In the early days of the internet, all website requests and responses were transferred in “plain text.” This meant they were potentially viewable by digital eavesdroppers, making it risky to transmit things like login credentials, credit card numbers, and other sensitive personal information.
In the mid-’90s, Netscape developed a security protocol for encrypting confidential information for delivering and transferring web content. This protocol was called SSL (Secure Sockets Layer), and would later evolve into another protocol called TLS (Transport Layer Security).
While SSL and TSL differ in terms of their capabilities and architecture, they both provide security through the use of a digital technology called an SSL certificate.
What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates the identity of a website and creates an encrypted connection between a website and a browser. An SSL certificate is sometimes called an “SSL/TLS certificate” or simply a “cert.”
SSL certificates protect the identity of the remote connection and make online interactions private, ensuring that no one can read or modify content shared over the secure connection except the sender and recipient. An SSL certificate acts like a passport to verify the identity of the website owner, and like a key to keep user data secure via strong encryption.
What is an SSL certificate authority (CA)?
SSL certificates are issued by organizations called certificate authorities. A CA is a trusted third-party organization that guarantees the identity of a website. They are trusted because they are few in number, well known, and must clear high barriers to entry. There are just over 100 certificate authorities worldwide, and they are audited to be included as a trusted root by the vendors of web browsers and operating systems.
Before issuing a certificate, the CA verifies the certificate requester’s information, like site ownership, name, location, and more, according to established industry standards. The CA also digitally signs the certificate with their own private key, enabling clients to verify it. For providing this service, most CAs charge a small annual fee (although free SSL certs are available from some web hosts and nonprofit CAs).
The actual SSL certificate is a small digital file, typically a few kilobytes, that is installed on the server supporting TLS and shared with others. This file contains:
- The domain name of the site for which the cert was issued
- The organization to which it was issued (the certificate holder)
- The name of the issuing certificate authority
- The certificate authority’s digital signature
- Any associated subdomains
- The certificate issue date and expiration date
- The public key (note: The private key is not shared)
Whenever you use a browser to connect to a URL beginning with “https,” or see a green padlock icon in the browser address bar, you know that you have a secure TLS connection verified by an SSL certificate issued by a CA. Clicking on the padlock icon will display additional information about the SSL certificate, the domain owner, and the connection.
While this padlock means that your connection to the site is secure, it does not necessarily mean that the site is safe to use. That is, just because you can connect securely to a site doesn’t mean it’s not controlled by nefarious actors.
How does an SSL certificate work?
A SSL certificate uses encryption algorithms to scramble data in transit. This ensures that any data transferred between a browser and a website remains impossible for a third party to read.
Secure communication over TLS relies on two certificates—one public, and one private—to create the secure connection.
When a browser attempts to connect to a website secured with TLS, that communication is established by a “handshake,” or back-and-forth communication that only takes a few milliseconds. The steps in this handshake are:
- The client (browser) connects to the SSL-secured website (server).
- The client asks the server to identify itself.
- The server sends over a copy of its SSL certificate.
- The client examines the SSL certificate for trustworthiness and signals to the server if it passes.
- The server initiates a digitally signed agreement to start an SSL-encrypted session.
- Encrypted data now flows freely and safely between the browser and the server.
The initial handshake happens using asymmetric encryption, based on public and private keys. After validation, the client and server exchange temporary private keys, used only for the session. This allows for more efficient encryption and decryption.
Types of SSL certificates
To get the most out of SSL, you’ll want to choose the right SSL certificate. There are three types of standard SSL certificate:
- Domain validated (DV) certificate
- Organization validated (OV) certificate
- Extended validation (EV) certificate
Different SSL certificates serve different purposes, and have different costs.
Domain-validated (DV) certificate
Cost: $0–$99 per year
A DV SSL certificate involves a minimal, automated identity verification, establishing only that the owner has control over the domain or subdomain. This is usually accomplished by email.
A DV SSL certificate is the least expensive way to obtain a cert, and most free SSL certificates are of this type. However, it represents the lowest standard of website security. DV certificates are useful for blogs, individual websites, small businesses, or any site with the most basic security needs.
Organization-validated (OV) certificate
Cost: $100–$999 per year
An OV SSL certificate offers a stronger guarantee of the identity of the bearer. In order to obtain an OV certificate, the purchaser must pass nine validation checks.
