Houston, We have a Problem! SSL Certificate Demystified
Sadat Rafsanjani
Software Engineer | SaaS Architect | AI Tinkerer | Open-Source Contributor | #Java #Python #AI
Problem: How do we provide a safe and secure environment for a website, and why should visitors trust it?
The Solution: a Secure Sockets Layer (SSL) Certificate.
What is an SSL certificate?
An SSL certificate is a digital certificate issued for website security by a trusted third-party organization called a Certificate Authority (CA). Before the certificate is issued, the CA researches the organization, cross-checks references and, once assured of its identity, issues the certificate.
What information is contained in an SSL certificate?
1) Organization name for which it is issued
2) Issuer name
3) Issuer digital signature
4) Issuer public key
5) Domain name for which it is issued
6) Issue date and expiry date
How does an SSL certificate secure a website?
An SSL certificate is activated when the HTTPS protocol is used. Unlike the HTTP protocol, which is unsafe, HTTPS establishes a secure connection between the client and the web server.
Information exchanged between them is encrypted. This is achieved by Transport Layer Security (TLS), the encryption protocol that HTTPS uses underneath.
SSL or TLS?
SSL used to be called SSLv3.0. When the next version came, instead of calling it SSLv4.0, it was renamed to TLSv1.0. The current version is TLSv1.3.
Types of SSL Certificates
1) Domain Validated: Can be issued in minutes by verifying domain ownership. Used for blogs and personal sites, but not e-commerce (e.g. some-site.com)
2) Organization Validated: Contains information about the organization it was issued to. Before issuing it, the CA performs a basic investigation.
3) Extended Validation: The CA does thorough research before issuing it.
4) Single Domain: Issued for only one qualified domain name. (e.g. python.com)
5) Multi Domain aka UCC: A single certificate issued for multiple qualified domain names. (e.g. python.com, java.com, php.com)
6) Wildcard: Issued for subdomains. It can also be multi-domain, meaning one certificate covers multiple subdomains. (e.g. mail.google.com)
Certificate Chain
An SSL certificate chain has three levels.
1) Root: Issued directly by the CA. It is self-signed.
2) Intermediate: A certificate that sits between the root and server certificates. It is signed by the private key of the root certificate.
3) Server (SSL/TLS): The certificate we install on the web server.
How to acquire an SSL certificate?
From certificate-issuing bodies like DigiCert or Namecheap. We can also create a self-signed SSL certificate using Let's Encrypt, issued by the Internet Security Research Group. But self-signed certificates are not recommended for commercial use such as e-commerce sites.
How does SSL work underneath?
1) Client sends a TCP SYN to the server
2) Server sends back a TCP SYN-ACK
3) Client acknowledges the SYN-ACK by sending a TCP ACK to the server
4) A TCP connection is established between client and server
5) Client says hello
6) Server replies hello
7) Server sends its SSL certificate, containing its public key, to the client
8) Client generates a session key, encrypts it with that public key and sends it to the server
9) Server decrypts the session key with its private key
10) From now on, encrypted data is exchanged between client and server
That's all folks!