In my previous post I explained a few important security concepts for your web service. Here I explain how to apply those measures to your website so that your users get a more secure experience.
By now you should be familiar with the terms SSL and TLS and why they matter for an enterprise-level product. Here comes another important term: the certificate.
What the heck are these digital SSL certificates?
A certificate is needed to set up a secure SSL/TLS connection between a web browser and a web server. It is a signed document (in the X.509 format) that binds a public key to a name: the domain, and for the higher validation levels also the organization behind it. The signature comes from a Certificate Authority (CA) that vouches for that binding. The server presents its certificate during the TLS handshake; the browser checks the signature and then uses the public key inside it to authenticate the server and to protect the key exchange from which the session keys are derived. So certificates are how the public keys used for authentication and key agreement are distributed and trusted. For ordinary HTTPS only the server needs a certificate; clients need only the root certificates of the CAs they trust.
Types of SSL Certificates by Validation Level
1. Domain Validation
The Certificate Authority (CA) checks only that the applicant controls the domain name, typically through a DNS record, a file served over HTTP or an email to a domain contact. Your information is encrypted and you know you are talking to whoever controls that domain, but the certificate says nothing about which company or person that is.
2. Organization Validated SSL Certificates
The CA checks the applicant's right to use the domain name and additionally verifies that the organization exists, typically against business registries, and that the applicant acts on its behalf. The verified organization name is included in the certificate, which gives users more visibility into who is behind the site and correspondingly more trust.
3. Extended Validation Certificate
The CA checks the applicant's right to use the domain name and also conducts a thorough background check of the organization's legal identity, physical address and operational existence, following the Extended Validation Guidelines ratified by the CA/Browser Forum in 2007. Note that since 2019 the major browsers no longer show the organization name in the address bar for EV certificates, so the visible difference for end users is now small.
You can read more on this at https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate
Types of SSL Certificates by Number of Domains
1. Single domain
This certificate secures one fully qualified host name. If you have only one website without subdomains, it is adequate. Strictly, only the exact name listed is covered, so a certificate for www.wildlife.com does not cover wildlife.com unless the CA adds the bare domain as a second name.
Example : www.wildlife.com
2. Wildcard: all subdomains at one level
This certificate secures a domain name and its subdomains with a single certificate; the name in the certificate is written as *.wildlife.com. If your website is distributed over several subdomains, this lets you secure the whole platform with one certificate. Two caveats matter in practice. First, the asterisk matches exactly one label, so *.wildlife.com covers birds.wildlife.com but not www.birds.wildlife.com, and browsers do not treat it as covering the bare wildlife.com unless that name is listed separately. Second, every host that serves the wildcard holds the same private key, so a compromise of any one of those hosts compromises the name of all of them.
Example : birds.wildlife.com, reptiles.wildlife.com (but not www.birds.wildlife.com)
3. Multi-domains: multiple domain names
Multi-domain certificates, also called Subject Alternative Name (SAN) certificates, secure several different names, across unrelated domains and subdomains, in one certificate. If you run several websites this is the simplest option, as you manage only one certificate. Note that modern browsers match the host name only against the SAN entries and ignore the Common Name, so technically every certificate issued today, including a single-domain one, is a SAN certificate with one or more entries.
Example : www.wildlife.com, www.ceylonwildlife.lk, www.birds.wildlife.com
How to get your certificate?
Now you understand that a certificate is required to serve your website over HTTPS. For enterprise-level websites you usually buy one from Verisign, Thawte or another certificate vendor. Certificates use a chain of trust, in which each certificate is signed (vouched for) by a higher, more trusted certificate. At the top of the chain are the root certificates owned by the CAs; these ship with your operating system or browser in its trust store. In practice your server's certificate is rarely signed by a root directly but by an intermediate CA certificate that the root has signed, and your server must send that intermediate together with its own certificate, otherwise clients cannot complete the chain.
- In your web browser,
when you visit a website over HTTPS (e.g. facebook.com), your browser receives the site's certificate, and usually the intermediates, during the TLS handshake. It first checks that the certificate is valid for the host name you typed (matching it against the Subject Alternative Name entries) and that the current date lies within the certificate's validity period. Then it verifies the chain of trust: it looks at who signed the certificate and checks that signature with the signer's public key. If the signer is a root certificate, that root must be present in the trust store shipped with the browser or operating system; if it is an intermediate, the browser follows the chain up one more level and repeats the check, until it either reaches a trusted root or runs out of certificates, in which case the connection is rejected. Browsers also check whether the certificate has been revoked, through OCSP or a revocation list.
- Self-signed certificates,
a self-signed certificate has no chain of trust: it is signed with its own private key, so anyone can produce one for any name. The browser therefore shows a warning that the website's certificate cannot be verified. Do not use them for public-facing services; visitors have no reason to trust the site, and teaching them to click through warnings makes a real man-in-the-middle attack indistinguishable from normal use. Because you can generate them yourself at no cost, they are fine inside an internal network where no external partners connect and where you can install the certificate in each client's trust store. They quickly become unmanageable, though, when many clients and services need to talk to each other, since every client must trust every service's certificate individually.
- Internal CA signed certificates
These are certificates you issue yourself from an internal CA set up for your intranet. Use them when your services are mostly internal. Every client must have the internal CA's root certificate imported into its trust store; after that it trusts any certificate the CA issues without further configuration. That also means the CA's private key must be guarded carefully: whoever holds it can issue a certificate for any host name, and all of your clients will accept it.
- External CA signed certificates
These are certificates issued by a reputable public CA such as Verisign or Entrust.net. Use them for external-facing services: clients already ship with these CAs in their trust stores, so nobody has to modify a trust store. The trade-off is that you have no control over the CA's issuance process beyond the validation it performs on you, and you depend on its procedures for renewal and revocation.
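The wildcard scope rule from the section on certificate types and the chain verification a browser performs, described just above, are easiest to see in running code. The following is an added example, not code from the original post: it uses Go's standard crypto/x509 package to mint a constructed hierarchy in memory (an internal root CA, an issuing intermediate, a server certificate whose SANs are wildlife.com and *.wildlife.com, and a separate self-signed server certificate) and then asks the verifier the questions raised in the text. The CA names, host names and the hierarchy itself are assumptions invented for the demonstration; none of the certificates are real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue mints a certificate for cn with SANs sans, signed by parentKey; parent == nil means self-signed.
func issue(cn string, sans []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial, as public CAs use
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans, // browsers match the host name against these, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the template is its own issuer (root CA or standalone server cert)
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verify does what a browser does: chain the leaf through the intermediates to a trusted root, check signatures and dates, match host to the SANs.
func verify(leaf *x509.Certificate, intermediates, roots []*x509.Certificate, host string) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: host}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// demoPKI is the constructed (not real) hierarchy: internal root CA -> issuing CA -> wildcard server cert, plus a self-signed server cert.
type demoPKI struct{ root, inter, leaf, selfSigned *x509.Certificate }
// must is a demo-only shortcut; building the constructed PKI only fails if the RNG does.
func must(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
	if err != nil {
		panic(err)
	}
	return c, k
}
func buildDemoPKI() demoPKI {
	root, rootKey := must(issue("Wildlife Internal Root CA", nil, true, nil, nil))
	inter, interKey := must(issue("Wildlife Issuing CA", nil, true, root, rootKey))
	leaf, _ := must(issue("wildlife.com", []string{"wildlife.com", "*.wildlife.com"}, false, inter, interKey))
	self, _ := must(issue("www.wildlife.com", []string{"www.wildlife.com"}, false, nil, nil))
	return demoPKI{root, inter, leaf, self}
}

type trustCheck struct {
	Scenario string
	Trusted  bool
}
func runChecks(p demoPKI) []trustCheck {
	chain, trusted := []*x509.Certificate{p.inter}, []*x509.Certificate{p.root}
	return []trustCheck{
		{"wildcard covers one label: birds.wildlife.com", verify(p.leaf, chain, trusted, "birds.wildlife.com") == nil},
		{"wildcard does not cover two labels: www.birds.wildlife.com", verify(p.leaf, chain, trusted, "www.birds.wildlife.com") == nil},
		{"server did not send the intermediate", verify(p.leaf, nil, trusted, "birds.wildlife.com") == nil},
		{"root CA absent from the client trust store", verify(p.leaf, chain, nil, "birds.wildlife.com") == nil},
		{"self-signed certificate, not imported", verify(p.selfSigned, nil, trusted, "www.wildlife.com") == nil},
		{"self-signed certificate imported into trust store", verify(p.selfSigned, nil, []*x509.Certificate{p.selfSigned}, "www.wildlife.com") == nil},
	}
}

func main() {
	for _, c := range runChecks(buildDemoPKI()) {
		fmt.Printf("%-62s trusted=%v\n", c.Scenario, c.Trusted)
	}
}
```

Run it with go run; each scenario prints trusted=true or trusted=false. Only the first and the last come out trusted: the one-label wildcard match through a complete chain to a root in the trust store, and the self-signed certificate once it has been imported into that store. The verifier is handed an explicit, possibly empty, root pool on purpose, which is what makes the missing-root and missing-intermediate cases fail deterministically; a nil pool would fall back to the operating system's trust store.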
Let's create our SSL certificate in my next Medium post.