SSL Certificate FAQs
SSL certificates are a great way to address threats such as spying, sniffing and phishing, because they authenticate and protect the information passing between two ends (the user’s browser and the web server). However, many newcomers have little knowledge of SSL practices, so we have listed the FAQs (Frequently Asked Questions) that generally come to mind when someone wants to learn about SSL certificates.
What is SSL?
SSL (Secure Sockets Layer) is a protocol designed to protect online information over the web. It is an encryption technology that works on public key infrastructure (public and private keys). SSL creates an encrypted link between the client and the server to allow the exchange of sensitive information such as credit card numbers, social security numbers, and login details in a secure environment.
What is an SSL certificate?
An SSL certificate, also called a public key identity certificate, is generally issued by a legitimate certificate authority. The main purpose of an SSL certificate is to create a secure channel between the user’s browser and the web server through which data is exchanged. Thus, it establishes trust among customers and assures them that they can carry out online transactions with strong encryption support. CAs issue an SSL certificate after checking the required information of the SSL applicant.
Why do I need an SSL certificate?
Without SSL, the information traveling between the browser and the server remains in plain text, and third parties or hackers can easily intercept it. SSL avoids this by encrypting the information passing between two endpoints such as the browser and the server, so a third party cannot sniff the data. Thus, if you are an online business owner, your website must have SSL to protect the sensitive information of clients and customers.
What is the role of Encryption in SSL?
Encryption plays an essential role in SSL, which uses the SHA-2 hash algorithm. The SHA-2 family includes hash values such as SHA-224, 256, 384 and 512. Earlier, SHA-1 was in use, but it came to be seen as a weak algorithm against attacks. Currently, most certificate authorities offer SHA-256 encryption for the online security of transactions. The stronger the encryption you use, the more secure your information is. Encryption creates a secure channel through which sensitive information passes.
What is encryption strength?
At present, SHA-256 is used in most SSL certificates. Earlier, 128-bit encryption was used, but it was a weak algorithm and was replaced by SHA-256.
What is the importance of authenticity, integrity and encryption in SSL?
An SSL certificate stands on three principles: authenticity, integrity, and strong encryption.
Authenticity: Authenticity refers to an authenticated third party that verifies the information contained in the SSL certificate.
Integrity: Integrity refers to data integrity, meaning that the data moving between the user’s browser and the server remains intact and safe.
Encryption: Strong encryption is the backbone of any SSL certificate and works on a key pair consisting of a public key and a private key. The public key encrypts the information while the private key decrypts it.
What is asymmetric encryption?
Whitfield Diffie and Martin Hellman are the researchers who proposed asymmetric encryption in 1977. Asymmetric encryption, also called public key cryptography, works on a pair of keys: one key, termed the public key, is used to encrypt the information, while the other, named the private key, is used to decrypt it.
What is Symmetric encryption?
Symmetric encryption is the oldest technique of encryption. In this method, the sender and receiver share a single key for encryption and decryption of data. Symmetric encryption is simple and faster, but the key must be exchanged in a secure way, because both parties share a secret to keep information private; for this reason, symmetric encryption is also called a secret key algorithm. The main limitation of symmetric encryption is the need to share the key in a secure environment. To avoid this, public key cryptography (asymmetric encryption) was introduced.
What types of SSL certificates are available?
Every business has different web security needs, and therefore certificate authorities offer a range of SSL certificates. Currently, Domain Validation, Business Validation, Extended Validation, SAN, Code Signing, and Wildcard SSL certificates are available in the SSL industry.
What is the maximum validity of an SSL certificate?
According to the CA/Browser Forum guidelines, an SSL certificate can be issued for up to 39 months. However, SSL certificates are issued on a yearly basis, so SSL providers offer up to three years of validity.
How does the SSL order process work?
You can order an SSL certificate from a CA or reseller website. The SSL order process is simple and includes the following steps:
- Choose the SSL product you wish to buy or renew
- Provide technical and contact information
- Provide payment details and complete the process
- Submit CSR details while ordering the SSL certificate
- Finally, you will get an email containing the SSL certificate and site seal file
- Install it on your server
What is Validation in SSL?
Validation is a cross-checking process carried out by the certificate authority (CA), and it depends on the type of certificate requested. Before approving the application of an SSL seeker/website owner, the CA verifies domain ownership, which may extend to checking government records and the legal and business documents of the SSL applicant. After verifying the details, the CA issues the SSL certificate to the website owner.
What is a public key?
The public key is a part of Public Key Infrastructure (PKI) and encrypts the information that travels between the browser and the server. The public key is included in the SSL certificate and shared with web browsers.
What is a private key?
The private key is a part of Public Key Infrastructure (PKI) and is used to decrypt information that was earlier encrypted with the public key. The private key remains on the server and is never shared with anyone.
What is a CSR?
A CSR (Certificate Signing Request) is a block of cipher text that is created on the server. When ordering an SSL certificate, the CSR must be sent to the certificate authority. Before generating the CSR, the SSL applicant must create a key pair (public and private key) and keep the private key secret. The CSR includes information such as the FQDN (for example, mydomain.com), business/organization, town/city, organization unit, email address, and country.
Why is the CSR generated?
The CSR (certificate signing request) plays an important role in obtaining an SSL certificate. CSR generation includes details such as organization address, location, desired common name, state, organization department, etc. The CA considers these details while issuing the SSL certificate.
What is the role of the SSL warranty?
An SSL certificate is issued after checking the background of an existing business. If the certificate authority mis-issues the certificate to the wrong entity, the SSL warranty can offer financial protection against such mis-issuance. The SSL warranty amount can go up to $1750K, depending on the SSL certificate.
What is a root certificate?
A root certificate is a part of public key infrastructure and is issued by the trusted root certificate authority. A certificate authority issues multiple certificates in a tree structure, and the root certificate is at the top of this structure. The private key of a root certificate signs other certificates. All other certificates (intermediate certificates) rely on the trustworthiness of a root certificate. All operating systems and browsers have trusted root certificates.
What is an intermediate certificate?
An intermediate certificate works as a substitute for the root certificate. CAs keep the keys of the root certificate secret to hide them from attackers and use an intermediate certificate to sign SSL certificates. If the root certificate is compromised, the whole certificate structure will be of no use. The intermediate certificate is placed between the root certificate and the issued SSL certificate. Thus, it creates a chain of trust that starts from the root certificate, travels through the intermediate certificate, and ends with the issued SSL certificate.
What is a chained root?
Some certificate authorities do not have a trusted root CA certificate embedded in browsers. In this situation, a trusted root CA issues a certificate to such third-party certificate providers so that their certificates are recognized by browsers. This type of certificate is known as a chained root SSL certificate and acts as an intermediate root certificate. When a user installs the certificate issued for an FQDN, he needs to install this intermediate certificate as well. If this chain is broken, browsers will not trust your certificate.
How many certificates can one order?
There is no limit on other types of certificate order.
What is browser compatibility in SSL?
SSL certificates carry more than 99% browser compatibility, which means their root certificates are installed in major browsers; this avoids unwanted SSL warnings and offers a smooth browsing experience.
What could be the budget for an SSL certificate?
The price of an SSL certificate depends upon its type of validation. Generally, the price varies from $4 to $1200 per year.
What is an SSL site seal?
An SSL site seal comes free of cost with a legitimate SSL certificate. The site seal offers additional assurance to customers and shows that the website is secured with a reliable SSL certificate. The website owner can place it on any web page, or on every web page where higher assurance is required.
What is the SSL padlock?
The SSL padlock is a symbol of security that appears in browsers when a user visits an SSL-secured website. Once a user clicks on the padlock, he can view the certificate information.
What is a free SSL certificate?
A free SSL certificate is the best option for a newcomer who is not familiar with the different SSL functions and practices. It is given for a one-month trial period, after which the website owner can move to a paid SSL certificate.
What is a Wildcard certificate?
An enterprise may have different subdomains, so purchasing an individual certificate for each can be costly. A Wildcard certificate is therefore worth considering: it secures unlimited subdomains with a single certificate and also offers smooth certificate management. For example, *.mydomain.com can secure mail.mydomain.com, sales.mydomain.com, www.mydomain.com. A single asterisk (*) allows an enterprise to secure as many subdomains as it wants.
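The matching rule behind the *.mydomain.com example can be checked before ordering. The following is an added example, not code from this page or from any CA: it applies the single-label wildcard rule that browsers follow (RFC 6125, section 6.4.3) to a constructed host inventory, showing that the bare domain and deeper subdomains need their own certificate names. The function names and the host list are assumptions made for the illustration.

```python
"""Added example: which hostnames a wildcard certificate entry covers."""


def san_matches(san: str, hostname: str) -> bool:
    """Compare one certificate name against one hostname.

    Follows the common browser rule (RFC 6125, section 6.4.3): "*" is only
    honoured as the complete left-most label and stands for exactly one label.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in hostname or "" in host_labels:
        return False                      # not a usable hostname
    if len(san_labels) != len(host_labels):
        return False                      # "*" never spans several labels
    if san_labels[0] == "*":
        # Require at least two labels after "*" so that "*.com" is refused.
        return len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels      # no wildcard: exact match only


def coverage(san_entries, hostnames):
    """Map every hostname to the first certificate name covering it, or None."""
    return {
        host: next((s for s in san_entries if san_matches(s, host)), None)
        for host in hostnames
    }


# Constructed inventory: the three names from the FAQ answer plus three
# hostnames that a "*.mydomain.com" certificate is often assumed to cover.
CERT_SANS = ["*.mydomain.com"]
HOSTS = [
    "mail.mydomain.com",
    "sales.mydomain.com",
    "www.mydomain.com",
    "mydomain.com",                     # bare domain: no label for "*"
    "dev.mail.mydomain.com",            # two levels deep: "*" is one label
    "mail.mydomain.com.other.example",  # the suffix must match exactly
]

if __name__ == "__main__":
    for host, san in coverage(CERT_SANS, HOSTS).items():
        print(f"{host:34} {'covered by ' + san if san else 'NOT covered'}")
```

Any hostname reported as not covered needs its own entry on the certificate or a separate certificate.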
What is an Extended Validation certificate?
An Extended Validation (EV) certificate, also called a green bar certificate, carries the highest authenticity and offers strong protection over the web. Ecommerce sites, banks, financial institutions, payment merchants, social media sites and others prefer EV SSL certificates. It turns the browser’s address bar green and displays the company name on it. EV SSL follows a rigorous verification process, including checking the physical and legal existence of the business. Where higher assurance is needed, an EV certificate is an ideal option.
What is a Business Validation certificate?
Business Validation verifies domain ownership and also proves business identity. Business validation establishes the existence of the business over the web by checking business-related documents. Business validation involves stronger verification than domain validation. Such a certificate provides an extra level of confidence to customers and visitors.
Why is EV SSL the most trustworthy?
EV (Extended Validation) SSL offers the highest trustworthiness to websites and customers by following a lengthy and strict validation process. Once you get EV SSL, the address bar turns green and shows the company name for additional assurance. Customers put trust in websites that have a green address bar. EV SSL also protects users against phishing, as a legitimate authority has verified the website with rigorous validation.
How can I enable the Green Bar on my website?
The green address bar is a sign of the highest authentication and appears when a website is secured with an Extended Validation certificate. It shows the company name on the green bar, which also gives customers and visitors confidence in the website’s reliability.
The browser is not showing the green padlock/green bar; what should I do?
There are numerous possible reasons for the green padlock not showing in the browser:
- Perhaps your SSL certificate was issued with an old algorithm such as SHA-1.
- If any file is served over HTTP on an HTTPS page, the system admin has to update those elements.
- If the intermediate certificate file is invalid or not installed, your browser will not show the green bar. You can ask your SSL provider to send the intermediate certificate.
- If your certificate is expired or self-signed, you can contact your SSL provider to solve this issue.
What is a SAN SSL certificate?
A SAN (Subject Alternative Names) certificate is ideal for protecting multiple domains. An enterprise that has to secure more than one domain faces a higher cost if it purchases individual certificates. To solve this issue, CAs offer SAN or multi-domain certificates, which save cost for an enterprise while providing strong encryption. An enterprise can secure up to 100 SANs during the certificate lifetime.
What is a UC Certificate (UCC)?
A UCC (Unified Communications Certificate) is ideal for Microsoft Exchange Server 2003/2007/2010/2013, Microsoft Communication Server 2007/2010, Live Communication server 2007 and shared environments. A UCC can secure communications on different domains under a single certificate, and thus reduces administrative cost.
How many domains can I secure with a Multi-Domain (SAN) SSL Certificate?
A Multi-Domain certificate is a perfect SSL solution for enterprises that want to secure multiple domains under a single SSL certificate. Different CAs have their own norms regarding the SAN limit. For example, Comodo offers up to 100 SANs while GeoTrust offers up to 25 SANs with a single SAN certificate.
What is a Code Signing certificate?
A Code Signing certificate secures software code and allows developers to authenticate their code. When code is signed with a Code Signing certificate, it means the code has not been altered since it was signed. The certificate provides trust in the software’s identity and the content of the code. Such a certificate is ideal for Microsoft Authenticode, Mac OS, Java, Adobe Air, and MS Office.
What is a self-signed certificate? Why is it untrusted?
Many websites are tempted to use a self-signed certificate rather than a certificate from a legitimate third-party certificate authority. Browsers do not accept a self-signed certificate, as it is not from a legitimate CA. The individual or enterprise that wishes to get the certificate has to create and sign it themselves, which is why it is called a self-signed certificate.
What is the situation when an SSL certificate is revoked?
Certificate revocation means that the trusted CA has canceled the certificate and it is no longer trusted. If an SSL certificate is revoked, the browser starts to show a warning message when visiting the website. The reasons for certificate revocation vary and include mis-issuance of the certificate, a counterfeit certificate, and compromise of the private key.
How does SSL help SEO?
Google has just announced that HTTPS-enabled websites will have a higher chance of ranking in its search engine. For now, it will affect less than 1% of global queries, but over time, Google will strengthen it. Thus, SEO (Search Engine Optimization) practitioners can take advantage of this with a little effort on their websites and could achieve a higher ranking in Google search. Moreover, an HTTPS website gets higher assurance and trust from customers; as a result, there is a chance of higher sales in the long run.
Why is SSL certificate management essential?
Once you obtain SSL for your website, it is necessary to manage it; otherwise, the certificate may expire. Once the certificate has expired, the browser will show an untrusted certificate warning. An expired certificate may lead to a decline in website traffic. SSL certificate management takes care of certificate installation, renewal, and updating of certificate information. It is necessary to renew the SSL certificate on time to avoid browser warnings.
Why is Always-On SSL required?
Always-On SSL refers to securing the whole website structure, meaning that every page of the website, from the first to the last, is secured with an SSL certificate. When you have Always-On SSL, users will feel secure on your website. It also prevents sidejacking and SSL strip attacks. Always-On SSL helps to increase user trust, as every page of your website is secured.
How do browsers verify the status of a revoked certificate?
Browsers keep a CRL (certificate revocation list) and check it on a regular basis for revoked certificates. The CA updates the CRL so that the status of any revoked certificate can be checked. If the certificate is canceled or revoked (not expired), the browser shows an untrusted certificate warning. The CA signs the CRL to avoid tampering.
How can the ECC algorithm replace RSA?
ECC is an alternative to the RSA algorithm. ECC is faster, uses shorter keys, and consumes fewer computing resources. Over time, key sizes increase in order to provide maximum protection, which puts an extra burden on computer systems. As a result, the ECC algorithm came into use, as it has smaller keys; for example, a 3072-bit RSA key is equal to a 256-bit ECC key. Note that both RSA and ECC keys offer the same security.
What does FQDN stand for?
FQDN (Fully Qualified Domain Name) refers to the common name for which the CA issues the certificate. An FQDN comprises both the host name and the domain name; for example, in mymail.yourdomain.com the host name is “mymail” and the domain name is yourdomain.com.
How can a mixed content error affect website reliability?
A mixed content error is an inevitable error that occurs when the website is served over HTTPS but some of its files, such as scripts, images or videos, are loaded over HTTP. When your website has a mixed content issue, it displays a security warning to users. To avoid this error, update all HTTP file references to HTTPS in the HTML.
What is OpenSSL?
The OpenSSL project was introduced in 1998. It is a software library that aims to protect application communication against snooping and sniffing. It also confirms the identity of the relevant parties. It provides an open source implementation of the SSL/TLS protocols and offers a free set of encryption tools for the web.
How does SSL protect against phishing?
A phishing site is an imitation of the original website, made to fool users and thereby steal their money and credentials. When issuing an Extended Validation (EV) SSL certificate, the CA authenticates the background of the organization, such as its physical location and its operational and legal existence. Thus, the CA issues the SSL certificate to the domain name for which the application was received instead of any fake domain name. In addition, EV SSL turns the address bar green and shows the company name, which assures customers that the website is real and legitimate.
What is Vulnerability Assessment?
Vulnerability Assessment helps to identify weaknesses in web applications, databases, servers and network devices. It gives deep insight into the threat landscape and simplifies risk management by applying remediation steps. Vulnerability assessment comes free of cost with Symantec Secure Site with EV, Symantec Secure Site Pro, and Symantec Secure Site Pro with EV certificates. You can schedule a weekly website scan to detect vulnerabilities. After that, you will have an actionable report showing critical vulnerabilities with their solutions.
What is Norton Secured Seal?
The Norton Secured Seal comes free of cost with Symantec SSL certificates and is the most displayed seal in the security world. It is believed that around 90% of visitors are assured about the website once they see the Norton seal during the checkout process. The Norton Secured Seal scans for malware and vulnerabilities and alerts the owner to any malicious activity on the website.
What is Symantec Seal-in Search?
Symantec SSL certificates offer Seal-in-Search technology, which displays a Norton Secured Seal next to the website link shown in search engines. It helps to increase click-throughs, sales and conversions. When customers see the seal, they are more likely to deal with the website.
I have accidentally deleted my “private key”; what can I do now?
If you lose your private key, you can restore it from your backup or contact your SSL provider. Otherwise, you can create a CSR and reissue your certificate.
Do I need a unique IP address to install an SSL certificate?
No, you don’t need a unique IP address for an SSL certificate. At present, SNI has mitigated the requirement for a unique IP address.
I have changed my server/provider, how do I move the certificate?
When changing provider/server, you have to export the private key and certificate file from the old server; otherwise, you have to recreate the CSR and reissue the certificate.
Why should you buy an SSL certificate from us?
CheapSSLShop is a global SSL provider and deals with reputed SSL certificate authorities (CAs) such as Symantec, GeoTrust, Thawte, GlobalSign, Comodo and RapidSSL. We sell SSL certificates at 70% lower prices and pass huge discounts on to our customers while offering the same quality of certificate. Our SSL order process consists of easy steps.
What is a Certificate Authority and what is my relationship with them?
A certificate authority (CA) is a trusted body that issues and manages digital certificates for companies and individuals for their online security. CheapSSLShop is a global provider of certificates from leading CAs such as Comodo, RapidSSL, Thawte, GlobalSign, GeoTrust, and Symantec. CheapSSLShop believes in a safe world and strives to fulfill the online security needs of diversified businesses.
Can SSL be issued for an internal domain?
An SSL certificate cannot be issued for an internal domain, but it can be issued for an external FQDN (Fully Qualified Domain Name).
What to do if I have not received my Domain Control Validation (DCV) email?
If you have not received the email for Domain Control Validation, recheck the email address specified while ordering the certificate. You can also check your spam folder for the mail. You can request a change to the registrant email address specified in the WHOIS record, or suggest domain-based emails such as Admin@domain.com, Administrator@domain.com, Hostmaster@domain.com, Postmaster@domain.com, and Webmaster@domain.com.
How do I reschedule the phone verification call?
You can contact your SSL provider if you missed the verification call. You can rearrange the phone call for a time when you are available.
How do I update an obsolete verified phone number?
If the phone number is outdated, you must contact your SSL provider for further processing.
To whom do I send a validation document?
You should send the validation document to your SSL provider, as the CA has to verify the documents.
What does Failed Security Review mean?
The certificate authority has an automatic system that checks the details of the certificate requester for any fraudulent purpose. If any information is found to violate the CA’s defined terms or to be similar to company names, the certificate authority shows Failed Security Review.
I haven’t received the certificate after validation completion?
First, you should check your spam folder for the certificate, or check your store account, where you can download the issued certificate.
My CSR does not look right; what should I do?
You have to regenerate the CSR if anything in it is incorrect.
How do I change a wrong common name?
If you have enrolled the certificate with the wrong common name, you have to regenerate the CSR and reissue the SSL certificate with the right common name.
If the “private key” is deleted, what should I do?
If the private key is deleted, you have to regenerate the CSR and reissue the SSL certificate.
How do I install an SSL certificate on more than one server?
To install an SSL certificate on multiple servers, you can import the private key, intermediate certificate and primary certificate on the new servers. Otherwise, you can generate the CSR on the new servers along with a private key and reissue the current SSL certificate.
How do I renew an SSL certificate?
When you renew your SSL certificate prior to the expiry date, your remaining time will be added to the new renewal certificate. The renewal process is the same as the one you followed when ordering a new SSL certificate. You can renew a certificate for up to 3 years.
Do I need to create a new CSR at the time of SSL certificate renewal?
You can use the old CSR with the same private key, but this is a security disadvantage. To avoid this issue, you should generate a new CSR to renew a certificate.