howtouselinux

Understanding SSL certificates

Table of Contents

Server certificates are known as SSL/TLS certificates. It verifies and validates the identity of the certificate holder or applicant before authenticating it. It also establishes an encrypted communication channel and switches the protocol to HTTPS once installed on the server.

What is SSL certificate

Server certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).

A server certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.

Technically, any website owner can create their own server certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.

How does the SSL Certificate work?

  • A browser or server attempts to connect to a website (i.e. a web server) secured with SSL. The browser/server requests that the web server identify itself.
  • The web server sends the browser/server a copy of its SSL certificate.
  • The browser/server checks to see whether or not it trusts the SSL certificate. If so, it sends a message to the web server.
  • The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  • Encrypted data is shared between the browser/server and the web server.

How to get a SSL Certificate

  • generate a key pair
  • use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
  • upload the request to a certificate authority
  • download the certificate and install it on our web server along with the key pair

If you need a free SSL certificate for your website, Elementor Cloud Website is a great option. They offer fast speeds, good uptime, and excellent customer support. It is an end-to-end solution gives you everything you need in one place for your website.

Web Hosting on Google Cloud + SSL certificate + WordPress + Website Builder + Templates.

We recommend using Elementor Cloud Website. It is very easy to start. You can get your website online in minutes. The price is $99 for one year.

Plus, they offer a 30-day money-back guarantee, so you can try it out with no risk.

Why should we choose a paid SSL certificate?

Type of SSL Certificate
Free SSL certificates only come with a Domain Validation (DV) option. DV certificates are used only for providing a basic level of authentication. Usually, they are used for platforms such as small websites and blogs. Free SSL certificates don’t have the provision for Organization Validation (OV) and Extended Validation (EV) certificates. Whereas the paid SSL certificates do come with OV & EV options, which are absolutely necessary for protecting business websites.

Level of Validation
When it comes to verifying a website owner’s business details before issuing a free certificate, CA does not validate anything apart from the identity of the website owner. While in the case of paid SSL certificates, verification of the identity of the website owner is a must before issuing the certificate to the site owner and in the case of OV & EV certificates, in-depth verification of the business is carried out by the certificate authority (CA).

Validity Period
Free SSL certificates provided by popular CAs are issued for 30-90 days. As a result, the website proprietor must renew the certificate every 30-90 days. In the case of paid certificates, they can be issued for a period of 1-2 years.

Support
The certificate authorities (CAs) and resellers of paid certificates are committed to providing round the clock support to their customers. Those customers get to choose whichever type of support they want, be whether its chat, email or call. On the other hand, free CA’s don’t assist their customers with such remarkable support because they can’t afford to. If you need help with an issue regarding free SSL, you’re going to have sifted through a bunch of old forum posts to find it.

how to choose an SSL certificate

When choosing an SSL certificate, it is important to consider the type of encryption that is used. RSA is more widely used, but ECDSA is becoming increasingly popular due to its security features.

Another important factor to consider is the length of the certificate’s signature. The longer the signature, the more secure the connection will be. However, longer signatures can also lead to slower performance.

Finally, you should also consider the price of the SSL certificate. In most cases, you can find a good SSL certificate for a reasonable price.  comodosslstore is a great choice to get an SSL certificate.

Example of SSL Certificate

We can use openssl s_client command to check whether the certificate is valid, trusted, and complete.

openssl s_client -connect : This opens an SSL connection to the specified hostname and port and prints the server certificate.

openssl s_client -connect : -showcerts : Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues.

If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.

$ openssl s_client -connect google.com:443
CONNECTED(00000005)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1

Check who has issued the SSL certificate:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let’s Encrypt/CN=R3

Check whom the SSL certificate is issued to:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.howtouselinux.com

Check for what dates the SSL certificate is valid:

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT

Show the all above information about the SSL certificate

$ echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
echo | openssl s_client -servername howtouselinux.com -connect howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let’s Encrypt/CN=R3
subject= /CN=howtouselinux.com
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT

David Cao
David Cao

Hey there! I am David, a Cloud & DevOps Enthusiast and 18 years of experience as a Linux engineer. I work with AWS, Git & GitHub, Linux, Python, Ansible, and Bash. I am a technical blogger and a Software Engineer, enjoy sharing my learning and contributing to open-source.