What is SSL?

When you imagine the average business transaction, what do you see? The checkout lane at your local grocery store? Or maybe the lemonade stand at the end of the street?

In all likelihood, you’re probably not thinking of a website. And yet, more transactions are happening digitally than ever before. As a matter of fact, global e-commerce sales are on pace to surpass $8 trillion by 2027 — a 42% increase compared to 2023.

Here’s the problem: Online transactions often involve sensitive information traveling over potentially insecure devices and networks. In turn, digital interactions must be kept private and secure. Fortunately, that’s exactly what digital certificates and the Secure Sockets Layer (SSL) are made to do.

Not familiar? No worries — we’re here to bring you up to speed. Read on to learn more about SSL security, the importance of encryption, and how to choose the right digital certificate for your organization.

What is Transport Layer Security (TLS)?

For all intents and purposes, Transport Layer Security is the modern successor to the original SSL security protocol. However, many people still use the name “SSL” when they really mean TLS. Nowadays, you may even see a combination of the acronyms: SSL/TLS encryption.

That said, they’re not necessarily interchangeable, as there is a notable difference.

In simple terms, TLS encryption is more secure than its predecessor. There have been several versions of SSL security over the years, each one with vulnerabilities that would later be revealed. This is why SSL hasn’t been updated since 1996 and is now considered “deprecated.”

So, TLS is the default security protocol in today’s market, even if it’s still commonly referred to as “SSL.” Transport Layer Security 1.3 — the latest iteration — fixes many of the earlier versions’ existing weaknesses, rendering it the safest and most secure connection available. In fact, the National Institute of Standards in Technology (NIST) requires all government TLS servers and clients to support TLS 1.2 and recommends agencies plan to adopt TLS 1.3 in 2024.

What are digital certificates?

A digital certificate is an electronic document that proves the authenticity of a device, web server, user, or other entity through cryptography and public key infrastructure (PKI). Digital certificates are valuable tools in helping organizations ensure that only trusted entities access their networks.

As we’ll explain, they’re also commonly used to confirm the authenticity of a website to a web browser, allowing SSL to establish an encrypted connection. This particular type of certificate is known as an “SSL certificate,” or a “TLS certificate” — but more on that later.

As a website owner, SSL and TLS certificates are necessary to protect your organization, customers, and employees from the increasingly daring threat vectors challenging modern cybersecurity. Websites and servers that lack encryption are susceptible to attack. That means a treasure trove of sensitive data could be at risk.

Indeed, website domain ownership isn’t to be taken lightly. There are several reasons to deploy an SSL or TLS certificate:

• Data security: SSL security ensures that sensitive information can’t be accessed by unauthorized users — only the intended recipients. This is especially important for safeguarding login credentials, financial data, personal information, and other high-value targets.
• Phishing resistance: Digital certificates also prevent certain types of cyber attacks, such as phishing. Hackers commonly attempt to fool unsuspecting victims into inputting their sensitive data into a falsified website, believing it to be real. However, a TLS certificate can authenticate the web server, alerting users whether the domain is legitimate or not.
• Identity security: SSL security encrypts usernames, passwords, and forms used to submit personal information, thereby creating safer experiences for your customers.
• Customer retention and conversion: Prospects who visit your website are more likely to complete a purchase if they know the checkout process is protected through a secure connection. SSL security can save you the embarrassment of a data breach, which is known to drive away at least 83% of consumers.
• Search engine rankings: Google actually punishes sites without SSL certificates by flagging them as unsecured, which can negatively impact search engine optimization (SEO) rankings and website visibility.
• Compliance: Escalating requirements are pressuring businesses to take secure communication seriously. For instance, Europe’s General Data Protection Regulation (GDPR) implements strict standards for encryption. Companies that violate GDPR rules are subject to fines of €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.

 It’s clear to see that SSL encryption is important — but how does SSL work? Let’s dive in and explain it step by step.

Generally speaking, the process is as follows:

1. A browser or server attempts to connect to a website (i.e., a web server) securely with SSL. The web client messages the server to initiate the process.
2. In response, the website sends back a copy of its SSL certificate known as a public key.
3. The browser/server checks to see whether or not it trusts the SSL certificate. If so, it creates and sends an encrypted private key back to the website.
4. The web server receives and decrypts the private key. Then, it creates an encrypted connection and delivers content back to the client.
5. Finally, the client decrypts the content and can safely begin the session.

This process is often called an “SSL handshake.” Why? Because it’s basically an agreement between the two sides, establishing trust between one another. On the surface, it may seem like a lengthy ordeal, but it actually happens in a matter of milliseconds. In fact, it has practically no impact on the end-user experience.

