De-mystifying SSL Certificates
What is SSL?
SSL stands for “Secure Sockets Layer.” It is a protocol for encrypting the traffic between a web server and a browser (its modern successor is TLS, “Transport Layer Security,” but the name “SSL certificate” has stuck). The web server has a pair of keys: a Private Key, which never leaves the server, and a Public Key, which is given out freely. Anything encrypted with the public key can only be decrypted with the matching private key, so a browser can send the server secrets that nobody else on the network can read. When you purchase an SSL certificate, the Certification Authority will ask you for a CSR (Certificate Signing Request) in order to generate your certificate. The CSR is generated on the server that holds the Private Key (your hosting company will produce it for you if you’re on a shared server) and contains the Public Key together with the domain and organization details. After the Certification Authority validates those details, it issues a certificate that binds your Public Key, and therefore your Private Key, to your domain name. A certificate contains:
- domain name
- company name
- expiration date
- identity of the Certification Authority that issued the certificate
When a browser connects to a secure site, it checks that the certificate has not expired, that it was signed by a Certification Authority the browser trusts, and that the domain in the certificate matches the domain the user is trying to visit. If any of these checks fails, the browser will flag the user with a warning or refuse to load the site.
Why use an SSL Certificate?
When do you need an SSL Certificate?
If your site stores sensitive information about customers and/or processes financial transactions, you need a security certificate. If your site asks for credit card details of any kind, it definitely must be secured. A site that collects nothing sensitive can technically do without one, but today HTTPS is the norm for every site: it also protects logins, session cookies and the integrity of the pages you serve, and current browsers label plain-HTTP pages as “Not secure.” As an aside, if you ever visit a website that asks for your credit card information and the address does not start with “https” (or the browser warns about the certificate), it is NOT safe to complete the transaction and you should leave the site without entering payment information.
Where can you purchase an SSL Certificate?
You can purchase an SSL certificate from a hosting company that also resells security services, such as GoDaddy. It is definitely easiest to set up a certificate through the hosting company, if that choice is available to you, because the setup process is typically pretty seamless. If you use a hosting company, such as Rackspace Cloud, that does not sell certificates, you must purchase one from a third party and install it yourself.
The following websites are just a few of the available Certification Authorities:
Here at Lucid, we typically use RapidSSL, but any of these Certification Authorities are trusted.
How do I purchase an SSL?
To get an SSL certificate, simply purchase one from a Certification Authority. The first portion of the purchase form is easy – the Authority will ask you for simple information such as:
- domain name
- technical contact info
Eventually, you will need to prove that you control the domain in question, and thus have the right to purchase the certificate. This is where things can get tricky. The classic method is that the Certification Authority does a WHOIS lookup for the domain, finds the registered owner on file, and emails a confirmation link to that address; the purchase is not complete until someone clicks it. This step can be difficult if you are unsure who has access to the email address on file, and harder still if the domain is registered privately, in which case the owner’s address is hidden from the WHOIS lookup. Most Certification Authorities therefore also accept a confirmation sent to a fixed address at the domain itself (admin@, administrator@, webmaster@, hostmaster@ or postmaster@), or let you prove control by publishing a specific DNS TXT record or a specific file on the website; if the WHOIS route is blocked, use one of those instead.
How do I install an SSL?
Once it’s been purchased, the certificate must be installed on the web server. Installing typically requires a developer’s assistance. Simply provide the developer with the certificate (which the Certification Authority typically emails to the technical contact along with the purchase receipt), and the developer will install it from there. Most Certification Authorities also send an intermediate certificate; it has to be installed alongside yours, or some browsers will not be able to build a trusted chain and will warn the user. Instructions vary by Certificate Issuer and hosting server; RapidSSL publishes its own, with separate versions for Microsoft IIS and Tomcat users.
An experienced developer may also install a security certificate directly on a non-shared (Apache) server. The steps are below:
1. Set up a directory to store the key and certificate (the examples below assume /etc/apache2/ssl; any directory readable only by root will do).
2. Generate a new private key (the -des3 option encrypts it with a passphrase you choose):
openssl genrsa -des3 -out www.domain.com.key 2048
3. Generate a new CSR from that key. You will be prompted for the organization details; the Common Name must be the exact hostname users will type (www.domain.com):
openssl req -new -key www.domain.com.key -out www.domain.com.csr
4. Submit the contents of www.domain.com.csr to the Certification Authority and complete the domain validation described above.
5. Create the certificate file (www.domain.com.crt) in the directory from step 1 and paste in the PEM certificate the Certification Authority sent, the block from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. Save any intermediate certificate they supplied to a second file (intermediate.crt).
6. Update the virtual host file. Add a Listen directive for port 443, the port for HTTPS connections (it must also be open on the firewall), and a virtual host that enables SSL and points at the key and certificate:
Listen 443
<VirtualHost *:443>
ServerName www.domain.com
ServerAdmin [email protected]
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.domain.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domain.com.key
CustomLog /var/www/domain.com/logs/access.log combined
</VirtualHost>
If the Certification Authority supplied an intermediate certificate, add SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt inside the same block.
7. Check the configuration, then restart Apache and enter the key passphrase if asked:
sudo apachectl configtest
sudo apachectl -k restart
Because the key from step 2 is passphrase-protected, Apache will ask for the passphrase on every restart, which breaks unattended reboots. If that is a problem, remove the passphrase (openssl rsa -in www.domain.com.key -out www.domain.com.key) and make sure the key file is readable only by root.
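The following script is an added example, not code from the original post or from RapidSSL. It runs the key, CSR and certificate steps above against a throwaway local CA that stands in for the real Certification Authority, then performs the three checks a browser makes (trusted issuer, validity period, hostname match) and the check an installer should make before restarting Apache (the certificate really belongs to the private key on disk). It needs the openssl command-line tool; the hostname www.example.com, the CA name and the temporary working directory are assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Exercises the key -> CSR -> certificate
# flow with a local stand-in CA, then runs the checks a browser and an installer make.
# HOST, the CA name and WORK are demo assumptions; requires the openssl CLI.
set -eu

HOST="${HOST:-www.example.com}"
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Steps 2-3 of the post. The key is left unencrypted here (no -des3) so the script
# runs unattended; -subj supplies the fields that "openssl req" would prompt for.
gen_key_and_csr() {
  openssl genrsa -out "$HOST.key" 2048 2>/dev/null
  openssl req -new -key "$HOST.key" -out "$HOST.csr" \
    -subj "/C=US/O=Example Inc/CN=$HOST"
}

# Step 4 stand-in: a self-signed root signs the CSR. A real CA validates domain
# control first; the signing operation itself is the same.
demo_ca_issue() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
    -keyout ca.key -out ca.crt -subj "/CN=Demo Test CA" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
  openssl x509 -req -in "$HOST.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -extfile san.ext -out "$HOST.crt" 2>/dev/null
}

# Installer check: the RSA modulus inside the certificate must equal the modulus of
# the private key Apache will load. A mismatch (wrong key file, or a CSR generated on
# another machine) is the usual cause of "key does not match certificate" errors.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" | openssl dgst -sha256)
  c=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256)
  [ "$k" = "$c" ]
}

# Browser-style check: chains to a trusted CA (ca.crt here, the browser's store in
# real life), is within its validity period, and names the requested host.
# Returns 0 only when all three pass.
browser_would_accept() {
  openssl verify -CAfile ca.crt -verify_hostname "$1" "$HOST.crt" >/dev/null 2>&1
}

# Renewal check: returns 0 if the certificate will still be valid $1 seconds from now.
valid_for_seconds() {
  openssl x509 -checkend "$1" -noout -in "$HOST.crt" >/dev/null
}

gen_key_and_csr
demo_ca_issue
key_matches_cert "$HOST.key" "$HOST.crt" && echo "certificate matches $HOST.key"
browser_would_accept "$HOST" && echo "accepted for $HOST"
browser_would_accept "shop.example.com" || echo "rejected for shop.example.com: name mismatch"
valid_for_seconds 86400 && echo "still valid tomorrow"
```

Against a real certificate, replace ca.crt in browser_would_accept with the intermediate certificate the Certification Authority sent (openssl verify -untrusted intermediate.crt, with the system root store) and run key_matches_cert on the files named in SSLCertificateFile and SSLCertificateKeyFile before restarting Apache; valid_for_seconds is the check to put in a cron job so a renewal is never missed.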