SSL (Secure Sockets Layer) certificate is a type of digital certificate that binds a cryptographic key to the details of an organization. It's used to secure credit card transactions, data transfer, and logins, and more recently is becoming the norm when securing browsing of social media sites.



SSL certificates bind together:

A domain name, server name, or hostname.
An organizational identity (i.e., company name) and location.
When installed on a web server, it activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser. SSL is typically used to secure credit card transactions, data transfer and logins, and more recently is becoming the norm when securing browsing of social media sites.

Operationally, this is what happens when you visit a website that has an SSL certificate installed:

Your browser connects to a secured website (https://).
The website sends your browser its SSL certificate.
Your browser checks whether the certificate is valid:
If the certificate is out-of-date, improperly configured, or not in the list of trusted Certificate Authorities (CAs), your browser will show a warning and recommend not continuing to the web page.
If the certificate is valid and trusted, your browser generates a symmetric session key, encrypts it with the public key in the website's certificate, and sends it back to the server.
The server decrypts the message with its private key and extracts the symmetric session key.

The server and the browser now encrypt and decrypt all transmitted data with the session key. This allows a secure, encrypted connection.

Types of SSL Certificates
Domain Validation (DV SSL) Certificates: These types of certificates are checked against the domain registry. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal. DV SSLs are fully supported and share the same browser recognition with OV SSL, making this certificate an ideal choice for a standard-sized, non-ecommerce driven website.

Organization Validation (OV SSL) Certificates: These certificates, in addition to domain ownership, validate some aspects of the organization such as the name and location. This provides a higher level of security and lets customers know they can trust your server with their personal information.

Extended Validation (EV SSL) Certificates: These provide the highest level of security. EV SSL Certificate requirements involve a rigorous vetting process that verifies the legitimacy of the company and the individual applying for the SSL Certificate. Once installed, this certificate shows your company name and location in green in the URL bar, offering an easy and reliable way to verify the site's identity.


SSL Certificates essentially serve two main functions:

Encryption - It secures the connection between a web server and a user's web browser by encrypting the data that is sent and received. Encryption is the process of scrambling data into an undecipherable format that can only be returned to a readable format with the proper decryption key.

Authentication - It verifies the identity of the owner of the website and the issuer of the certificate.

Below are more detailed aspects of SSL Certificates:

Certificate Authorities (CAs)

SSL Certificates are issued by Certificate Authorities (CAs). The CA is responsible for validating all information that the certificate will contain, such as the organization's details and domain ownership. Notable CAs include DigiCert, Comodo, GoDaddy, Symantec, and Let's Encrypt.

Public and Private Keys

An SSL Certificate consists of a pair of keys – one private and one public. They create a pair because what one key encrypts, only the other can decrypt. The private key remains a secret and is kept on the web server. The public key, as the name implies, is made publicly available through the SSL certificate and can be used by anyone to encrypt the data. However, the encrypted data can only be decrypted with the website's private key.

Certificate Signing Request (CSR)

In order to get an SSL certificate from a CA, a CSR must first be sent. A CSR is a block of encoded text that is given to a CA when applying for an SSL certificate. It usually contains the public key, the identity of the applicant, and additional information.

Types of SSL Certificates

As mentioned earlier, certificates can be categorized based on validation level and the number of secured domains or subdomains.

Three types of SSL certificates based on validation level:

Domain Validation (DV SSL): A low-level validation where only domain ownership needs to be verified. It's issued fast and doesn't have any company information in the certificate details.

Organization Validation (OV SSL): Medium level validation. Apart from domain validation, additional vetting of the organization is conducted.

Extended Validation (EV SSL): High-level validation where, apart from domain validation, rigorous screening of the organization is conducted according to globally standardized identity verification processes. The green bar in the browser URL bar is an example of an EV SSL.

SSL Certificates based on the number of secured domains or subdomains:

Single Name SSL Certificates: Secures one fully qualified domain name or subdomain name.

Wildcard SSL Certificates: Secures one fully qualified domain name and an unlimited number of its subdomains.

Unified SSL Certificates / Multi-Domain SSL (MDC) Certificates: Can secure several domain names in one go.

SHA (Secure Hash Algorithm)

When SSL certificates are issued, they use a specific hash algorithm during the signing process. As of 2021, SHA-2 is the most common, but older certificates may use SHA-1.

SSL/TLS Protocol Version

SSL v1 was never publicly released. Version 2 was the first public release but it had major flaws. SSL v3 was a complete rewrite, and was widely adopted but it is now considered insecure due to the POODLE vulnerability.

