An SSL certificate, also known as a public key certificate, is a cryptographic file installed on your web server that helps establish secure, encrypted online communication. SSL certificates serve two major purposes:
When a visitor attempts to connect to your website over the internet, both communicating parties—client and server—validate one another's identity through a series of steps before establishing a connection and sharing information. This process is called an SSL handshake. It is also during this process that a session key is generated, which provides symmetric encryption of the particular session after both parties have successfully authenticated one another.
Listed below is the sequence of steps that take place in the background during an SSL handshake:
The client sends the server a request to establish a connection, including a list of its compatible cipher suites and SSL/TLS versions.
The server receives the request, checks the offered cipher suites and SSL/TLS versions, and chooses a mutually compatible cipher suite and version from the list. The server also sends its certificate, which contains its public key.
The client receives the certificate, extracts the public key, generates a new key called the "pre-master key," encrypts it with that public key, and sends it to the server.
The server decrypts the pre-master key using its private key.
Both the server and the client now use the pre-master key to compute a shared secret called the session key (a symmetric encryption key).
The client sends a test message that’s encrypted with the session key to the server.
The server receives the message, decrypts it using the session key, and sends an acknowledgement that’s also encrypted using the session key back to the client, requesting to initiate the session.
The session begins and both the client and server use the session key to encrypt their communication during the rest of the session.
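As an added illustration (not code from the original article), the following Python script models steps 8 through 10 using the TLS 1.2 RSA key-exchange formulas from RFC 5246: both sides expand the pre-master secret and the two hello nonces into the same session keys, and the client's "test message" (the Finished message) is a MAC over the handshake transcript that the server recomputes and compares. The nonces, pre-master secret and transcript are constructed stand-ins, and the RSA encryption and decryption of the pre-master secret (steps 6 and 7) is assumed to have already happened.

```python
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5): HMAC chained over A(i)."""
    out, a = b"", seed                                    # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_session_keys(pre_master, client_random, server_random, key_len=16):
    """Step 8: pre-master secret -> 48-byte master secret -> client and server write keys."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 2 * key_len)
    return master, block[:key_len], block[key_len:]


def finished_verify_data(master, label, transcript):
    """Steps 9-10: the 'test message' is 12 bytes of PRF output over the transcript hash."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def simulate_handshake(pre_master, client_random, server_random, transcript, seen_by_server=None):
    """Each side derives keys on its own; the server then checks the client's Finished."""
    c_master, c_key, _ = derive_session_keys(pre_master, client_random, server_random)  # client
    s_master, s_key, _ = derive_session_keys(pre_master, client_random, server_random)  # server
    if (c_master, c_key) != (s_master, s_key):
        return False
    client_finished = finished_verify_data(c_master, b"client finished", transcript)
    seen = transcript if seen_by_server is None else seen_by_server  # tampering shows up here
    expected = finished_verify_data(s_master, b"client finished", seen)
    return hmac.compare_digest(client_finished, expected)


if __name__ == "__main__":
    # constructed stand-ins for the real handshake values (steps 6-7 assumed done)
    ok = simulate_handshake(b"\x03\x03" + os.urandom(46), os.urandom(32), os.urandom(32),
                            b"ClientHello|ServerHello|Certificate|ClientKeyExchange")
    print("session established:", ok)
```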
SSL certificates are usually signed and issued by trusted third-party entities called certificate authorities (CAs) before browsers will trust the legitimacy of your website. Once you've installed an SSL certificate on your web server, your website will leverage the HTTPS protocol to secure all communication with its visitors. Read on to find out how you can set up SSL on your website and the benefits an HTTPS-activated site can have on your brand image.
To begin, you should research what type of certificate will fit your web application. Here are some important criteria you'll have to consider:
Level of trust: Commercial CAs offer three types of certificates, each involving a different level of vetting of your organization:
Domain-validated (DV) certificates
This type of certificate secures and encrypts a particular domain name by validating the legitimacy of the domain owner.
Organization-validated (OV) certificates
This type of certificate is generated after trusted CAs vet the organization requesting the certificate, so it provides a greater level of brand credibility for end users than a domain-validated certificate does.
Extended-validation (EV) certificates
This type of certificate provides the highest level of security, and involves rigorous vetting of the organization requesting the certificate. The vetting is done as per the rules laid down by the CA/Browser Forum. Having an EV SSL on your website activates the address bar and displays your organization’s name in the browser's omnibox. EV certificates are generally used by major online retailers and banks as well as organizations that intend to build immediate trust with their end users.
Number of domains: Depending on the number of domains you want to secure with an SSL certificate, you can categorize certificates into the following three types:
Single domain certificates:
These certificates allow users to secure a fully qualified domain name over a single certificate. For instance, a single domain certificate for the domain name www.yourdomain.com will secure all the webpages on www.yourdomain.com/. This type of certificate is ideal for small and medium-sized businesses managing a limited number of webpages on their site.
Multi-domain certificates:
Multi-domain certificates, also referred to as SAN certificates, utilize Subject Alternative Names (SANs) to secure up to 100 distinct domain names, subdomains, or public IPs over a single certificate. Another notable advantage of these certificates is that they don't require dedicated IP addresses for the host names and can be installed on a single IP address.
Wildcard certificates:
These certificates can secure an unlimited number of subdomains of a top-level domain (TLD), and are a great option for organizations that manage multiple pages on the same domain. While this type of certificate is highly effective for cost-cutting and easy management, one big disadvantage is that revoking the certificate on one subdomain will revoke it on all other subdomains as well.
Apart from these two major criteria, you should also take issuance speed, pricing, customer support, and other factors into consideration when choosing an SSL certificate for your organization’s website.
Once you've chosen the right type of certificate for your web application, you have to raise a certificate request to a third-party CA and deploy the certificate on your corresponding web server. This is done by generating and sending a Certificate Signing Request (CSR) to the CA; once the CA validates your domain, it issues the certificate.
On the other hand, you can also set up an in-house CA within your network such as the Microsoft Certificate Authority, and request and deploy certificates to servers within your network. However, this method is best suited for internal web applications and not for public-facing websites, as commercial browsers don't trust self-signed certificates.
Generate a CSR:
Generating a CSR is the first step in requesting an SSL certificate from a third-party CA. Usually generated on the same server on which the certificate will be installed, the CSR is a cryptographic file that contains details about your organization and domain name, as well as a public key. The CSR is signed with the corresponding private key, which stays on your server.
Validate your domain:
After you have submitted the CSR to a third-party CA, the CA will start validating your domain. The validation process depends on the type of certificate you've requested and the issuing body. For instance, if you've requested a DV SSL, the validation process is pretty simple; the CA might verify your organization’s email or check the domain registrar's records. On the other hand, the validation procedure for OV and EV SSLs is more rigorous and involves a background check of your organization's identity.
Installation and final steps:
Once the validation process is complete, the CA issues the certificate, which you then install on your end servers. The installation procedure varies by server type. After a successful installation, restart the server for the certificate to take effect.
You should also scan your SSL certificates post-deployment to ensure there aren't any configuration vulnerabilities and that the chain of trust they provide is intact.
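The following Python checker is an added example (not part of the article or of Key Manager Plus) of the post-deployment scan described above, applied to the certificate types from the earlier section: it takes a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, reports expiry within a configurable window, and checks that a subject alternative name covers the hostname, with a wildcard matching exactly one label. SAMPLE_CERT, its names and its dates are constructed values.

```python
import ssl


def hostname_matches(pattern, hostname):
    """Wildcard covers exactly one label: *.example.com matches www.example.com only."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if p[0] == "*":
        return len(p) == len(h) and p[1:] == h[1:]
    return p == h


def covered_names(cert):
    """DNS subject alternative names; the CN alone is not honoured by modern browsers."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def expiry_seconds(cert):
    """notAfter as seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def check_certificate(cert, hostname, now, min_days=30):
    """Return findings for one deployed certificate; an empty list means it passes."""
    findings = []
    days_left = (expiry_seconds(cert) - now) / 86400
    if days_left < 0:
        findings.append("expired")
    elif days_left < min_days:
        findings.append(f"expires in {days_left:.0f} days")
    if not any(hostname_matches(name, hostname) for name in covered_names(cert)):
        findings.append(f"no SAN covers {hostname}")
    return findings


SAMPLE_CERT = {  # constructed; same shape as ssl.SSLSocket.getpeercert()
    "subject": ((("commonName", "www.yourdomain.com"),),),
    "subjectAltName": (("DNS", "www.yourdomain.com"), ("DNS", "*.yourdomain.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    import time
    for host in ("www.yourdomain.com", "api.yourdomain.com", "a.b.yourdomain.com"):
        print(host, check_certificate(SAMPLE_CERT, host, time.time()) or "OK")
```

On a live server the same dictionary comes from getpeercert() on a socket wrapped with ssl.create_default_context(), which also refuses certificates that don't chain to a trusted root.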
The whole process of setting up SSL, from CSR generation to deployment on endpoint servers, can be done manually. However, as the number of certificates grows, it becomes daunting for IT administrators to keep the process streamlined and error-free. Security professionals highly recommend that enterprises adopt a centralized approach to managing the certificate life cycle, to prevent the risk of unexpected expiration and privilege misuse.
SSL, without a doubt, forms the sole foundation of website security. That said, there are also quite a few other benefits your organization can reap from setting up SSL on its websites.
Google announced HTTPS as a ranking signal back in 2014 and since then, sites with HTTPS protection have enjoyed a boost in search engine ranking over HTTP sites.
Since HTTPS sites are positioned higher in search engine results, they’re likely to produce better conversion rates than sites served over plain HTTP.
As an indication of security, browsers display a padlock icon in the omnibox (address bar) for HTTPS sites, which helps visitors know they’re on a trustworthy site.
Apart from marking HTTPS sites as secure, browsers also show security warnings for HTTP sites, which can greatly bring down a brand's credibility.
So, what are you waiting for? Make the switch to HTTPS if you haven't already and centralize the management of the SSL certificate life cycle right away.
Experience a smooth transition to HTTPS and centralize SSL certificate life cycle management with Key Manager Plus.
Key Manager Plus is integrated with ManageEngine’s Password Manager Pro to provide a unified privileged identity management platform.
"ManageEngine’s Key Manager Plus enables us to stay on top of SSL certificates for all of our websites. With Key Manager Plus, we’re able to monitor which certificates are nearing expiration and roll out new certificates in a timely manner." Ken Odibe, Senior cloud infrastructure consultant, Sapphire Systems.