What the heck are these SSL certificates?

In my previous post, published some time back, I explained a few important security concepts for your web service. Here I explain how to apply those security measures to your website to provide a more secure user experience.

So by now you should be familiar with the terms SSL and TLS and with how important they are for an enterprise-level product. Here comes another important term: the certificate.

[Image: an HTTPS-secured web service]

What the heck are these digital SSL certificates?

Types of SSL Certificates by Validation Level

1. Domain Validated SSL Certificates

The Certificate Authority (CA) checks the right of the applicant or organization to use a specific domain name. While you can be sure that your information is encrypted, you cannot be sure who is truly at the receiving end of that information.

2. Organization Validated SSL Certificates

The CA checks the right of the applicant to use a specific domain name and also conducts some evaluation of the organization. This gives enhanced visibility into who is behind the site, and correspondingly greater trust.

3. Extended Validation Certificate

The CA checks the right of the applicant to use a specific domain name and also conducts a thorough background check of the organization. This is carried out according to a standard procedure ratified by the CA/Browser Forum in 2007.

You can read more on this at https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate

Types of SSL Certificates by Number of Domains

1. Single domain: one domain name

This certificate secures a single domain name. If you only have a website without subdomains, this type of certificate is adequate.
Example : www.wildlife.com

2. Wildcard: unlimited subdomains

This certificate secures a domain name and all its subdomains. If your website is distributed over several of your subdomains, this type of certificate allows you to secure your entire platform with a single certificate.
Example : www.birds.wildlife.com, www.reptiles.wildlife.com

3. Multi-domains: multiple domain names

Multi-domain certificates, also called Subject Alternative Name (SAN) certificates, are used to secure multiple domain names. These certificates are ideal for securing multiple names across different domains and subdomains. If you have several different websites, this is the simplest option, as you use only one certificate.
Example : www.wildlife.com, www.ceylonwildlife.lk, www.birds.wildlife.com

How to get your certificate?

  • In your web browser
    When you visit a website over HTTPS (e.g. Facebook), your web browser receives the SSL certificate for the website. It examines the contents of the certificate to see that it is indeed valid for the domain name you are trying to visit. After that, it verifies the chain of trust: it looks at who signed the certificate. If the signing certificate is a root certificate, the browser compares it against the root certificates shipped with the operating system. If it is a non-root certificate, the browser follows the chain of trust up one more level.
  • Self-signed certificates
    When using a self-signed certificate there is no chain of trust: the certificate has signed itself. The web browser will therefore issue a warning, telling you that the website's certificate cannot be verified, so you should not use self-signed certificates for professional use, as your visitors will not trust your website to be safe. Since you can generate these certificates yourself at zero cost, you can use them inside your internal network if no other partners are connected to your system; but they quickly become unmanageable once you have many clients and services that need to communicate with each other.
  • Internal CA signed certificates
    This is a certificate that you issue yourself using an internal CA that you set up for your intranet. This type of certificate can be used if your services are mostly internal. You need to ensure that all clients have the internal CA root certificate imported into their trust store.
  • External CA signed certificates
    These are certificates issued by a reputable CA such as Verisign or Entrust.net. This type of certificate should be used if your services are external facing. In most cases clients are already set up to trust these external CAs, so they do not have to modify their trust store. You do not have any control over the certificate issuance process.

Let's create our SSL certificate in my next Medium post.

Thanks! :)

Senior Software Engineer | BSc (Hons) Engineering | CIMA | Autodidact | Knowledge-Seeker