If you would like further clarification on any points in this guide, please feel free to reach out.
What is SSL? SSL stands for Secure Sockets Layer. It is the industry standard technology for security on the internet and establishes an encrypted link between a browser and a web server. The link then guarantees that all the data sent between them remains integral and private.
In other words, it securely sends your data without anyone being able to access it or modify it during transit.
SSL is typically used to secure credit card transactions, logins, and data transfer. It is also used to provide secure browsing for social media sites and most other web pages.
What is an SSL Certificate? An SSL Certificate consists of small data files which assign a digital cryptographic key to a business. When the certificate has been installed on a web server, HTTPS and a padlock will appear. They allow secure connections between a browser and web server.
SSL Certificates bind together the following:
A domain name, hostname, or server name
A company name (organisational identity) and a location
It will also contain the certificate's expiration date and the details of the Certificate Authority responsible for issuing the certificate.
When a browser connects to a secure site, it checks:
That a Certification Authority which the browser trusts has issued the certificate
That the certificate covers the website that is being visited
If any of the above checks fail, then the browser will show the user a warning that the site does not have SSL and is not secure.
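The fields a certificate binds and the name-coverage check can be read straight from a parsed certificate. The following is an added example, not part of the original guide: it works on a constructed dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and the helper names `field`, `covers` and `summarise` are hypothetical.

```python
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# every name and date in it is made up for illustration.
SAMPLE_CERT = {
    "subject": ((("countryName", "GB"),), (("localityName", "London"),),
                (("organizationName", "Example Widgets Ltd"),),
                (("commonName", "www.example.test"),)),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust CA G2"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.shop.example.test")),
}

def field(name, key):
    """First value of `key` in a getpeercert() subject or issuer tuple."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def covers(cert, hostname):
    """True if a DNS name in the certificate matches hostname.
    A leading '*' stands for exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    for kind, pattern in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = pattern.lower()
        label, _, rest = host.partition(".")
        if pattern == host or (pattern.startswith("*.") and label and rest == pattern[2:]):
            return True
    return False

def summarise(cert, hostname, now):
    """What the certificate binds, and whether it is usable for hostname at
    `now` (seconds since the epoch). CA trust is not checked here: on a live
    connection ssl.create_default_context() verifies the chain and the name."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "organisation": field(cert["subject"], "organizationName"),
        "location": field(cert["subject"], "localityName"),
        "issuer": field(cert["issuer"], "commonName"),
        "expires": cert["notAfter"],
        "covers_host": covers(cert, hostname),
        "in_validity_period": start <= now <= end,
    }
```
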
Any time you visit a site which is unprotected, the information you provide will be sent in an easy to read plain text format. Information is usually sent between multiple servers before it arrives at its destination. This means there are lots of chances for it to be potentially stolen or modified in transit.
Do I need an SSL Certificate? If your website asks your clients to add personal information like Credit Card details, then you need an SSL certificate. This will then initiate a secure connection with your clients' web browsers, which ensures that all web traffic is encrypted and can’t be read or modified during transit.
As well as keeping information secure, there is also another aspect: Sites that aren't forcing the use of an SSL certificate will display as 'Not Secure' in a user’s browser.
Sites with an SSL Certificate will display with a padlock instead.
Most search engines have begun to display warnings that any non-HTTPS site is insecure, and not to enter personal information.
An SSL certificate has two purposes:
To encrypt data which is being transmitted
To authenticate the website’s identity
Especially for business websites, it is important that clients know they are visiting a trustworthy website. If there is no SSL Certificate, it is likely that most users will not enter their personal information on the site, and will instead leave to a competitor's site which is secure.
Most SSLs will only use domain validation to issue a certificate. Some types of certificates have additional validation methods for added security.
Domain Validation (DV): The Certificate Authority (CA) checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.
Domain validated certificates are fully supported and share the same browser recognition as the Phone validated certificates, but come with the advantage of being issued almost immediately and without the need to submit company paperwork. This makes RapidSSL certificates ideal for individuals needing a low cost SSL quickly and without the effort of submitting company documents.
Organisation Validated (OV): In the case of an OV certificate, the certificate authority performs a much more substantial validation process. This includes checking the applicant’s business credentials against a trusted third party and even making sure that the company’s physical address matches the application.
For individuals, the RapidSSL (DV) certificate is the most affordable and logical choice to provide simple encryption for things like logins. But for businesses, a domain validated certificate simply isn’t the appropriate choice. If you have small and mid-sized business customers, at the bare minimum, they should be using the QuickSSL Premium certificate (OV) to ensure that visitors to their website see the additional information about the organisation in the certificate.
The Certificate Authority will place a phone call to the phone number listed in the third party's records. They will ask a few simple questions confirming the details of the certificate. The questions are generally as follows:
Does the technical contact have authority to obtain the certificate?
If applicable, does the technical contact have authority to delegate SSL responsibilities?
Do you know of the company's ownership and right to use the domain?
Do you approve the SSL Certificate request?
Do you acknowledge signature of the Subscriber Agreement?
Phone validation is undertaken as part of issuing Organisation Validation and Extended Validation certificates.
Extended Validation (EV) is where the CA checks the right of the applicant to use a specific domain name as well as conducting a thorough vetting of the organisation. The issuance process of EV SSL Certificates is strictly defined in the EV Guidelines, formally ratified by the CA/Browser Forum in 2007, which specify all the steps a CA must complete before issuing a certificate, including:
Verifying the legal, physical and operational existence of the entity.
Verifying that the identity of the entity matches official records.
Verifying that the entity has exclusive right to use the domain specified in the EV SSL Certificate.
Verifying that the entity has properly authorised the issuance of the EV SSL Certificate.
EV SSL Certificates are available for all types of businesses, including government entities and both incorporated and unincorporated businesses. A second set of guidelines, the EV Audit Guidelines, specify the criteria under which a CA needs to be successfully audited before issuing EV SSL Certificates. The audits are repeated yearly to ensure the integrity of the issuance process.
EV SSL Certificates are the latest, and possibly most significant, advancement in SSL technology since its inception, and follow the standardised Extended Validation guidelines. New high security browsers such as Microsoft Internet Explorer 7+, Opera 9.5+, Firefox 3+, Google Chrome, Apple Safari 3.2+ and iPhone Safari 3.0+ identify ExtendedSSL Certificates as EV Certificates and activate the browser interface security enhancements, such as the Green Bar. For customers who wish to assert the highest levels of authenticity, ExtendedSSL is the ideal solution.
Does an SSL need a Dedicated IP Address? Short Answer: No, not at all.
Long Answer: SSL was released in the 1990s, when every website had its own IP address. At the time an SSL certificate was tied to an IP address for this reason.
Around the year 2000 we started running out of available IP addresses and a technology called virtual hosts was invented to allow multiple websites to share the same IP address, but still be recognised as individual websites by the internet. Another technology called SNI (Server Name Indication) followed this: SNI allowed websites to have their own SSL certificate without the need for a dedicated IP address. While SNI was released in 2006, it only came into common use in 2011 when CentOS (the Operating System that runs most web servers) began to support the technology.