An SSL/TLS Certificate is used to secure a connection to a domain name using HTTPS. Secure Socket Layer (SSL) and Transport Layer Security (TLS) encrypt data as it travels across the internet to make it secure. Even though internet software is readily able to use SSL/TLS, an SSL/TLS Certificate is required before it can be enabled.
It is worth noting that all modern SSL Certificates use TLS protocols instead of SSL. However, the term ‘SSL Certificate’ remains the industry standard.
The use of an SSL Certificate has become standard practice for protecting the data that you transmit, such as usernames and passwords, payment details, or sensitive information such as medical history.
Google Chrome’s push towards a safer and more secure online experience for all users has resulted in the expectation of seeing the locked padlock symbol and ‘https://’ in the address bar of a website.
The Hypertext Transfer Protocol (HTTP) for the World Wide Web uses SSL for secure communications. When the SSL Certificate for your FQDN is installed onto your server, the application protocol will change from HTTP to HTTPS (“S” meaning “Secure”). A locked padlock symbol will also appear in the address bar if the webpage correctly uses SSL. Without SSL, any data sent between the server and browser would be sent as unencrypted plain text and so would be vulnerable to interception by an unauthorised third party.
Misleading though the name may be, an SSL Certificate is not in fact a hard copy notarized certificate that you can hold in your hands. In literal terms, it is just a series of alpha-numeric values.
An SSL Certificate is typically issued to a specific Fully Qualified Domain Name (FQDN) by a trusted Certificate Authority (CA). Once issued, the SSL Certificate must be installed onto a web server hosting the specific FQDN to allow secure sessions with browsers.
One of the most important parts of an SSL Certificate is the intermediate certificate, which is used to prove that your SSL Certificate was issued by a trusted CA. Using an SSL Certificate from a CA allows you to gain your customers’ trust and protect your site against phishing. The intermediate certificate is what distinguishes your SSL Certificate from a self-signed certificate and marks it as one that should be trusted by all browsers.
An SSL connection is always initiated by the browser. At the beginning of an SSL session, an SSL handshake is performed. This handshake is where the SSL Certificate comes into play: the browser and server agree on the encryption they can use and on their shared key before starting to communicate.
1. The client makes a request for secure connection to a web page on a domain name. The client provides the server with a list of the SSL/TLS versions it has enabled as well as the cipher suites it has available.
2. The server selects the strongest SSL/TLS version and cipher suite(s) available and sends the client the X.509 SSL Certificate (server.cer – public and intermediate certificates/keys) for the domain name requested.
3. The client checks that the domain name on the SSL Certificate matches the domain name that the client requested. The client then checks its trust store to confirm that the intermediate certificate/key was issued by a trusted Certificate Authority (CA). It also checks the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) to confirm that the SSL Certificate has not been revoked.
4. The client extracts the public key from the SSL Certificate. The client creates a random symmetric key. The client then encrypts it using the public key from the SSL Certificate and sends it to the server.
5. The server decrypts the random symmetric key from the client using the server’s own private key.
6. Both the client and the server together create a session key that will be used to encrypt all future communications that are sent to the other.
7. Secure connection has now been established. Server securely sends the webpage on the requested domain name.
When the handshake is completed, both the browser and the server encrypt messages that are sent using their shared session key. This means that even if an unauthorised party was able to intercept any messages, they would not be able to decrypt them. This use of keys in the handshake and the secured session is more commonly referred to as public key cryptography.
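The domain name check in step 3 is the part of the handshake most often weakened in client code, so here it is as an added Python example (not code from the original page). The certificate is a constructed sample in the dictionary format returned by Python's ssl.SSLSocket.getpeercert(); the host names and the helper names are assumptions made for illustration.

```python
import ssl

# Constructed sample in the format of ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "subjectAltName": (("DNS", "shop.example.test"),
                       ("DNS", "*.cdn.example.test")),
}

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate dNSName entry with the requested host name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(h_labels) or len(p_labels) != len(h_labels):
        return False              # a wildcard never spans several labels
    if any("*" in label for label in p_labels[1:]):
        return False              # wildcard allowed in the left-most label only
    if p_labels[0] == "*":
        # Need at least two fixed labels, so "*.test" matches nothing.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False              # strict policy: no partial wildcards ("sh*")
    return p_labels == h_labels

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Step 3: does any DNS name on the certificate cover the requested host?"""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(n, hostname) for n in names)

def client_context() -> ssl.SSLContext:
    """Context that performs the step 3 checks on real connections."""
    # create_default_context() loads the system trust store and turns on
    # certificate and host name verification. Revocation (CRL/OCSP) is not
    # checked by default and has to be configured separately.
    return ssl.create_default_context()

if __name__ == "__main__":
    for host in ("shop.example.test", "img.cdn.example.test",
                 "a.b.cdn.example.test", "shop.example.test.evil.test"):
        print(f"{host:32} {cert_matches_host(SAMPLE_CERT, host)}")
    ctx = client_context()
    print("check_hostname:", ctx.check_hostname, "verify_mode:", ctx.verify_mode.name)
```

In real client code the context returned by client_context() does this matching itself; the matcher is spelled out here only to show what the check accepts and rejects.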
It is expected that all websites will eventually need to use an SSL Certificate as we continue to move towards a more secure online experience.