Notably, SSL can only be added by websites that have an SSL or TLS certificate. These certificates act as a badge that authenticates and verifies the website owner. One important aspect of the TLS certificate is the website’s public key — a mechanism that makes encryption possible.

Devices view the public key and use it to create secure encryption keys with the web server. Simultaneously, the web server has a private key that’s always kept secret, as this is what’s used to decrypt data encrypted by the public key.

That’s a lot of keys. So, to sum it all up, here are those definitions again:

• SSL handshake: A negotiation between two parties — normally a browser/server and web server — that establishes a secure connection.
• Public key: A cryptographic key used to encrypt messages intended for a particular recipient, decipherable only by using a second tool — i.e., the private key.
• Private key: Also known as a secret key, this is used to encrypt and decrypt data, thus beginning a secure session.

Digital certificates can be broken down by type and validation level. Let’s first examine the three main SSL and TLS certificate types:

1. Single-domain: As the name implies, a single-domain SSL certificate applies to only one website. It can’t be used to authenticate any other domain, including subdomains of the website it’s issued to.
2. Wildcard: Similarly, a wildcard certificate applies to just one domain, but it can also include its subdomains. So, you can use it to safeguard sensitive information and authenticate everything under the umbrella domain.
3. Multi-domain: By contrast, a multi-domain SSL can list multiple unrelated domains on one SSL certification.

Digital certificates also come with different validation levels, which are used by a certificate authority (CA) to prove domain ownership. They exist on a spectrum ranging from minimum validation all the way to rigorous background checks. Let’s take a closer look at each one in more detail:

Extended Validation (EV SSL Certificate)

Most online users prefer an EV SSL certificate because it comes with the most comprehensive verification checking, which includes domain verification as well as cross-checks that tie the entity to a specific physical location.

This type of verification leaves a detailed paper trail providing customers with recourse should fraud take place while transacting on that website.

Organization Validation (OV SSL Certificate)

Domains that obtain an OV certificate are put through a slightly less rigorous process. The CA contacts the person or business requesting the certificate, but doesn’t complete a full background check on the subject.

In addition to domain ownership, the company is validated and the certificate details can be viewed on most major web browsers, giving users the opportunity to determine if the site they’re on is legitimate.

Domain Validation (DV SSL Certificate)

A website secured with a DV certificate offers only a locked padlock in the address bar, but does not show organization details because they do not exist. These certificates validate domain ownership only, can be acquired anonymously, and do not tie a domain to a person, place or entity.

Digital certificates come in all shapes and sizes, offering various levels of protection and assurance. It’s important to select the right SSL/TLS certificate for your business needs, or you may risk increased exposure to potential attacks and compliance violations.

Firstly, consider the level of validation required of your organization. Does your industry have strict data protection and encryption standards? What type of assurance are your target customers looking for? What type of personal information do you collect? These questions should set you down the right path.

Next, you’ll have to select the certificate type required for your specific purposes. Ask yourself: What’s your key usage? Do you have a standard web server request or a cluster of exchange serves to cover? Will you need a multi-domain certificate?

Still not sure? Try our SSL certificate selection tool for more guidance.

Acquiring your certificate

Once you’ve narrowed down your choices, you’ll have to submit a Certificate Signing Request (CSR) to an authorized certificate authority, such as Entrust.

Additionally, permission from the domain owner is required for every domain included in a certificate. A CA cannot process certificate requests if the domain name isn’t registered to the requesting company, its parent organization, or one of its subsidiaries. You’ll have to provide a business phone number and a senior leader’s contact information. In total, you’ll need:

• Valid payment information
• Authorizing contact information
• Technical contact information
• Billing contact information
• A completed CSR
• A list of all domains

At Entrust, we provide flexible and convenient access to a wide range of SSL/TLS certificates, enabling you to make the best choice for your organization.

Entrust is a founding member of the Certificate Authority (CA) Security Council and the CA/Browser Forum. Our digital security experts actively contribute to the development of industry standards for TLS/SSL, document signing, code signing certificates, and certificate management.

More than just leadership, we offer a robust and trusted portfolio of digital certificates for a wide range of enterprise requirements. With Entrust’s award-winning certificates platform, you gain:

• Award-winning support
• Universal browser compatibility
• Unlimited reissues
• Unlimited server licensing
• 128- to 256-bit encryption
• All Entrust certificates conform to the widely accepted x.509 international public key infrastructure (PKI).