Monday, 30 April 2012

Learning about Secure Socket Layer (SSL) Certificates [Part 2 of a 4 part series]

If you've come to our GlobalSign website or been approached by any of us, you've probably seen the term SSL. We've started a four part series where we blog about SSL Security and what it means for you. Stay tuned each week as we break down SSL into bite-sized bits. 

This week, we'll introduce SSL Certificates and a little bit of technical background. 

What is an SSL Certificate?

SSL is a protocol, and in order to use the SSL protocol organisations need an SSL Certificate.  An SSL Certificate is a small data file that digitally binds a cryptographic key to your organization’s details, typically:

  • Your domain name, server name or hostname
  • Your company name and location
  • In certain cases your organisational contact details
An organisation needs to install the SSL Certificate onto their web server to initiate SSL sessions with browsers.  Once installed, it is possible to connect to the website over https://www.domain.com  as this tells the server to establish a secure connection with the browser.  Once a secure connection is established all web traffic between the web server and the web browser will be secure.

To view an SSL Certificate click on the padlock and select View Certificate.  All browsers show the Certificate slightly differently but the Certificate always contains the same information.
SSL Certificate example

To view the actual contents of the Certificate click the Details tab:

SSL Certificate Details Example

Click the Certification Path to see which Trusted Root Certificate has been used to issue the SSL Certificate:


SSL Certificate Root CA hierarchy

Why is the Root Certificate important?
SSL Certificates need to be issued from a trusted CA’s root Certificate.  The root Certificate must be present on the end-user’s machine in order for the SSL Certificate to be trusted.  If it is not trusted the browser will present untrusted error messages to the end user.

For e-commerce websites, such error messages may result in consumers doubting the credibility of the website. In fact, websites using untrusted SSL Certificates may risk losing confidence and business from the majority of consumers.

Companies like GlobalSign are known as trusted Certification Authorities. This is because browser and operating system vendors such as Microsoft, Mozilla, Opera, Blackberry, Java etc trust that GlobalSign is a legitimate Certification Authority and that GlobalSign can be relied on to issue trustworthy SSL Certificates.  The more applications, devices and browsers the Certification Authority embeds its root into, the better “recognition” the SSL Certificate can provide.

GlobalSign has, for over 15 years, been operating the GlobalSign Ready program for root Certificate embedding.  This program ensures its inhouse engineers from the US, UK, continental Europe and Asia are in constant communication with the application, device and browsers vendors to ensure the GlobalSign root Certificate is present everywhere that may be used for SSL sessions.

Read more about GlobalSign Root Certificate compatibility and how it benefits your website security
Root Certificate Store

The GlobalSign Root Certificate is marked for a number of intended purposes, this makes it a very strong, flexible all round Root Certificate able to perform all Public Key Infrastructure (PKI) related activities:
  • Ensures the identity of a remote computer
  • Proves your identity to a remote computer
  • Ensures software came from software publisher
  • Protects software from alteration after publication
  • Protects e-mail messages
  • Allows data to be signed with the current time
  • Allows data on disk to be encrypted
  • Allows secure communication on the Internet
  • All issuance policies
  • OCSP Signing
Next week, we'll focus on where SSL can be installed and used.