This is a mid-level business certificate, and the issuing CA guarantees that the organization affiliated with the certificate is valid and in good standing. This is a good approach for businesses not conducting financial or ecommerce transactions through their site.
Extended validation (EV) certificate
Cost: $1,000+ per year
An EV SSL certificate represents the highest level of identity verification, most suitable for corporations, financial entities, and ecommerce websites. Sixteen validation checks are involved, including both legal identity and physical location.
The end user sees a green browser bar, indicating the highest level of verification, as well as additional corporate information behind the padlock.
What if you need to secure multiple domains?
A single SSL certificate secures a single domain name. However, many businesses need a solution that secures multiple domain names or subdomains. For these businesses, the SSL protocol provides two different solutions: a wildcard SSL certificate, or a multi-domain SSL certificate.
Wildcard SSL certificate
Cost: varies
Some businesses use multiple subdomains (e.g., mail.example.com, shop.example.com) to serve different functions on the same website. For these organizations, the best SSL solution is typically a wildcard SSL certificate. A wildcard SSL certificate secures a website’s primary domain, as well as any associated subdomains, reducing costs and simplifying administration.
Multi-domain SSL certificate
Cost: varies
While wildcard SSL certificates help a website owner secure subdomains within a single domain, multi-domain SSL certificates (MDC) can be used to secure multiple domain names at once. Additional domains can be added to a multi-domain cert via “subject alternative names” (SANs) without the need to acquire an additional single-domain SSL certificate. Multi-domain SSL certificates are sometimes known as unified communications certificates (UCC).
How to get an SSL certificate
The process of acquiring single- or multi-domain SSL certificates and securing user data on your website can be complex. Here’s how to do it.
- Determine the level of website security you need. Choose between DV, OV, or EV SSL. (If you have multiple domains or subdomains, you may need to add or substitute a wildcard or MDC cert.) Review your organizational needs and budget and choose the level of identity verification appropriate.
- Determine the domains and subdomains to be supported. If you have only one, you may not need to obtain a wildcard certificate.
- Choose a certificate authority/provider. For lower-end needs, you may just need to work with your web hosting provider and obtain a free cert. Multi-domain and EV certs will involve a paid relationship with a certificate authority. Shop around.
- Request a certificate from your chosen SSL provider. This generally involves filling out web forms and making payments.
- Verify ownership and other details. The CA will follow up to verify the information you submitted in your application, at a minimum requiring email verification of domain ownership.
- Obtain and install the certificate. This step depends on the CA you choose and your web platform. Generally, you will download a ZIP file containing three keys: the public key, the private key, and a certificate authority bundle. If you are working with a commercial web host, the administration console for your site will usually include tools for certificate installation. If you are working on your own hardware, closer to the operating system and web server, then follow the documentation for that environment.
- Configure other apps to use the certificate. If you intend to support SSL connections to other applications on your servers (e.g., WordPress, email, etc.), you will need to configure them to use your certificate and the TLS protocol.
- Confirm your secure connection is working. Connect to your website and/or other apps and ensure that you have a secure connection. Click on the padlock and review the information displayed in your browser.
- Submit your site(s) to search engines. Your new “https” websites are distinct from your old “http” sites. If your users rely on search engines to find you, you will need to re-submit your new https web address to those engines for indexing.
SSL certificate FAQ
Is an SSL certificate necessary?
An SSL certificate is necessary for any website requiring users to enter personal information. Even if your site isn’t handling sensitive data, SSL certificates are highly recommended: search engines penalize websites without them, and browsers warn users of unsecure websites, resulting in lost traffic.
How do I get an SSL certificate?
- Determine the level of security required.
- Determine the domains and subdomains to be supported.
- Choose a certificate authority/provider.
- Request the certificate from the chosen provider.
- Verify domain ownership and other criteria.
- Obtain and install the certificate.
What is the difference between SSL and TLS?
Transport Layer Security (TLS) is the successor to SSL. Although TLS offers some improvements over SSL, the terms are often used interchangeably. Both protocols work in the same way, using encryption to secure the transfer of data between sender and recipient.
What types of SSL certificates are there?
- Domain-validated (DV) certificate
- Organization-validated (OV) certificate
- Extended validation (EV) certificate
- Wildcard SSL certificate
- Multi-domain SSL certificate (MDC)