Ever wondered what the term SSL certificate represents? Well, you’re about to find out. In fact, you’ll leave knowing enough to keep up a conversation about the term and its concrete use. We’ve done our best to make it detailed, but digestible enough for a first-time website owner who only started using WordPress a short time ago. That’s realistic – owners get pressured into forcing SSL on their website early, even when they have no idea what it means or how to do it. So, for the sake of making the Internet a better, safer place, let’s answer, “what is an SSL certificate?”
What is SSL?
First, you must understand the base term. SSL, or Secure Sockets Layer, is an Internet security protocol, developed in 1995, that is based on encryption between the communicating devices. This ensures a high degree of privacy and prevents interception, since the data is gibberish without a decryption key, and nearly impossible to crack manually. Moreover, SSL performs authentication of both devices, called a “handshake”, which verifies their digital identity. SSL also signs the data transferred between the devices, to make sure it wasn’t tampered with. Finally, SSL is often mentioned as SSL/TLS. That’s because of TLS (Transport Layer Security), which was an updated version released in 1999. But although SSL was deprecated, and TLS is its full-fledged replacement, the two terms are either used together or used interchangeably for easy recognition.
SSL Certificate defined
An SSL certificate, or more precisely, a TLS certificate, is a digital certificate that identifies a communicating device and makes implementation of SSL/TLS possible. Every SSL certificate combines:
- A domain name, hostname, or server name
- The identity of the organization and its location
The certificate is stored on the application’s or website’s server and displayed on the Internet as an indication the website or application uses SSL/TLS. The unique public key, assigned to each website, makes encryption possible. The user’s device, when it accesses the website, views that public key. During the “handshake” between the two, the user gets assigned a private key via SSL, which decrypts the data encrypted with a public key. With that said, an SSL certificate is necessary for transitioning your website from HTTP (Hypertext Transfer Protocol) to HTTPS (Hypertext Transfer Protocol Secure).
Who issues SSL certificates?
Certificate authorities (CAs) issue SSL certificates. One of the longest-running CAs, since 1996, is GlobalSign by GMO. You can also generate a public key for your website on your own, which is known as a self-signed SSL certificate. While this provides encryption and data integrity verification, your website might still get marked as “not secure” on the Internet. That’s because a CA didn’t authenticate the website, so there’s no confirmation of the organization’s identity and proof of ownership. In some cases, your website will even refuse to load.
What are SSL certificate types?
We’ll give you a concise definition since these terms can be expanded upon. Here are 3 types of SSL certificates:
- Single-domain. The certificate only applies to one domain, e.g. your website name.
- Wildcard. The SSL certificate applies to one domain, but also includes all of its subdomains. For example, “smtp.wpthinker.com”.
- Multi-domain (MDC). An MDC SSL certificate encompasses multiple unrelated domains registered to one organization’s identity.
SSL certificate validation level
The validation level of an SSL certificate signifies how thorough the background check on the organization’s identity is. With that said, SSL certificates have 3 validation levels:
- Domain validation. This is the most basic level and the cheapest. It signifies that the organization proved they control the domain.
- Organization validation. This level does the same but inspires more confidence in users. It shows that the CA contacted the organization to obtain the necessary proof of ownership.
- Extended validation. The extended level indicates that the CA ran a very rigorous background check on the organization.
Are SSL certificates free?
We mentioned “cheapest” above, so you can assume that SSL certificates aren’t free. That’s true – certificate authorities charge a fee based on the desired validation level. However, the majority of website hosting providers pay for the SSL certificate when you purchase their services, then offer it “for free” as part of the chosen package. Furthermore, there are non-profit CAs, such as Let’s Encrypt, that offer temporary single-domain and wildcard SSL certificates for free. If you choose to do so, you have to reapply every 3 months and can only reach the domain validation level.
Do I need an SSL certificate?
Yes, you do. This will establish trust with your visitors and prevent scammers from pouncing on them. Enabling an SSL certificate helps you protect information such as:
- Login credentials
- Personal information – name, date of birth, address, phone numbers, location
- Financial information – credit card details, bank account numbers, etc.
- Confidential, legal, or proprietary information
- Medical records and other types of sensitive data
How to know if a website uses an SSL certificate?
Here are 3 surefire ways to know if the SSL certificate is active:
1. URL
Its URL begins with https:// instead of http://.
2. Padlock icon
Each browser has its own way of displaying this, but in Google Chrome and Safari, there will be a padlock icon to the left of the URL in the address bar. Clicking on it provides more details.
3. Developer tools
Paid SSL certificates can last up to 2 years, while free ones last 90 days before they must be reapplied for. This means that a website can display signs #1 and #2 and still use an expired certificate. To double-check in Chrome, visit the desired website. Then, click on the 3-dot menu in the top right corner and go to More tools > Developer tools. Alternatively, press Ctrl + Shift + I (Windows, Linux) or Command + Shift + I (macOS). Switch over to the Security tab to examine SSL certificate validity.
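The same validity check can be scripted rather than clicked through. The Python sketch below is an added example, not part of the original article: fetch_cert() performs a verified handshake against a live site, and summarize() reports who issued the certificate, whether it covers a hostname (including the wildcard case) and how many days remain. The helper names and the sample certificate for example.com are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443, timeout=5.0):
    """Do a verified TLS handshake and return the server certificate as a dict.
    A self-signed, expired or mismatched certificate raises
    ssl.SSLCertVerificationError, the scripted form of a "not secure" warning."""
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Compare a certificate name with a hostname, label by label.
    A wildcard stands for exactly one left-most label, so *.example.com
    covers smtp.example.com but not example.com or a.b.example.com."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def summarize(cert, host, now=None):
    """Summarize a getpeercert() dict: issuer, name coverage, remaining lifetime."""
    now = now or datetime.now(timezone.utc)
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    not_after = datetime.fromtimestamp(expiry, tz=timezone.utc)
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    return {
        "issuer": issuer.get("organizationName"),
        "covers_host": any(name_matches(n, host) for n in names),
        "days_left": (not_after - now).days,
        "expired": now > not_after,
    }

# Constructed sample in the shape getpeercert() returns: a 90-day wildcard
# certificate that also lists the bare domain as a second name.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    when = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print(summarize(SAMPLE_CERT, "smtp.example.com", when))
```

For a live check, pass the result of fetch_cert("your-domain") to summarize() with the same hostname and alert when days_left drops below your renewal window.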