Website Security Certificates (SSL Certificates)

Understand the difference between Extended Validation, Organisation Validation and Domain Validation certificates, and the advantages of SSL for your business.

Contact SuttonNet to order the right SSL certificate for your needs.

What Does SSL Do for You?

Secure Data Transmission

SSL is the acronym for Secure Sockets Layer. It is the Internet standard security technology used to establish an encrypted (or safe) link between a web server (website) and your browser (e.g. Internet Explorer, Chrome or Firefox).

This secured link ensures that the data passed from your web browser to the web server remains private, meaning safe from hackers or anyone else trying to spy on or steal that information.

SSL is used by millions of websites to protect and secure any sensitive or private data that is sent through their website. One of the most common things SSL is used for is protecting a customer during an online transaction. It also protects passwords that anyone uses on your website (e.g. logging in to a members' area, or when updating webpage content via a content management system).

Setting Up an SSL Secure Connection

Why Get an SSL Certificate?

Establishing a secured SSL connection on a web server requires an SSL Certificate to be properly installed. When completing the process to activate SSL on the web server, there are questions to verify the identity of your domain name and your company. The Certificate acts as a check that this information is correct.

Trusted Certification Authorities (CAs) issue SSL Certificates to either legitimate companies or legally accountable individuals.

Public and Private Keys

Your web server will create two cryptographic keys: one is called the Private Key and the other is called the Public Key.

The Public Key isn't a secret. It's placed into something called a Certificate Signing Request, most commonly referred to as the CSR. The CSR is a file that contains your details. Once this CSR is generated, you can begin the SSL application process.

The Certification Authority (CA) will go through the validation process, to verify your submitted details. Once these are verified, the CA will issue an SSL Certificate with your details and allow you to use SSL.

Your web server will automatically match the CA-issued SSL Certificate to your Private Key. This means you are now ready to establish an encrypted and secure link between your website and your customer's web browser.

How will Customers Know My Site is Secure?

The SSL protocol is complex, but the complexities always remain invisible to your customers. The browser they are using simply provides them with an indicator, letting them know that their session is currently protected by SSL encryption.

Sometimes the indicator is a lock icon in the lower right-hand corner, or the addition of an 's', giving https:// rather than just http:// before your domain name in the address bar.

On high-end SSL Certificates, a key indicator is the green bar in the browser.

Clicking on the indicators will display the details of your business's SSL Certificate.

Generally speaking, SSL Certificates include and display at least one, and possibly all, of the following: your domain name, your company name, your address, your city, your state and your country.

An SSL Certificate also always shows its expiration date and, of course, the details of the Certification Authority (CA) responsible for issuing it.

How Web Browsers Use SSL Certificates

A browser connects to a secured website and retrieves the site's SSL Certificate. Then the browser follows these steps:

  1. It makes sure that the Security Certificate has not expired
  2. It checks to see if it was issued by a known Certification Authority that the browser trusts
  3. It checks that the certificate is being used by the website that it was actually issued to.

If any one of these checks fails, the browser will display a warning to the user, to let them know that this website is not secured by SSL. It says to leave or proceed with extreme caution. That is the last thing you would want to say to your potential customer!

That is why maintaining an up-to-date SSL Certificate is of high importance to any company wanting to do successful business on the web.
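The three browser checks listed above, worked through in Python on a certificate in the dictionary form that `ssl.SSLSocket.getpeercert()` returns. This is an added example, not code from the original page: the certificate, host names and CA name are constructed, and the trust step is simplified to an issuer-name lookup, whereas a real browser verifies the signature chain up to a root in its trust store.

```python
import ssl

# Constructed stand-in for the browser's root store (hypothetical CA name).
TRUSTED_ISSUERS = {"Example Trusted Root CA"}

def _common_name(name):
    """Return the commonName from a getpeercert()-style name tuple."""
    return next((v for rdn in name for k, v in rdn if k == "commonName"), None)

def _host_matches(pattern, host):
    """Exact match, or '*' standing in for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def browser_checks(cert, host, now):
    """Return the checks that fail, in the order the page lists them."""
    failures = []
    # 1. The certificate must be inside its validity period.
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        failures.append("not within validity period")
    # 2. The issuer must be a CA the browser trusts. Simplification: a name
    #    lookup stands in for verifying the signature chain to a trusted root.
    if _common_name(cert["issuer"]) not in TRUSTED_ISSUERS:
        failures.append("untrusted issuer")
    # 3. The site being visited must be one of the names the cert was issued to.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_host_matches(n, host) for n in names):
        failures.append("hostname mismatch")
    return failures

# Constructed sample certificate and clock values for the checks.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Trusted Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.shop.example.test")),
}
MID_2024 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
MID_2025 = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
```

When connecting to a live site, `ssl.create_default_context()` performs all three checks, including full chain verification, during the handshake.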

Are All SSL Certificates the Same?

The number of businesses that use SSL has increased tremendously over recent years. The reasons for which SSL is used have also multiplied, for example:

  • Some businesses need SSL simply to provide confidentiality (i.e. encryption)
  • Some businesses like to use SSL to add more trust or confidence in security and identity (they want site visitors to know that they are a legitimate company and can prove it).

In response, three different types of SSL Certificates have been established:

  1. Extended Validation (EV) SSL Certificates
  2. Organisation Validation (OV) SSL Certificates
  3. Domain Validation (DV) SSL Certificates.

Extended Validation (EV) SSL Certificates

EV Certificates are issued only when a recognised Certification Authority (CA):

  1. checks to make sure that the applicant actually has the right to the specific domain name, plus
  2. conducts a very THOROUGH vetting (investigation) of the organisation.

The issuance process of EV Certificates is standardised and is strictly outlined in the EV Guidelines, created at the CA/Browser Forum in 2007. Before issuing an EV certificate, a CA must:

  • verify the legal, physical & operational existence of the entity
  • verify that the identity of the entity matches official records
  • verify that the entity has the exclusive right to use the domain specified in the EV Certificate, and
  • verify that the entity has properly authorised the issuance of the EV Certificate.

EV Certificates are used for all types of businesses, including government entities and both incorporated & unincorporated businesses. An EV Certificate may take about 10 days to issue.

Auditing the EV Auditor

EV Audit Guidelines are used to help ensure the credibility of each Certification Authority.

These guidelines establish criteria against which a CA needs to be audited, before it is allowed to issue an EV Certificate. Audits using the EV Audit Guidelines are done every year, to ensure the integrity of the certificate issuance process.

Organisation Validation (OV) SSL Certificates

OV Certificates are issued only when a Certification Authority (CA):

  1. checks to make sure that the applicant actually has the right to the specific domain name, plus
  2. does some vetting (investigation) of the applicant organisation.

This additional vetted company information is displayed to customers when the Secure Site Seal is clicked on (in the browser address bar). This gives enhanced visibility to who is behind the website, which in turn enhances trust in the site.

An OV Certificate takes about 2 days to issue.

Domain Validation (DV) SSL Certificates

DV Certificates are issued when the Certification Authority (CA) checks to make sure that the applicant actually has the right to the specific domain name.

No company identity information is vetted. No information is displayed within the Secure Site Seal in the browser address bar, other than encryption information.

DV certificates can be issued immediately.