SSL Certificate FAQs
SSL certificates help counter threats such as spying, sniffing, and phishing because they authenticate the parties and protect information in transit between two ends (the user's browser and the web server). However, many newcomers have little knowledge of SSL practices, so we have listed the FAQs (Frequently Asked Questions) that generally come to mind when someone wants to learn about SSL certificates.
What is SSL?
SSL (Secure Sockets Layer) is a protocol designed to protect information sent over the web. Its encryption technology works on public key infrastructure (a public and a private key). SSLv3.0 was in practice but was deprecated in 2015 due to vulnerability, and TLS was introduced. TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3 versions have been in practice. The current version is TLS 1.3, which was published in 2018.
What is an SSL certificate?
An SSL certificate, also called a public key identity certificate, is generally issued by a legitimate certificate authority. The main purpose of the SSL certificate is to create a secure channel between the user's browser and the web server through which the exchange of data occurs. An SSL certificate protects sensitive information like credit card numbers, social security numbers, and login details while it is in transit. Thus, it establishes trust among customers and assures them that they can carry out online transactions with strong encryption support. CAs issue SSL certificates after checking the required information of an SSL applicant.
Why do I need an SSL certificate?
Without SSL, the information traveling between the browser and the server remains in plain text, and third parties or hackers can easily intercept it. SSL avoids this by encrypting the information in transit between two endpoints such as the browser and the server; hence, a third party cannot sniff the data. Thus, if you are an online business owner, your website must have SSL to protect the sensitive information of clients and customers.
What is the role of Encryption in SSL?
Encryption plays an essential role in SSL that uses the SHA-2 hash algorithm. The SHA-2 family includes hash functions like SHA-224, SHA-256, SHA-384, and SHA-512. Earlier, SHA-1 was in force, but it came to be seen as a weak algorithm against attacks. Currently, most certificate authorities offer SHA-256 encryption for the online security of transactions. The more robust the encryption you use, the more secure your information is. This is because encryption creates a secure channel through which sensitive information passes.
What is encryption strength?
At present, SHA-256 is used mainly in SSL certificates. Earlier, encryption was 128-bit, but that is now considered weak and has been replaced by 256-bit encryption.
What is the importance of authenticity, integrity and encryption in SSL?
SSL certificate stands on three principles: Authenticity, Integrity, and Strong Encryption.
Authenticity: Authenticity refers to an authenticated third party that verifies the information contained in the SSL certificate.
Integrity: Integrity refers to data integrity, which means the data that moves between the user's browser and the server remains intact and safe.
Encryption: Strong encryption is the backbone of any SSL certificate that works on key pairs like public and private keys. The public key encrypts the information while the private key decrypts the information.
What is Asymmetric encryption?
Whitfield Diffie and Martin Hellman are the researchers who proposed asymmetric encryption in 1977. Asymmetric encryption, also called public-key cryptography, works on two keys. One key, termed the public key, is used to encrypt the information, whereas the other key, named the private key, is used to decrypt the information.
What is Symmetric encryption?
Symmetric encryption is the oldest technique of encryption. In this method, the sender and receiver share a single key for encryption and decryption of data. Symmetric encryption is simple and faster, but the key must be exchanged securely because both parties share the secret that keeps the information private. For this reason, symmetric encryption is also called a secret key algorithm. Its main limitation is the need to share the key in a secure environment, and public-key cryptography (asymmetric encryption) was introduced to avoid this.
What types of SSL certificates are available?
Every business has different web security needs, and therefore, certificate authorities offer a range of SSL certificates. Domain Validation, Business Validation, Extended Validation, SAN, Code Signing, and Wildcard SSL certificates are available in the SSL industry.
What is the maximum validity of an SSL certificate?
According to CA/Browser Forum guidelines, an SSL certificate can be issued for 13 months (397 days). However, SSL certificates are issued yearly; therefore, the SSL provider offers up to five years of validity.
How does the SSL order process work?
You can order an SSL certificate from a CA or a reseller website. The SSL order process is simple and includes the following steps:
- Choose the SSL product you wish to buy or renew
- Provide technical and contact information
- Provide payment details and complete the process
- Submit CSR details while ordering the SSL certificate
- Finally, you will get an email containing the SSL certificate and site seal file
- Install it on your server
What is Validation in SSL?
Validation is a cross-checking process done by a certificate authority (CA), and it depends on the type of certificate requested. Before approving the application of an SSL seeker/website owner, the CA verifies domain ownership, and the check can extend to the government records and the legal and business documents of the SSL applicant. After verifying the details, the CA issues an SSL certificate to the website owner.
What is a public key?
The public key is a part of Public Key Infrastructure (PKI) and encrypts the information that travels between the browser and the server. A public key is included in the SSL certificate and shared among web browsers.
What is a private key?
The private key is a part of Public Key Infrastructure (PKI) and is used to decrypt the information previously encrypted with the public key. The private key remains on the server and is never shared with anyone.
What is the CSR?
CSR (Certificate Signing Request) is a block of ciphertext created on the server. When ordering an SSL certificate, you send the CSR to the certificate authority. Before generating the CSR, the SSL applicant must create a key pair (public and private key) and keep the private key secret. The CSR includes information such as the FQDN (for example, mydomain.com), business/organization, town/city, organization unit, email address, and country.
Why is the CSR generated?
The role of the CSR (certificate signing request) is essential in getting an SSL certificate. CSR generation includes the organization address, location, desired common name, state, organization department, etc. The CA considers those details while issuing an SSL certificate.
What is the role of the SSL warranty?
An SSL certificate is issued after checking an existing business's background. However, if the certificate authority mis-issues the certificate to the wrong entity, an SSL warranty can offer financial protection against such mis-issuance. The SSL warranty amount varies up to $1750K across the various SSL certificates.
What is root certificate?
The root certificate is a part of public key infrastructure and is issued by the trusted root certificate authority. A certificate authority issues multiple certificates in a tree structure, and the root certificate is on the top of this structure. The private key of a root certificate signs other certificates. All other certificates (intermediate certificates) rely on the trustworthiness of a root certificate. All operating systems and browsers have trusted root Certificates.
What is intermediate certificate?
The intermediate certificate works as a substitute for the root certificate. CAs keep the keys of the root certificate secret to hide them from attackers and use the intermediate certificate to sign SSL certificates. If the root certificate is compromised, the whole certificate structure will be useless. An intermediate certificate is placed between the root certificate and the issued SSL certificate. Thus, it creates a chain of trust that starts from the root certificate, travels through the intermediate certificate, and ends with the issued SSL certificate.
What is Chained root?
Some certificate authorities do not have a Trusted Root CA certificate embedded in browsers. In this situation, a Trusted Root CA issues a certificate to such third-party certificate providers to let browsers recognize their certificates. This certificate is known as a chained root SSL certificate and acts as an intermediate root certificate. When a user installs the certificate issued for an FQDN, they also need to install this intermediate certificate. If this chain is broken, browsers will not trust your certificate.
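The chain of trust described in the last three answers, as an added example that is not from the original page. It follows issuer names from the site certificate up to a trusted root and reports a missing intermediate or an untrusted self-signed certificate; it checks name chaining only, whereas real validation also verifies each signature, the validity dates, and revocation status. All certificate names below are constructed.

```python
# Constructed sample data: subject/issuer names only, no real certificates.
ROOT = "CN=Example Root CA"
INTERMEDIATE = "CN=Example Issuing CA"
TRUST_STORE = {ROOT}  # roots shipped with the browser or operating system

LEAF = {"subject": "CN=www.mydomain.com", "issuer": INTERMEDIATE}
INTERMEDIATE_CERT = {"subject": INTERMEDIATE, "issuer": ROOT}
SELF_SIGNED = {"subject": "CN=www.mydomain.com",
               "issuer": "CN=www.mydomain.com"}


def build_chain(leaf, sent_by_server, trust_store):
    """Walk issuer -> subject links from the leaf towards a trusted root.

    Returns (chain, problem): chain lists the subjects visited, and problem
    is None when the walk ended at a root found in trust_store.
    """
    by_subject = {cert["subject"]: cert for cert in sent_by_server}
    chain = [leaf["subject"]]
    current = leaf
    while True:
        issuer = current["issuer"]
        if issuer in trust_store:
            if issuer != current["subject"]:
                chain.append(issuer)
            return chain, None
        if issuer == current["subject"]:
            return chain, "self-signed and not in the trust store"
        parent = by_subject.get(issuer)
        if parent is None:
            # The server did not send the certificate that links to the root.
            return chain, "missing intermediate: " + issuer
        if parent["subject"] in chain:
            return chain, "issuer loop at: " + issuer
        chain.append(parent["subject"])
        current = parent


if __name__ == "__main__":
    cases = [
        ("full chain installed", LEAF, [INTERMEDIATE_CERT]),
        ("intermediate not installed", LEAF, []),
        ("self-signed", SELF_SIGNED, []),
    ]
    for label, leaf, bundle in cases:
        print(label, "->", build_chain(leaf, bundle, TRUST_STORE))
```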
How many certificates can one order?
There is no limit on other types of certificate orders.
What is browser compatibility in SSL?
SSL certificates carry more than 99% browser compatibility, which means their root certificates are installed in major browsers to avoid unwanted SSL warnings and offer a smooth browsing experience.
What could be the budget for an SSL certificate?
The price of SSL certificates depends upon their types of validation. Generally, the price varies from $5.00 to $927.20 per year.
What is SSL site seal?
SSL site seal comes free of cost with a legitimate SSL certificate. Site seal offers additional assurance to customers and shows that the website is secured with a reliable SSL certificate. The website owner can place it on any web page or page where higher assurance is required.
What is the SSL padlock?
The SSL padlock is a security symbol that appears in browsers when a user visits an SSL-secured website. Once a user clicks on the padlock, they can view the certificate information.
What is a free SSL certificate?
A free SSL certificate is the best option for a newbie unaware of different SSL functions and practices. It is given for a one-month trial period, after which a website owner can go with a paid SSL certificate.
What is a Wildcard certificate?
An enterprise may have many subdomains, so purchasing individual certificates can be costly. A Wildcard certificate is therefore an option worth considering: it secures unlimited subdomains with a single certificate and offers smooth certificate management. For example, *.mydomain.com can secure mail.mydomain.com, sales.mydomain.com, www.mydomain.com. A single asterisk (*) allows an enterprise to secure as many subdomains as they want.
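How a client decides whether *.mydomain.com covers a given hostname, as an added example that is not from the original page. It goes slightly beyond the answer above: the asterisk stands for exactly one label, so the bare domain and deeper names such as api.eu.mydomain.com need their own entries in the certificate. The function names and the inventory are constructed for illustration.

```python
def labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, hostname):
    """True if one certificate name (exact or wildcard) covers hostname."""
    pattern, host = labels(cert_name), labels(hostname)
    if len(pattern) != len(host):
        return False  # "*" stands for exactly one label, never zero or two
    if pattern[0] == "*":
        # Simplification: require at least two fixed labels so "*.com" is
        # rejected; real clients consult the public suffix list instead.
        return (len(pattern) >= 3 and host[0] != ""
                and pattern[1:] == host[1:])
    # A "*" anywhere else is compared literally and so never matches.
    return pattern == host


def uncovered_hosts(hostnames, cert_names):
    """Hostnames from an inventory that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Constructed inventory for the page's example domain.
INVENTORY = [
    "mail.mydomain.com",
    "sales.mydomain.com",
    "www.mydomain.com",
    "mydomain.com",          # the bare domain has no label for "*" to match
    "api.eu.mydomain.com",   # two labels deep
]

if __name__ == "__main__":
    print(uncovered_hosts(INVENTORY, ["*.mydomain.com"]))
    print(uncovered_hosts(
        INVENTORY, ["*.mydomain.com", "mydomain.com", "*.eu.mydomain.com"]))
```

Running an inventory through `uncovered_hosts` before ordering shows which extra names have to be added as SAN entries.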
What is an Extended Validation certificate?
An Extended Validation (EV) certificate, also called a green bar certificate, carries the highest authenticity and offers robust protection over the web. Ecommerce sites, banks, financial and payment merchants, social media sites, and others prefer EV SSL certificates. It turns the browser's address bar green and displays the company name on it. EV SSL follows a rigorous verification process, including checking the physical and legal existence of the business. Where higher assurance is needed, an EV certificate is an ideal option.
What is a Business Validation certificate?
Business Validation verifies the domain ownership as well as proves business identity. Business validation establishes business existence over the web by checking business-related documents. Business validation involves more robust verification than domain validation. Such a certificate provides an extra level of confidence to customers and visitors.
Why is EV SSL the most trustworthy?
EV (Extended Validation) SSL offers the highest trustworthiness to websites and customers by complying with a lengthy and strict validation process. Once you get EV SSL, the address bar turns into a green bar that shows the company name for additional assurance. Customers put trust in websites that have a green address bar. EV SSL also protects users against phishing as the legitimate authority has verified the website with rigorous validation.
How can I enable the Green Bar on my website?
The Green Address bar signifies the highest authentication when a website is secured with an extended validation certificate. In addition, it shows the company name on the green bar, giving customers and visitors confidence about website reliability.
The browser is not showing the green padlock/green bar; what should I do?
There are several possible reasons for the browser not showing a green padlock:
- Perhaps your SSL certificate was issued with an old algorithm like SHA-1.
- If any HTTP file is served on an HTTPS page, the system admin must update those elements.
- If the intermediate certificate file is invalid or not installed, your browser will not show a green bar. You can ask the SSL provider to send the intermediate certificate.
- If your certificate is expired or self-signed, you can contact the SSL provider to solve this issue.
What is a SAN SSL certificate?
A SAN (Subject Alternative Names) certificate is ideal for protecting multiple domains. An enterprise that has to secure more than one domain faces higher costs if it purchases individual certificates. To solve this issue, CAs offer a SAN or multi-domain certificate that saves the enterprise cost while providing strong encryption. An enterprise can secure up to 100 SANs during the certificate lifetime.
What is a UC Certificate (UCC)?
UCC (Unified Communications Certificate) is ideal for Microsoft Exchange Server 2003/2007/2010/2013, Microsoft Communication Server 2007/2010, Live Communication server 2007, and shared environment. UCC certificate can secure communications on different domains under a single certificate; thus, the certificate reduces administrative costs.
How many domains can I secure with a Multi-Domain (SAN) SSL Certificate?
The Multi-Domain certificate is a perfect SSL solution for enterprises that want to secure multiple domains under a single SSL certificate. However, different CAs have their own norms regarding SAN limits. For example, Comodo offers up to 100 SANs, while GeoTrust offers 25 SANs with a single SAN certificate.
What is a Code Signing certificate?
A code signing certificate secures software code and allows developers to authenticate their code. When code is signed with a code signing certificate, the signature shows that the code has not been altered since it was signed. The certificate provides trust about the software identity and the content of the code. Such a certificate is ideal with Microsoft Authenticode, Mac OS, Java, Adobe Air, and MS Office.
What is a self-signed certificate? Why is it untrusted?
A self-signed certificate is one that the individual or enterprise wishing to use it creates and signs itself. Many websites are tempted to use self-signed certificates rather than certificates from a legitimate third-party certificate authority. However, browsers do not accept a self-signed certificate because it is not from a legitimate CA.
In what situations is an SSL certificate revoked?
A certificate revocation means the trusted CA has canceled the certificate and it is no longer trusted. If the SSL certificate is revoked, the browser shows a warning message when visiting the website. The reasons for certificate revocation vary and include mis-issuance of the certificate, a counterfeit certificate, and compromise of the private key.
How does SSL help SEO?
Google has just announced that HTTPS-enabled websites will have a higher chance of ranking in search engines. For now, it will affect less than 1% of global queries, but over time, Google will boost it. Thus, those working on SEO (Search Engine Optimization) can take advantage with little effort on their websites and could get a high ranking in the Google search engine. Moreover, an HTTPS website gets higher assurance and trust from customers, so there are chances of higher sales in the long run.
Why is SSL certificate management Essential?
Once you take SSL for your website, it is necessary to manage it; otherwise, there may be a chance of certificate expiry. Once the certificate is expired, the browser will show an untrusted certificate warning. An expired certificate may lead to a decline in website traffic. SSL certificate management takes care of certificate installation, renewal, and updating of certificate information. It is necessary to renew the SSL certificate on time to avoid browser warnings.
Why is Always-On SSL required?
Always-On SSL refers to the security of the whole website structure, meaning that every page of the website, from the first to the last, is secured with an SSL certificate. When you have Always-On SSL, users will feel secure on your website. It also prevents sidejacking and SSL strip attacks. Therefore, Always-On SSL helps increase user trust as every website page is secured.
How do browsers verify the status of a revoked certificate?
Browsers keep the CRL (certificate revocation list) and check it regularly for revoked certificates. The CA updates the CRL to reflect the status of any revoked certificate. If the certificate is canceled or revoked (not expired), the browser shows a warning of the untrusted certificate. The CA signs the CRL to prevent tampering.
How can the ECC algorithm replace RSA?
ECC is an alternative to the RSA algorithm. ECC is faster, uses shorter keys, and consumes fewer computer resources. With RSA, the key size has to increase over time to provide maximum protection, which puts an extra burden on the computer system. As a result, the ECC algorithm came into use with smaller keys; for example, a 3072-bit RSA key is equal to a 256-bit ECC key. Take note that both RSA and ECC keys offer the same security.
What does FQDN stand for?
FQDN (Fully Qualified Domain Name) refers to the common name on which the CA issues the certificate. An FQDN comprises both the hostname and the domain name, for example, mymail.yourdomain.com, in which the hostname is "mymail" and the domain name is yourdomain.com.
How can Mixed Content error affect website reliability?
Mixed content error is an inevitable error, which means that the website is served over HTTPS, but some website files like scripts, images, and videos are loaded over HTTP. When your website has mixed content issues, it displays security warnings to users. To avoid this error, change all HTTP file references in the HTML to HTTPS.
What is OpenSSL?
In 1998, the project OpenSSL was introduced, and it is a software library that aims to protect application communication against snooping and sniffing. It also confirms the identity of relevant parties. Furthermore, it allows open-source implementation of SSL/TLS protocols and offers a free set of encryption tools for the web.
How does SSL protect against phishing?
A phishing site is an imitation of the original website, made to fool users and steal their money and credentials. While issuing Extended Validation (EV) SSL, the CA authenticates the background of an organization, such as its physical location and its operational and legal existence. Thus, the CA issues an SSL certificate to the domain name for which the application was received instead of any fake domain name. Furthermore, EV SSL turns the address bar green and shows the company name, ensuring that the website is authentic and legitimate.
What is a Vulnerability Assessment?
Vulnerability Assessment helps identify weaknesses in web applications, databases, servers, and network devices. Vulnerability Assessment gives deep insight into the threat landscape and simplifies risk management by applying remediation steps. Vulnerability assessment comes free of cost with DigiCert secure site with EV, DigiCert secure site pro, and DigiCert secure site pro with EV certificate. You can schedule a weekly website scan to detect vulnerabilities. After that, you will have an actionable report showing critical vulnerabilities with their solutions.
What is Norton Secured Seal?
Norton Secured Seal comes free of cost with DigiCert SSL certificates and is the most displayed seal in the security world. It is believed that around 90% of visitors get assurance about the website once they see the Norton seal during the checkout process. The Norton Secured seal scans for malware and vulnerabilities and alerts the owner regarding any malicious activities on the website.
I have accidentally deleted my "private key"; what can I do now?
If you lose your private key, you can restore it from your backup or contact your SSL provider. Otherwise, you can create a CSR and reissue your certificate.
Do I need a unique IP address to install an SSL Certificate?
No, you don't need a unique IP address for an SSL certificate. At present, SNI (Server Name Indication) has mitigated the requirement of a unique IP address.
I have changed my server/provider; how do I move the certificate?
When changing provider/server, you have to export the private key and certificate file from the old server; otherwise, you have to recreate the CSR and reissue the certificate.
Why should you buy an SSL certificate from us?
CheapSSLShop is a global SSL provider and deals with reputed SSL certificate authorities (CAs) like DigiCert, GeoTrust, Thawte, GlobalSign, Comodo, and RapidSSL. We sell SSL certificates at a 70% lower price and pass considerable discounts to our customers by offering the same certificate quality. Our SSL order process includes easy steps.
What is a Certificate Authority, and what is my relationship with them?
A certificate authority (CA) is a trusted body that issues and manages digital certificates for companies and individuals for their online security. CheapSSLShop is a global provider of certificates from leading CAs like Comodo, RapidSSL, Thawte, GlobalSign, GeoTrust, and DigiCert. CheapSSLShop believes in a safe world and strives to fulfill the need for diversified businesses' online security.
Can SSL be issued on the internal domain?
SSL certificate cannot be issued for the internal domain, but it can be issued for external FQDN (Fully Qualified Domain Name).
If I have not received my Domain Control Validation (DCV) email, what to do?
If you have not received an email for Domain Control Validation, you can recheck the email address specified while ordering the certificate. You can also check your spam folder for the mail. You can request to alter the registrant email address specified in the WHOIS record or suggest domain-based emails like Admin@domain.com, Administrator@domain.com, Hostmaster@domain.com, Postmaster@domain.com, and Webmaster@domain.com.
How to reschedule the phone verification call?
You could contact the SSL provider if you missed the verification call. You can rearrange the phone call at your available time.
How to update obsolete verified phone numbers?
If the phone number is outdated, you must contact your SSL provider for further process.
To whom do I send a validation document?
You should send validation documents to your SSL provider as the CA must verify the documents.
What does Failed Security Review mean?
The certificate authority has an automatic system that verifies the details of the certificate requester for any fraudulent purpose. For example, if any information is found against CA's defined terms or similar company names, the certificate authority shows Failed Security Review.
What if I haven't received the certificate after validation completion?
First, you should check your spam folder for a received certificate or check the store account to download the issued certificate.
My CSR is not looking perfect; what should I do?
You have to regenerate the CSR if anything in it is incorrect.
How do I change the wrong common name?
If you have enrolled the certificate on the wrong common name, you have to regenerate the CSR and reissue the SSL certificate with the correct common name.
If the "private key" is deleted, what should I do?
If the private key has been deleted, you have to regenerate the CSR and reissue the SSL certificate.
How to install an SSL certificate on more than one server?
To install an SSL certificate on multiple servers, you can import the private key, intermediate certificate, and primary certificate on the new servers. Otherwise, you can generate a new CSR and private key on the new servers and reissue the current SSL certificate.
How to renew an SSL certificate?
When you renew your SSL certificate before the expiry date, the remaining time is added to the renewed certificate. The process for renewal is the same as the one you followed when ordering a new SSL certificate.
Do I need to create a new CSR at the time of SSL certificate renewal?
You can use the old CSR with the same private key, but this seems to have a security disadvantage. To avoid this issue, you should generate a new CSR when renewing a certificate.