TLS v1.0 was an upgrade from SSL v3.0, TLS v1.1 and TLS v1.2 introduced some improvements and fixes. TLS 1.3, vastly different from TLS 1.2, removed many older cryptographic functions, resulting in a faster, more secure system.

As of my knowledge cutoff in September 2021, the latest version in wide usage is TLS 1.3, and the use of earlier versions such as SSL v2, SSL v3, and even early TLS versions has been discouraged due to known vulnerabilities.

Mixed content warning

Even if your site has an SSL Certificate, you may receive a "mixed content" warning if your web pages are serving HTTP content on a HTTPS page. This dilutes the security of the HTTPS page. You need to ensure all content is being served over HTTPS.

Renewal

SSL certificates have a set validity period and need to be renewed to maintain the SSL-secured status of the website. The CA that issues the certificate will usually send a reminder to the certificate holder to renew the certificate before it expires.


The Process of Obtaining an SSL Certificate

Generate a Certificate Signing Request (CSR): A CSR is a block of encoded text containing the public key that will eventually be included in the certificate. The server's private key, which should remain securely on the server at all times, is used to generate this CSR. The CSR also contains the domain name (common name), organization name, location, etc.

Apply to a Certificate Authority with the CSR: The next step is to submit this CSR to a trusted CA. Depending on the type of certificate (DV, OV, or EV), you will need to provide different levels of information about your organization.

Verification and Issuance: The CA will verify the information in the CSR, as well as some external aspects. If everything checks out, the CA issues an SSL certificate containing your public key and other organizational information. The certification is digitally signed by the CA's private key.

Installation of the Certificate: Once the CA issues the certificate, you can install it on your server. The server can now establish encrypted connections using the SSL/TLS protocol.

SSL Certificate Lifecycle Management

Managing SSL Certificates efficiently is a fundamental part of lifecycle management. SSL certificate lifecycle management includes keeping track of issuing, renewing, rekeying and revoking certificates. Many entities use automated systems to streamline management tasks and avoid human error or oversight, including certificate expiry leading to website downtime or vulnerability to attacks.

Potential SSL Certificate Vulnerabilities

Weak cryptographic algorithms: Older SSL/TLS versions or certificates using weakened cryptographic algorithms can be a potential vulnerability.

Self-signed Certificates: While creating self-signed certificates is technically possible, they are not trusted by default by browsers. Users would see security warnings, and the site may be more susceptible to Man-In-The-Middle (MITM) attacks.

Missing Intermediate Certificates: Although a server certificate may be correctly installed, if the correct intermediate certificates are not present, this will cause a certificate validation error when the client cannot link the site's server certificate up to a trusted root certificate.

Expired Certificates: SSL certificates have a limited lifespan. By forgetting to renew your certificates, you expose your users to interruptions (their browsers will display a warning), and risk severe harm to your reputation.

Non-Unique Certificates: To ensure the uniqueness of SSL certificates, the serial number of each certificate must be unique amongst all certificates issued by the same CA.

Wildcard/ SAN Mismanagement: Wildcard and Subject Alternative Name (SAN) certificates help secure multiple subdomains or domains with a single certificate. But if mismanaged or implemented poorly, they can expose all linked domains or subdomains to risk if one is compromised.


Asymmetric Encryption and SSL/TLS

When a client (for example, a web browser) attempts to establish a secure connection with a server, they conduct what's known as an SSL/TLS handshake, which proceeds in the following stages:

Hello: The client sends a "client hello" message that lists cryptographic algorithms, or "cipher suites," that it supports. The message also contains a random byte string that is used in subsequent computations. The server replies with a "server hello" message of its own with a similar random byte string.

Server Certificate: The server sends its SSL certificate. The client then verifies the certificate based on its list of trusted CAs. If the verification is successful, it extracts the server's public key from the certificate for the key exchange process.

Key Exchange: The client creates another random byte string, the "premaster secret." It encrypts this with the server's public key and sends it back to the server. Both server and client use the premaster secret and the byte strings sent in the "Hello" messages to compute the symmetric session key, which is used for encryption and decryption during the ongoing communications.

Handshake Finish: The client sends a "Finished" message, encrypted with the session key. The server will respond with its own "Finished" message, also encrypted with the session key. If both messages are successfully decrypted, the SSL/TLS handshake is completed, and the secure connection is established.

Through this process, SSL/TLS uses the server's SSL certificate to enable the secure transmission of information through confidentiality (encryption), integrity, and identity authentication.

