What is a Security Certificate?
SSL (Security) Certificates are small data files that digitally bind a cryptographic key to an organisation's details. When installed on a web server, a certificate activates the padlock and the https protocol (over port 443) and allows secure connections from a web server to a browser. Typically, SSL is used to secure credit card transactions, data transfer and logins, and more recently it has become the norm for securing browsing of social media sites.
SSL Certificates bind together:
- A domain name, server name or host name
- An organisational identity (i.e. company name) and location
An organisation needs to install the SSL Certificate onto its web server to initiate secure sessions with browsers. Depending on the type of SSL Certificate applied for, the organisation will go through differing levels of vetting. Once installed, it is possible to connect to the website over https://www.domain.com, as this tells the server to establish a secure connection with the browser. Once a secure connection is established, all web traffic between the web server and the web browser will be secure. Browsers tell visitors a website is SSL secure via several visible trust indicators.
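The binding described above can be inspected programmatically. The following is an added example, not code from the original page: it reads the host names and organisational identity out of a certificate in the dictionary layout returned by Python's ssl.SSLSocket.getpeercert(), and checks whether a host name is covered by it. The sample certificate values are constructed for illustration, and the function names are hypothetical.

```python
# Added example: what a certificate binds, read from the dict layout that
# Python's ssl.SSLSocket.getpeercert() returns for a validated peer.

# Constructed sample (not a real certificate), in getpeercert() layout.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("localityName", "London"),),
        (("organizationName", "Example Trading Ltd"),),
        (("commonName", "www.domain.com"),),
    ),
    "subjectAltName": (("DNS", "www.domain.com"), ("DNS", "*.shop.domain.com")),
}


def subject_fields(cert):
    """Flatten the nested subject tuples into a simple dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def bound_identity(cert):
    """Return the host names and organisational identity the certificate binds."""
    subject = subject_fields(cert)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names and "commonName" in subject:  # legacy fallback when no SAN exists
        names = [subject["commonName"]]
    return {
        "hostnames": names,
        "organisation": subject.get("organizationName"),
        "location": subject.get("localityName"),
        "country": subject.get("countryName"),
    }


def hostname_covered(cert, hostname):
    """True if hostname matches a bound name; '*' covers one left-most label only."""
    host = hostname.lower().rstrip(".").split(".")
    for name in bound_identity(cert)["hostnames"]:
        pattern = name.lower().split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*" and len(pattern) > 2:
            if host[0] and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False
```

A certificate whose subject carries only a commonName returns None for the organisation fields, which shows that it binds the key to a host name alone.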
What is SSL?
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are the most widely deployed security protocols used today. SSL is essentially a protocol providing a secure channel between two machines operating over the Internet or an internal network. In today's Internet-focused world, the SSL protocol is typically used when a web browser needs to securely connect to a web server over the inherently insecure Internet.
Technically, SSL is a transparent protocol requiring little interaction from the end user when establishing a secure session. In the case of a browser, for instance, users are alerted to the presence of SSL when the browser displays a padlock or, in the case of Extended Validation SSL, when the address bar displays both a padlock and a green bar. This is the key to the success of SSL – it is an incredibly simple experience for end users.
What are the Types of SSL Certificates?
Over the last few years the number of organisations using SSL Certificates has increased dramatically. The applications for which SSL is being used have also expanded. Some organisations, for example, need SSL simply for confidentiality (e.g. encryption). Some wish to use SSL to enhance trust in their security and identity (e.g. they want to show customers they have been vetted and are a legitimate organisation). As the applications for SSL have started to become wider, three types of SSL Certificates have emerged:
- Verifying the legal, physical and operational existence of the entity;
- Verifying the identity of the entity matches official records;
- Verifying the entity has exclusive right to use the domain specified in the EV SSL Certificate; and
- Verifying the entity has properly authorised the issuance of the EV SSL Certificate.
EV SSL Certificates are available for both incorporated and unincorporated businesses, including government entities. A second set of guidelines, the EV Audit Guidelines, specifies the criteria under which a CA needs to be successfully audited before issuing EV SSL Certificates. The audits are repeated yearly to ensure the integrity of the issuance process.