certificate authority's certificates. However, browsers do not accept the self-signed certificate as it is not from a legitimate CA. Therefore, individuals or enterprises who wish to get the certificate have to create and sign the desired certificate called a Self-Signed certificate.

A certificate revocation means the trusted CAs have canceled the certificate and are no longer trusted now. If the SSL certificate is revoked, the browser shows a warning message while visiting the website. The reasons for certificate revocation may vary, like mis-issuance of the certificate, counterfeit certificate, and compromise of the private key.

Google has just announced that HTTPS-enabled websites will have a higher chance of ranking in search engines. For now, it will affect less than 1% of global queries, but over time, Google will boost it. Thus, SEO (Search Engine Optimization) can take advantage by pushing their little efforts towards their websites and could get a high ranking in Google search engine. Moreover, the HTTPS website gets higher assurance and trust from customers; there are chances of higher sales in the long run.

Once you take SSL for your website, it is necessary to manage it; otherwise, there may be a chance of certificate expiry. Once the certificate is expired, the browser will show an untrusted certificate warning. An expired certificate may lead to a decline in website traffic. SSL certificate management takes care of certificate installation, renewal, updating of certificate information. It is necessary to renew the SSL certificate on time to avoid browser warnings.

Always-On SSL refers to the security of the whole website structure means the first page to the last page of the website is secured with an SSL certificate. When you have Always-On SSL, users will feel secure on your website. It also prevents Sidejacking and SSL strip attacks. Therefore, Always-On SSL helps increase user trust as every website page is secured.

Browsers keep the CRL list (certificate revocation list) to check regularly about revoked certificates. The CA updates the CRL list to check any revoked certificate status. If the certificate is canceled or revoked (not expired), the browser shows a warning of the untrusted certificate. The CA signs the CRL to avoid certificate tampering.

ECC is an alternative option of the RSA algorithm. ECC carries faster, shorter keys and consumes fewer computer resources. However, the key size increases to provide maximum protection by the time the key size increases, which puts an extra burden on the computer system. As a result, the ECC algorithm came into force with more minor keys; for example, the 3072-bit RSA key is equal to the 256-bit ECC key. Take note that both RSA and ECC keys offer the same security.

FQDN (Fully Qualified Domain Name) refers to the common name on which the CA issues the certificate. FQDN comprises both the hostname and the domain name, for example, mymail.yourdomain.com, in which hostname is "my mail" and the domain name is yourdomain.com.

Mixed content error is an inevitable error, which means that the website is serving on HTTPS, but some website files like scripts, images, videos are running on HTTP. When your website has mixed content issues, it displays security warnings to users. Move all HTTP-related files to HTTPS in the HTML log to avoid this error.

In 1998, the project OpenSSL was introduced, and it is a software library that aims to protect application communication against snooping and sniffing. It also confirms the identity of relevant parties. Furthermore, it allows open-source implementation of SSL/TLS protocols and offers a free set of encryption tools for the web.

Phishing is a mimic of the original website, made to fool users and steal their money and credentials. While issuing Extended Validation (EV) SSL, the CA authenticates the background of an organization like physical location, operational and legal existence. Thus, The CA issues an SSL certificate to the domain name for which the application was received instead of any fake domain name. Furthermore, even EV SSL triggers green color in the address bar with the company name, ensuring that the website is authentic and legitimate.

Vulnerability Assessment helps identify the weakness in a web application, database, servers, and network devices. Vulnerability Assessment gives deep insight into the threat landscape and simplifies risk management by applying remediation steps. Vulnerability assessment comes free of cost with DigiCert secure site with EV, DigiCert secure site pro, and DigiCert secure site pro with EV certificate. You can weekly schedule website scan to detect vulnerabilities. After that, you will have an actionable report showing critical vulnerabilities with its solution.

Norton Secured Seal comes free of cost with DigiCert SSL certificates and is mostly displayed seal in the security world. It is believed that around 90% of visitors get assurance about the website once they see the Norton seal during the checkout process. The Norton Secured seal scans for malware and vulnerability and alerted the owner regarding any malicious activities on the website.

In case of loss of your private key, you can get a private key from your backup or contact your SSL provider. Otherwise, you can create CSR and reissue your certificate.

No, you don’t need a unique IP address for SSL certificate. At present, SNI has mitigated requirement of a unique IP address.

In changing provider/server, you have to export the private key and certificate file from the old server; otherwise, you have to recreate the CSR and reissue the certificate.

CheapSSLShop is a global SSL provider and deals with reputed SSL certificate authorities (CAs) like DigiCert, GeoTrust, Thawte, GlobalSign, Comodo, and RapidSSL. We sell SSL certificates at a 70% lower price and pass considerable discounts to our customers by offering the same certificate quality. Our SSL order process includes easy steps.

A certificate authority (CA) is a trusted body that issues and manages digital certificates to companies individuals for their online security. CheapSSLShop is a global provider of certificates from leading CAs like Comodo, RapidSSL, Thawte, GlobalSign, GeoTrust, and DigiCert. CheapSSLShop believes in a safe world and strives to fulfill the need for diversified businesses' online security.

SSL certificate cannot be issued for the internal domain, but it can be issued for external FQDN (Fully Qualified Domain Name).

If you have not received an email for Domain Control Validation, you can recheck the email address specified while ordering the certificate. You can also check your spam folder for the mail. You can request to alter the registrant email address specified in the WHOIS record or suggest domain-based emails like Admin@domain.com, Administrator@domain.com, Hostmaster@domain.com, Postmaster@domain.com, and Webmaster@domain.com.

You could contact the SSL provider if you missed the verification call. You can rearrange the phone call at your available time.

If the phone number is outdated, you must contact your SSL provider for further process.

You should send validation documents to your SSL provider as the CA must verify the documents.

The certificate authority has an automatic system that verifies the details of the certificate requester for any fraudulent purpose. For example, if any information is found against CA's defined terms or similar company names, the certificate authority shows Failed Security Review.

First, you should check your spam folder for a received certificate or check the store account to download the issued certificate.

You have to regenerate the CSR if it has something incorrect.

If you have enrolled the certificate on the wrong common name, you have to regenerate the CSR and reissue the SSL certificate with the correct common name.

In case of deleting the Private Key, you have to regenerate the CSR and reissue the SSL certificate.

To install an SSL certificate on multiple servers, you can import a private key, intermediate certificate, and primary certificate on new servers. Otherwise, you can generate the CSR on new servers and private keys and reissue the current SSL certificate.

You can use old CSR with the same private key, but it seems to have a security disadvantage. You should generate a new CSR to renew a certificate to avoid this issue.