Validation Levels of SSL Certificates

There are three primary validation levels used by CAs to issue certificates:

Domain Validation (DV): The simplest and quickest level of validation, typically automated. The CA checks the right of the applicant to use a specific domain name. The CA needs to ensure that the person requesting a certificate for a domain controls that domain.

Organization Validation (OV): This involves a higher level of security than DV. The CA validates the right of the applicant to use a specific domain name PLUS it conducts some vetting (validation) of the organization.

Extended Validation (EV): The highest level of security. The process of obtaining an EV certificate is much more stringent. The certifying authority conducts a thorough investigation of the company requesting the certificate to verify that they are a legitimate and legal entity, and the business is required to have a physical presence and a verified business record.

The Role of Browsers and SSL

In order for the client (browser) to trust the SSL certificate that the server sends, the certificate must be issued by a Certificate Authority that is included in the browser's trust store, an in-built list of trusted CAs. Major browsers have their own trust stores, such as Microsoft's Trusted Root Certificate program for Internet Explorer and Edge, and Mozilla's program for Firefox. If a browser encounters an SSL certificate from a CA not in its trust store, it will issue a warning to the user that the connection might not be trusted.


Here are some detailed aspects of SSL certificates:

Components of an SSL Certificate:
An SSL certificate consists of:

Public Key: This is used for encryption of data. It encodes the information into an unreadable format, which can only be read using the matching private key.

Private Key: This is securely stored on the server and is used for decryption of data. It ensures that the encrypted information, encoded using the associated public key, can be turned back into its original format.

Subject: This contains the certificate owner's details like domain name, company name, address, city, state, and country.

Issuer: The certificate authority that issues the SSL certificate.

Serial Number: Used by the certificate authority to track the certificate.

Validity Period: The lifespan of the certificate, after which it must be renewed.

How SSL Certificates Work:
When a client (e.g., a web browser) tries to initiate a connection with a server that has an SSL certificate, it performs what's known as an SSL/TLS handshake, which involves several key steps:

The client requests a connection and presents a list of supported cipher algorithms and hashing functions.

The server responds with its certificate and encryption settings.

The client verifies the server's SSL certificate with the certificate authority that issued it. If the certificate is self-signed or signed by an unknown or untrusted certificate authority, the client may present a warning to the user.

The client and server then generate session keys for the secured connection.

The encrypted session is established and data is transferred securely.

SSL Certificate Types:
Multiple certificate types can serve different purposes:

Single-Domain SSL Certificates: These secure only one fully-qualified domain name or subdomain name.

Wildcard SSL Certificates: Along with a domain, these also secure all subdomains under the domain.

Multi-Domain SSL Certificates (SAN/UCC): These can secure multiple domain names.

Extended Validation (EV) SSL Certificates: These provide the highest level of authentication to organizations. The Certificate Authority (CA) checks the right of the applicant to use a specific domain name plus it conducts a vetting of the organization.

Importance of SSL Certificates:
SSL certificates provide multiple benefits:

Encryption: They protect sensitive information such as credit card numbers, usernames, passwords, emails, etc., during data transfer.

Authentication and Trust: They authenticate the identity of the organization running the website, which can give users confidence to proceed with transactions.

SEO advantages: Google ranks HTTPS-enabled websites higher than HTTP websites.

PCI DSS Compliance: If a website accepts credit card information, it must be PCI compliant, and having an SSL certificate is one of the key requirements.

This is just a high-level look at SSL certificates and how they work. There are many intricate details in each step of the SSL/TLS handshake and verification process.

Domain-validated (DV) certificates are the most basic level, providing encryption and verifying that the website is registered as claimed. Organization-validated (OV) certificates go further by confirming the organization's identity alongside domain ownership, offering moderate assurance to site visitors.
Extended validation (EV) certificates undergo the most rigorous authentication process, validating legal entity details. They provide the highest level of trust with the green address bar in browsers, assuring users of a website's authenticity. Each type serves a specific purpose, and understanding their differences helps in selecting the appropriate SSL certificate for your website's security needs.

When a user's browser attempts to connect to a website secured with SSL, it requests the server's identity. The server sends a copy of its SSL certificate, including the server's public key. The browser then checks if the certificate is trusted and valid. If everything checks out, the browser generates a symmetric session key and encrypts it with the server's public key.
The server decrypts this session key using its private key and sends an acknowledgment encrypted with the session key to the browser. From this point on, the server and the browser communicate using the session key, providing secure, encrypted data transfer. This process ensures that the data shared between the server and the browser remains confidential and protected from unauthorized access.