The Secure Sockets Layer (SSL) allows you to communicate over the Internet with a secure and encrypted connection. SSL is probably most associated with web sites and email, but it can be used with almost any Internet service.
There are two components to a secure connection:
1) Encryption: This is the process of encoding messages between the communicating parties so that only they know the content.
2) Assurance: This ensures that the party you think you are communicating with is actually who you think they are.
Encryption is the process of encoding a message so it cannot be read if it is intercepted. The person receiving the message will need a way to decode the message. The two parties could share a “key” that is used to both encrypt and decrypt messages. This is fine if you know and trust the party you are communicating with. But what if you don’t, or can’t be sure? That is the situation we are dealing with in Internet communication.
SSL uses a technology called “public key cryptography”. This is how it works, in a nutshell:
- Each party has two keys, a public key and a private key.
- Messages encrypted with a person’s public key can only be decrypted with the private key and vice versa.
- Each user makes his public key available to anyone, but no one else has access to his private key.
To use SSL you must create a “signed” SSL Certificate. The signature testifies that the party providing the certificate is the legitimate operator of the domain being connected to. A certificate can be “self-signed” by the creator, but what assurance is that? It would be like “co-signing” your own loan application!
Self-signed SSL certificates provide an encrypted connection, but should not be used for a public-facing interface. Intranets and test labs are probably the only places where they would be recommended.
For any public domain, such as a web or email server, you need to obtain an SSL Certificate signed by a “trusted third party” known as a Certificate Authority. It is the CA’s signature that provides assurance to a browser or other client that the server providing it is the one it was issued to and the one you think it is.
Certificate Authorities charge an annual fee for the service and provide different levels of Assurance. The base level, and lowest cost, is to simply verify that the requestor is the owner of the domain. Some CAs even automate this process so it can be accomplished in a matter of minutes.
A higher level of Assurance is sometimes called “Organizational Assurance” (OA) where the CA verifies through public records that the requestor is an organization that actually exists. The highest level of Assurance, and the most costly, is called Enhanced Verification (EV).
With EV, the CA conducts a much more thorough investigation following industry standards. It not only assures that the requestor exists, but screens out any organizations that might be illegitimate or fraudulent.
Requesting an SSL Certificate from a CA
What do you need to do to obtain an SSL Certificate from a Certificate Authority?
1. Create a Certificate Signing Request (CSR). A CSR is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate.
- Your web server has software that you use to generate the CSR. If you use a web host, the web host will generate it for you. Contact your host for instructions.
- A private key is generated along with the CSR.
2. Go to a Certificate Authority such as Comodo. A CA is a “trusted 3rd party”.
- The CA validates that you, the requestor, have control of the domain in the request, e.g. example.com.
- The CA validates that you, the requestor, are an existing organization, verified through public government records.
3. After validation, the CA issues to you, the requestor, a “certificate”.
- The certificate contains a new public key encrypted with the CA’s private key.
4. Install the certificate on your web and email server(s).
You are ready to go, and your site visitors will be secure!
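The four steps above, carried out in memory as an added example (not code from the original article): the applicant creates a private key and a CSR for example.com, a constructed stand-in CA checks the CSR and signs a certificate, and a client verifies it against a trust store holding only that CA's root. The same client then rejects a self-signed certificate for the same key, which is the assurance gap the article describes. The "Demo Root CA" name and the small must helper are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"
	"fmt"; "math/big"; "time"
)

// must aborts the demo on any error so the steps below stay readable (helper assumed here).
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// IssueAndVerify walks the article's steps in memory and reports whether the
// CA-issued certificate verifies and whether a self-signed certificate for the
// same server key verifies against the same trust store (it should not).
func IssueAndVerify() (caIssuedOK, selfSignedOK bool) {
	// Step 1: the applicant generates a private key (it never leaves the
	// server) and a CSR carrying only the public key and the domain name.
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "example.com"}, DNSNames: []string{"example.com"}}, srvKey))
	// Step 2: the CA (constructed here, not a real one) holds its own key and a
	// self-signed root; clients trust this root, not individual servers.
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// Step 3: the CA parses the CSR, checks its signature (proof the applicant
	// holds the matching private key) and signs a certificate with the CA key.
	csr := must(x509.ParseCertificateRequest(csrDER))
	if err := csr.CheckSignature(); err != nil { panic(err) }
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, csr.PublicKey, caKey))))
	// Step 4, client side: verify the installed certificate against a trust store holding only the CA root.
	roots := x509.NewCertPool(); roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "example.com"}
	_, err := leaf.Verify(opts)
	caIssuedOK = err == nil
	// A self-signed certificate still enables encryption, but no trusted party
	// vouches for it, so the same client rejects it.
	self := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, leafTmpl, &srvKey.PublicKey, srvKey))))
	_, err = self.Verify(opts)
	selfSignedOK = err == nil
	return
}

func main() {
	ok, self := IssueAndVerify()
	fmt.Println("CA-issued verifies:", ok, "self-signed verifies:", self)
}
```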