
Understanding SSL certificates

Server certificates are also known as SSL/TLS certificates. A server certificate is used to verify and validate the identity of the certificate holder or applicant before authenticating it. Once installed on the server, it also establishes an encrypted communication channel and switches the protocol to HTTPS.

What is an SSL certificate?

Server certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).

A server certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.

Technically, any website owner can create their own server certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.

How does the SSL Certificate work?

  • A browser or server attempts to connect to a website (i.e. a web server) secured with SSL. The browser/server requests that the web server identify itself.
  • The web server sends the browser/server a copy of its SSL certificate.
  • The browser/server checks to see whether or not it trusts the SSL certificate. If so, it sends a message to the web server.
  • The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  • Encrypted data is shared between the browser/server and the web server.

 

How to get an SSL Certificate

  • generate a key pair
  • use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
  • upload the request to a certificate authority
  • download the certificate and install it on our web server along with the key pair
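The first two steps, with the checks worth running before the request is uploaded and before the issued certificate is installed, as an added example that is not from the original page. The domain example.test, the file names and the function names are assumptions; -addext needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example: key pair -> CSR -> sanity checks. All names are constructed.
# Usage: make_csr example.test /path/to/private/dir

# make_csr DOMAIN DIR: writes DIR/DOMAIN.key (private) and DIR/DOMAIN.csr.
make_csr() {
    domain=$1; dir=$2
    # Step 1: generate the key pair. The private key never leaves the
    # server, so create it with owner-only permissions.
    ( umask 077
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
          -out "$dir/$domain.key" 2>/dev/null ) || return 1
    # Step 2: the CSR carries the public key and the domain name and is
    # signed with the private key to prove possession of it.
    openssl req -new -key "$dir/$domain.key" -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" -out "$dir/$domain.csr"
}

# csr_names CSR: print the names the CA will be asked to certify.
csr_names() {
    openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# csr_matches_key KEY CSR: succeeds only if the CSR's public key is the
# public half of KEY. Run this before upload to catch a mixed-up key file.
csr_matches_key() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$csr_pub" ]
}

# csr_has_no_private_key CSR: the file sent to the CA must contain no
# private key material.
csr_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$1"
}
```

Only the .csr file goes to the certificate authority; the .key file stays on the web server and is the one installed next to the issued certificate.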

 

Why should we choose a paid SSL certificate?

Type of SSL Certificate
Free SSL certificates only come with a Domain Validation (DV) option. DV certificates are used only for providing a basic level of authentication. Usually, they are used for platforms such as small websites and blogs. Free SSL certificates don’t have the provision for Organization Validation (OV) and Extended Validation (EV) certificates, whereas paid SSL certificates do come with OV & EV options, which are absolutely necessary for protecting business websites.

Level of Validation
When it comes to verifying a website owner’s business details before issuing a free certificate, the CA does not validate anything apart from the identity of the website owner. In the case of paid SSL certificates, verification of the identity of the website owner is a must before the certificate is issued to the site owner, and in the case of OV & EV certificates, the certificate authority (CA) carries out in-depth verification of the business.

Validity Period
Free SSL certificates provided by popular CAs are issued for 30-90 days. As a result, the website proprietor must renew the certificate every 30-90 days. In the case of paid certificates, they can be issued for a period of 1-2 years.

Support
The certificate authorities (CAs) and resellers of paid certificates are committed to providing round-the-clock support to their customers. Those customers get to choose whichever type of support they want, whether it’s chat, email or a call. On the other hand, free CAs don’t assist their customers with such remarkable support because they can’t afford to. If you need help with an issue regarding free SSL, you’re going to have to sift through a bunch of old forum posts to find it.

How to choose an SSL certificate

When choosing an SSL certificate, it is important to consider the type of encryption that is used. RSA is more widely used, but ECDSA is becoming increasingly popular due to its security features.

Another important factor to consider is the length of the certificate’s signature. The longer the signature, the more secure the connection will be. However, longer signatures can also lead to slower performance.

Finally, you should also consider the price of the SSL certificate. In most cases, you can find a good SSL certificate for a reasonable price. 

Example of SSL Certificate

We can use the openssl s_client command to check whether the certificate is valid, trusted, and complete.

openssl s_client -connect <hostname>:<port> : This opens an SSL connection to the specified hostname and port and prints the server certificate.

openssl s_client -connect <hostname>:<port> -showcerts : Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues.

If there is a connection problem reaching the domain, the openssl s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.

$ openssl s_client -connect google.com:443
CONNECTED(00000005)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1

Check who has issued the SSL certificate:

$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=R3

Check whom the SSL certificate is issued to:

$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.howtouselinux.com

Check for what dates the SSL certificate is valid:

$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT

Show all of the above information about the SSL certificate:

$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=www.howtouselinux.com
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT
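The date and trust checks above turned into pass/fail tests that a renewal monitor can act on, as an added example that is not from the original page. The function names and the example.test sample certificate are assumptions; the sample is a constructed self-signed certificate so that the checks run offline.

```sh
#!/bin/sh
# Added example: validity and trust checks on a PEM certificate file.

# fetch_cert HOST PORT: the page's s_client pipeline, saving the leaf as PEM.
fetch_cert() {
    echo | openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null |
        openssl x509 -outform PEM
}

# expires_within FILE DAYS: succeeds if notAfter falls within the next DAYS
# days or has already passed. An unreadable file also counts as an alert.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# is_trusted FILE [CAFILE]: chain validation against the default trust
# store, or against CAFILE when one is given.
is_trusted() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# make_sample_cert FILE DAYS: constructed self-signed certificate (key is
# written to FILE.key) used only to exercise the checks without a network.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=example.test" 2>/dev/null
}
```

For a live host, save the leaf with fetch_cert www.howtouselinux.com 443 > leaf.pem and run expires_within leaf.pem 14. A self-signed certificate fails is_trusted unless it is itself passed as the CAFILE, which is the same reason browsers warn on self-signed certificates.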

Edukacyjne Karty Prac

Friday 27th of October 2023

Thank you for this informative post! It has shed light on a topic I was struggling to understand. Your writing style is engaging and the information is presented clearly. Great job!

Matiere47

Sunday 22nd of October 2023

Wow, this is a great website! The layout is user-friendly and visually appealing. I found your post really helpful, thank you for sharing such valuable information!

Izolacja akustyczna samochodu

Tuesday 10th of October 2023

I just wanted to express my gratitude for this post. It has been immensely helpful in solving a problem I was facing. Thank you for sharing your knowledge and expertise!

Agent Warszawa

Saturday 7th of October 2023

Thank you for this helpful post! Your tips and insights have made a positive impact on my understanding of the topic. Keep up the great work!

David Cao

Monday 9th of October 2023

Thank you!

Galeria Sztuki

Friday 15th of September 2023

I'm really impressed with your website and this post in particular. It's evident that you have a deep understanding of the subject and have presented it in an easily digestible manner. Great job!