Explaining SSL Certificates

SSL certificates might seem a bit of a minefield, but they’re actually fairly straightforward. In this blog post, I’ll explain the different types of certificates, and where and for what purpose you would (or should) use each.

Understanding PKI Certificates

The certificates I’m discussing here are PKI (public key infrastructure) certificates, where the server holds a private key and the matching public certificate is what clients are given to verify it.

A standard PKI certificate process is:

  • generate a private key on the server
  • create a certificate request (CSR) based on the private key and domain details
  • submit the CSR to the certificate authority (CA)
  • perform the required validation
  • the CA generates and provides the certificate
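The five steps above, carried through with OpenSSL as an added example (this is not code from the original post). A throwaway local CA stands in for the commercial CA, so the CA's domain validation is simulated rather than performed; hostnames such as x.y.com, the output directory and the CA name are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for the -addext option.

```shell
#!/bin/sh
# Added example, not from the original post: the five-step PKI process with
# OpenSSL. A throwaway local CA stands in for the commercial CA, so the
# domain-validation step is simulated. Hostnames, paths and the CA name are
# constructed placeholders. Assumes OpenSSL 1.1.1+ (for -addext).
set -eu

# make_csr OUTDIR PRIMARY_HOST [EXTRA_HOST...]
# Steps 1 and 2: the private key is generated on the server and never leaves
# it; the CSR binds the public key to the requested hostnames.
make_csr() {
    outdir=$1; primary=$2; shift 2
    mkdir -p "$outdir"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/server.key" 2>/dev/null
    chmod 600 "$outdir/server.key"       # only the server process may read it
    san="DNS:$primary"                   # single, multi-SAN or *.y.com wildcard
    for h in "$@"; do san="$san,DNS:$h"; done
    printf 'subjectAltName=%s\n' "$san" > "$outdir/san.ext"
    openssl req -new -key "$outdir/server.key" -out "$outdir/server.csr" \
        -subj "/CN=$primary" -addext "subjectAltName=$san" 2>/dev/null
    # the CA repeats this check on receipt: the CSR is signed by the key it carries
    openssl req -in "$outdir/server.csr" -noout -verify >/dev/null 2>&1
}

# sign_csr OUTDIR
# Steps 3 to 5 simulated: a local test CA signs the request for 398 days, the
# current maximum lifetime. A real CA would perform domain validation first.
sign_csr() {
    outdir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$outdir/ca.key" \
        -out "$outdir/ca.crt" -subj "/CN=Local Test CA" -days 30 2>/dev/null
    openssl x509 -req -in "$outdir/server.csr" -CA "$outdir/ca.crt" \
        -CAkey "$outdir/ca.key" -CAcreateserial -days 398 \
        -extfile "$outdir/san.ext" -out "$outdir/server.crt" 2>/dev/null
    # what a client does with the result: check that it chains to a trusted CA
    openssl verify -CAfile "$outdir/ca.crt" "$outdir/server.crt" >/dev/null
}

# cert_sans FILE: print the SAN list of a CSR or certificate,
# e.g. DNS:x.y.com,DNS:z.y.com
cert_sans() {
    case $1 in
        *.csr) openssl req -in "$1" -noout -text ;;
        *)     openssl x509 -in "$1" -noout -text ;;
    esac | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

# usage: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_csr "$dir" x.y.com z.y.com
    sign_csr "$dir"
    echo "issued $dir/server.crt for $(cert_sans "$dir/server.crt")"
fi
```

The CSR is the only artefact that leaves the server; the private key stays behind with restricted permissions, and both the CA and the client end up verifying signatures rather than trusting the request text itself.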

For more information on PKI, please see the following article at Wikipedia.

For more information on how the SSL/TLS connection process works, please see the following video:

1. Certificate types

There are different types of certificates for different purposes. The following is a general guide to the types available from various commercial vendors.

  • web server certificate – probably the most common certificate in use; used to authenticate the website to the client and to encrypt client-to-website communications
  • client certificate – the opposite of the above: a certificate held by the client and used to identify/authenticate the client to the server
  • code signing certificate – used to sign applications so that users can verify the application’s origin and confirm its validity/authenticity
  • email or S/MIME certificate – used for authenticating and/or encrypting email
  • unified communications (UC) certificate – also known as a Subject Alternative Name (SAN) certificate; an SSL/TLS certificate that secures multiple subdomains with a single certificate

Certificates also come in the following domain formats:

  • single domain – a certificate for a single subdomain or hostname (e.g. x.y.com)
  • multi-domain (multi-SAN) – allows multiple specified subdomains in a single certificate (e.g. x.y.com + z.y.com)
  • wildcard domain – allows any subdomain without listing each one in the certificate (e.g. *.y.com)
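To show what the three domain formats mean to a connecting client, here is an added example (not from the original post) that builds self-signed test certificates with each kind of SAN list and asks OpenSSL’s own hostname matcher whether it would accept a given name. The hostnames and paths are constructed, and OpenSSL 1.1.1 or later is assumed. One point the list above leaves implicit and the matcher makes visible: a wildcard covers exactly one label, so *.y.com matches a.y.com but neither y.com itself nor a.b.y.com.

```shell
#!/bin/sh
# Added example, not from the original post: which hostnames a client accepts
# for each domain format, decided by OpenSSL's own hostname matcher.
# Hostnames and paths are constructed placeholders. Assumes OpenSSL 1.1.1+.
set -eu

# make_san_cert OUT SANLIST
# Self-signed test certificate whose SAN list is SANLIST, e.g.
# "DNS:x.y.com" (single), "DNS:x.y.com,DNS:z.y.com" (multi-SAN) or
# "DNS:*.y.com" (wildcard). Stands in for a CA-issued certificate.
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=test" -addext "subjectAltName=$2" -days 30 2>/dev/null
}

# host_ok CERT HOSTNAME: exit 0 if CERT is valid for HOSTNAME, 1 otherwise.
# The certificate is passed as its own trust anchor so that chain building
# succeeds and only the name check decides the outcome.
host_ok() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1; then
        echo "accept  $2"
    else
        echo "reject  $2"
        return 1
    fi
}

# usage: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_san_cert "$dir/multi" 'DNS:x.y.com,DNS:z.y.com'
    make_san_cert "$dir/wild"  'DNS:*.y.com'
    echo "multi-SAN x.y.com + z.y.com:"
    for h in x.y.com z.y.com w.y.com; do host_ok "$dir/multi.crt" "$h" || true; done
    echo "wildcard *.y.com:"
    for h in a.y.com y.com a.b.y.com; do host_ok "$dir/wild.crt" "$h" || true; done
fi
```

The multi-SAN certificate rejects w.y.com because it was never listed, which is exactly the case that pushes people towards a wildcard; the wildcard in turn rejects the bare domain and deeper subdomains, so a site served at both y.com and www.y.com still needs both names in the SAN list.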

2. Models of certificates/assurance levels

Most SSL certificate vendors offer different “models” of certificate. Sectigo, for example, has PositiveSSL, EssentialSSL and PremiumSSL certificates, amongst others.

These models essentially provide different assurance levels and certificate features, and are priced according to those features.

Assurance levels

  • low – a standard certificate with low assurance; the vendor provides a warranty up to a certain loss value; requires domain validation
  • high – organisation validation, with a higher loss value covered
  • very high – extended validation certificates, with additional validation checks and a higher loss value

3. Validation

The process of purchasing a certificate includes the CA vendor validating that you own, or have control of, the requested domain. This is a security check to prevent malicious use of issued certificates. Because a PKI certificate authenticates your web presence, it can be used for malicious purposes in the wrong hands, so it’s critical that the issuance process is secure. Secure storage and management of the certificate and its private key on your side are equally important.

domain validation (DV)

With this option, there are two methods of validation:

  • email validation – an email containing a validation link and code is sent to predefined addresses at the target domain
  • DNS validation – the client is required to add a specific DNS record to the target domain, which the CA then checks

Either method typically results in the certificate being issued within 24 hours of the validation being actioned.

organisation validation (OV)

This method involves, in addition to domain validation, an active check in which the CA vendor contacts the client using publicly available information; company registration, proof of domain ownership and other information may also be requested from the client.

This method can take from a few days to a couple of weeks to complete.

extended validation (EV)

An EV certificate requires the same validations as DV and OV certificates, and possibly more, so it is the strictest to validate and provides the highest level of assurance.

4. Expiry

A critical capability of PKI certificates is expiry. Every SSL certificate has an expiry date, or lifetime, calculated from the date of issue. The current maximum lifetime of a certificate is 398 days, or about 13 months (previously 2- and 5-year certificates were available).

The reason for shorter lifetimes is to take expired or potentially insecure certificates out of circulation within a reasonable period of time.

This expiry means that certificate users need to plan for a renewal of their certificates every year, and ahead of the expiry date.

Because DV certificates have lighter validation requirements, renewing within 1 or 2 weeks of expiry is generally sufficient. Because of the extended validation requirements for OV and EV certificates, it is recommended to start the renewal process at least 3 weeks before expiry.
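As an added example (not from the original post), the following shell functions turn those lead times into a check you can run against a certificate file: DV gets 14 days, OV and EV get 21 days, and openssl x509 -checkend decides whether the certificate expires within that window. The self-signed test certificates, hostnames and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: apply the renewal lead times
# (DV: 2 weeks; OV and EV: 3 weeks) to a certificate file with OpenSSL's
# -checkend test. Hostnames and paths are constructed placeholders.
set -eu

# lead_seconds TYPE: how long before expiry renewal should start
lead_seconds() {
    case $1 in
        DV)    echo $((14 * 86400)) ;;
        OV|EV) echo $((21 * 86400)) ;;
        *)     echo "unknown certificate type: $1" >&2; return 2 ;;
    esac
}

# renewal_due CERT TYPE: exit 0 if renewal can wait, 1 if it should start now
renewal_due() {
    cert=$1; kind=$2; lead=$(lead_seconds "$kind")
    expiry=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    # -checkend N succeeds only if the certificate is still valid N seconds from now
    if openssl x509 -in "$cert" -noout -checkend "$lead" >/dev/null; then
        echo "OK   $cert ($kind) expires $expiry, more than $((lead / 86400)) days away"
    else
        echo "DUE  $cert ($kind) expires $expiry, start renewal now"
        return 1
    fi
}

# make_selfsigned OUT DAYS HOST: constructed test certificate valid for DAYS days
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=$3" -days "$2" 2>/dev/null
}

# usage: sh this_script.sh demo
if [ "${1-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_selfsigned "$dir/short" 10 x.y.com
    make_selfsigned "$dir/mid"   18 x.y.com
    for t in DV OV EV; do
        renewal_due "$dir/short.crt" "$t" || true
        renewal_due "$dir/mid.crt" "$t" || true
    done
fi
```

The 18-day certificate is the interesting case: a DV renewal can still wait, but an OV or EV renewal is already late. To check a deployed certificate rather than a file, save the server’s certificate first with `openssl s_client -connect x.y.com:443 -servername x.y.com </dev/null 2>/dev/null | openssl x509 > live.crt` and then run `renewal_due live.crt OV`; the same function is what you would put behind a scheduled job that alerts when it returns 1.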

Practical Implementations of SSL Certificates

There are three primary implementations of certificate management:

  • Apache/Nginx/Linux – these servers all use OpenSSL to create and manage keys and certificates
  • Windows – this platform uses IIS (Internet Information Services) and the Windows certificate store to manage certificates
  • Java/JRE/enterprise servers/Tomcat – these platforms use a JKS (Java KeyStore) to manage certificates

In addition, many CA vendors provide their own tools to assist with the creation and management of SSL certificates.

What certificate to use and when

For the majority of websites, a DV certificate is sufficient, and the most cost effective option.

Typically, though, you follow this process and ask yourself:

  • do I need a single-subdomain, multi-subdomain or wildcard domain certificate?
  • what level of assurance and validation do I need or want?

Those two questions will point you to the type of certificate to use.

Conclusion

SSL certificates are critical to the functioning of a secure web solution, protecting data between client and server, offering privacy and authenticating the website to the client.

Making sure you have a well-oiled certificate management solution and process is important to keep this critical function running without issue.

Some related links:

SSL and SSL Certificates Explained For Beginners

https://www.cloudflare.com/en-gb/learning/ssl/types-of-ssl-certificates

https://www.sectigo.com/resource-library/different-types-of-ssl-certificates-explained

https://stackoverflow.com/questions/470523/how-does-ssl-really-work

  1. Sectigo