This article is for anyone who seeks a better understanding of SSL certificates, and how they provide security for both Public Internet and Enterprise Intranet connections.
Digital certificates are the core of the SSL protocol; they initiate the secure connections between servers (e.g., websites, intranets, or VPNs) and clients (e.g., web browsers, applications, or email clients).
SSL certificates protect transmissions against eavesdropping, help defend against phishing, and automatically authenticate a server, such as a website domain. If a website asks for users' sensitive information, it needs an SSL certificate to encrypt that information in transit. If there is no SSL certificate, the connection should not be trusted with any private information.
An SSL certificate contains information about the owner of the certificate, such as:
- email address
- owner's name
- certificate usage
- duration of validity
- resource location
- Distinguished Name (DN)
- Common Name (CN)
- signature of the certifying authority
It also provides the client with the Public-Key for encrypting information while establishing a secure connection with the server. The certificate never contains the Private-Key, as only the certificate owner should know this information.
How to get an SSL Certificate?
The most critical component of an SSL certificate is the digital signature of a publicly trusted third party: the certificate authority (CA), which verifies the identity of the organization before signing. The three most prominent certificate authorities, Symantec, GoDaddy, and DigiCert, have issued over 75% of all SSL certificates to date, but hundreds of publicly trusted CAs operate worldwide.
SSL certificates are usually signed and issued for a fee, paid as a periodic subscription to the trusted certificate authority. There are many SSL certificate vendors to choose from; your choice depends on your security needs, your budget, and the website you are running.
How much is an SSL Certificate?
There is little or no cost to secure a single domain name with a basic CA-signed SSL certificate. However, for full business and domain protection, the cost of SSL certification ranges from $150 to over $2000 per year.
SSL certificates typically come with a warranty. The warranty works like insurance: it financially protects you if something goes wrong on the certificate authority's end, such as an incorrectly issued certificate or a catastrophic failure of the SSL protocol. The amount of the warranty ranges from $0 to $1.75MM, depending on the SSL certificate you purchase.
How do SSL Certificates Work?
When you receive the SSL certificate, you install it on your server. You can also install an Intermediate certificate, which establishes the credibility of your SSL certificate by chaining it to your CA's root certificate.
Root certificates are self-signed and form the basis of an X.509-based Public-Key Infrastructure (PKI). The PKI supporting HTTPS for secure web browsing and electronic signature schemes depends on a set of root certificates. In other applications of X.509 certificates, a hierarchy of certificates certifies the validity of a certificate's issuance. This hierarchy is called a "Chain of Trust."
Chain of Trust
The Chain of Trust refers to your SSL certificate and its link to a trusted certificate authority. For an SSL certificate to be trusted, it must trace back to a trusted root CA. A Chain of Trust ensures privacy, trust, and security for all parties involved.
At the core of every PKI is the root CA; it serves as the trusted source of integrity for the entire system. The root certificate authority signs an SSL certificate, thus starting the Chain of Trust. If the root CA is publicly trusted, then any valid CA certificate chained to it is trusted by all major internet browsers and operating systems.
Intermediate CAs (also called subordinate or issuing CAs) hold the subsequent certificates that link the end-entity certificate to the root certificate; each certificate in the chain is signed by the preceding CA.
The need for Intermediate certificates
For publicly trusted CAs, the CA/Browser Forum's Baseline Requirements prohibit issuing end-entity certificates directly from the root CA, whose key must remain in an offline device such as a Hardware Security Module (HSM).
When establishing a Chain of Trust, it is crucial to configure root and Intermediate certificates carefully and correctly. If a root CA's Private-Key is compromised, the root and all Intermediate certificates beneath it become untrustworthy. For this reason, the primary function of an Intermediate CA is to issue end-entity server certificates; this makes it possible to manage SSL certificates without the direct involvement of the root CA.
If an Intermediate certificate is compromised, the root CA only needs to revoke that Intermediate certificate, along with any of its subordinate certificates, and then issue a new Intermediate certificate to start the chain again. The Intermediate CA therefore provides an additional layer of security while the root CA stays protected in offline storage, preserving the integrity of the system.
How is a Trust Chain verified?
The client or browser ships with the Public-Keys of a handful of trusted CAs in its trust store and uses these keys to verify the server's SSL certificate. The client repeats the verification recursively for each certificate in the Trust Chain until it traces the chain back to its beginning, the root CA.
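The chain walk described above, together with the role of the Intermediate CA from the previous section, as an added example that is not part of the original article: it assumes the openssl command-line tool is installed, and every name in it (the CA names, www.example.test, the file names) is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): build a root -> intermediate -> server
# chain with the openssl CLI, then check it the way a client's trust store does.
# All names, including www.example.test, are constructed for this demo.
set -e
WORK=$(mktemp -d) && cd "$WORK"

# One config file: an empty DN section (subjects come from -subj) plus the
# extension profile for each tier. Without CA:TRUE on the intermediate,
# openssl verify rejects it as an issuer.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
# 1. Root CA: self-signed; in production its key stays offline in an HSM.
openssl req -x509 -config pki.cnf -extensions root -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Demo Root CA" -days 3650 2>/dev/null
# 2. Intermediate CA: a CSR signed with the root's key.
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile pki.cnf -extensions intermediate -days 1825 -out int.pem 2>/dev/null
# 3. Server certificate: a CSR signed by the intermediate, never by the root.
openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
  -keyout server.key -out server.csr -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -extfile pki.cnf -extensions server -days 397 -out server.pem 2>/dev/null

# verify_chain ANCHOR INTERMEDIATE LEAF: exit 0 only if LEAF chains, through
# INTERMEDIATE, to a self-signed certificate in ANCHOR (the client's store).
verify_chain() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }
# verify_leaf_alone ANCHOR LEAF: what a client sees when the server forgets to
# send the intermediate; openssl reports "unable to get local issuer certificate".
verify_leaf_alone() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

verify_chain root.pem int.pem server.pem && echo "full chain: OK"
verify_leaf_alone root.pem server.pem || echo "leaf without intermediate: rejected"
```

The second check is the common misconfiguration behind "incomplete chain" browser errors: the server certificate is valid, but the client cannot reach the root without the intermediate.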
What does an SSL certificate do?
Over unsecured HTTP connections, attackers can easily intercept messages between client and server and read them in plain text. Encrypted connections scramble the communication so that only the endpoint holding the matching session key can decrypt it.
When installed on a web server, SSL certificates use a public/private key pair system to initiate the HTTPS protocol and enable secured connections for users and clients to connect.
For the Internet: What do SSL certificates do for websites?
When a signed SSL certificate secures a website, it proves that the organization has verified and authenticated its identity with the trusted third party; since the browser trusts the CA, the browser now trusts that organization's identity too.
The easiest way to check whether a website has an SSL certificate installed is to look at your browser: if the website URL starts with "HTTPS:", the server has an SSL certificate installed. If so, click the padlock icon in the address bar to view the certificate information.
Web browsers use HyperText Transfer Protocol (HTTP) to connect to web servers that listen on TCP port 80 by default. HTTP is a plain text protocol, which means it is relatively easy for a hacker to intercept and read the data in transit, and it is not adequate for any application that requires confidentiality.
HTTPS (HTTP over SSL) uses TCP port 443, encrypting data exchanged between the browser and the server and authenticating the user. Therefore, when communications between the web browser and server need to be secure, the browser switches to SSL, provided the server has an SSL certificate installed.
Establishing a connection with a server whose certificate is signed by a trusted CA takes place without additional difficulty for the user. When internet users visit an SSL-secured website, they are more willing to submit their contact information or shop with their credit card. Furthermore, having an SSL certificate on your website improves its search ranking, making it easier for users and customers to find your site.
An SSL certificate not only attests to the reliability of a website; with more advanced certificates, the entire company can be SSL certified too.
For Intranets: What do SSL certificates do for applications in an enterprise environment?
Although the original purpose of SSL was for the World Wide Web, enterprises use SSL certificates to secure a wide variety of internal and external connections. The most common use cases for Enterprise SSL certificates include:
- Network Access Control
- Virtual Private Networks (VPN)
- Single sign-on
- Internet of Things (IoT)
If properly configured, all of these applications run on top of the SSL protocol. We'll take a closer look at each of them in the following sections.
Network Access Control
Employees who connect wireless devices to the corporate network need ease of access, while at the same time the network must prevent unauthorized access to corporate resources. Employees may use SSL certificates from their devices to access and encrypt files on corporate servers or even cloud servers, with access limited to approved individuals.
Avoid the need to remember and reset long, hard-to-remember passwords that change every 90 days by replacing them with a digital identity. Place a digital identity on the Windows or Mac desktop, server, or WiFi access points, so only authorized devices can connect to your corporate network.
Single sign-on
Today's enterprise employees have access to a wide variety of identity service or federation products. Enterprises often use a Web Single Sign-on product to provide access to all of their resources in the corporate portal or cloud services.
Internet of Things
A digital identity can be installed in your IoT device and in the user's device or application to ensure that only trusted IoT devices can connect to your network, and that the IoT device takes instructions from, or sends data to, only authorized applications and users that possess a digital identity.
SSL VPN
A Secure Sockets Layer Virtual Private Network (SSL VPN) is a virtual private network (VPN) created using the Secure Sockets Layer (SSL) protocol. IT departments can scale both the solution and its required infrastructure services. An SSL VPN enables granular control over managed application access to enterprise web applications. Perhaps the most significant benefits of an SSL VPN come from the efficiency and productivity gained by freeing up IT resources, since all digital certificates can be accessed remotely.
Code, document, and email signing
Many people don't realize that code, document, and email signing certificates are not SSL certificates. Even though they are all PKI X.509 certificates, the key-usage extension makes all the difference. Read "Difference Between Code Signing and SSL certificate" or "Difference Between Digital certificate and Digital Signature" to learn more on the subject.