SSLs - Frequently Asked Questions

What is SSL? How does SSL work? What type of SSL certificate do you need? How do you install or move an SSL certificate? What does this SSL certificate error mean? Confused? Our SSL FAQs (Frequently Asked Questions) can help. We explain things in the clearest way possible while showing you what all the SSL jargon means so you have complete control over your SSL certificate purchasing experience. If you have a question that isn't answered in our SSL FAQs below, please let us know.

Questions

  • What is SSL?
    SSL is an acronym for Secure Sockets Layer, an encryption technology that was created by Netscape. SSL creates an encrypted connection between a web server and a web browser allowing for private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. The use of an SSL server certificate on a website is usually indicated by a padlock icon in a web browser such as Internet Explorer or Firefox. Millions of online businesses use SSL certificates to secure their websites and allow their customers to place trust in them. In order to use the SSL protocol, a web server requires the use of an SSL certificate. SSL certificates are provided by Certification Authorities (CA).
  • Why do I need SSL?
    If you are transmitting sensitive information on a web site, such as credit card numbers or personal information, you need to secure it with SSL encryption. It is possible for every piece of data to be seen by others unless it is secured by an SSL server certificate. Your customers won't trust your web site without it.
  • What is a certificate authority (CA)?
    A certificate authority is an entity which issues digital certificates to organizations or people after validating them. Certification authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined procedures. Every certification authority provides a Certification Practice Statement (CPS) that defines the procedures that will be used to verify applications. There are many commercial CAs that charge for their services (Symantec). Institutions and governments may have their own CAs, and there are also free CAs.
  • How do SSL Certificates compare between certificate authorities?
    Symantec certificates are better because they cost so much more, right? Not necessarily. You can get a certificate for $100 that does the exact same thing as a certificate sold for $800 from another certificate authority. It is the exact same SSL encryption. Why the difference? Trust is the biggest difference. Since Symantec has been around for longer than other certificate authorities, more people trust them so they can charge more. You are essentially paying for the brand. Our certificates cost less and do more.
  • What is browser compatibility?
    The certificate that you purchase to secure your web site must be digitally signed by another certificate that is already in the trusted store of your users' web browsers. That way, the web browser will automatically trust your certificate because it is issued by someone that it already trusts. If it isn't signed by a trusted root certificate, or if links in the certificate chain are missing, then the web browser will give a warning message that the web site may not be trusted. So browser compatibility means that the certificate you buy is signed by a root certificate that is already trusted by most web browsers that your customers may be using. Unless otherwise noted, the certificates from all major certificate providers listed on SSL Shopper are compatible with 99% of all browsers.
  • How many domain names can I secure?
    Most SSL server certificates will only secure a single domain name or sub-domain. For example, a certificate could secure www.yourdomain.com or mail.yourdomain.com but not both. The certificate will still work on a different domain name but the web browser will give an error anytime it sees that the address in the address bar doesn't match the domain name (called a common name) in the certificate. If you need to secure multiple sub-domains on a single domain name, you can buy a wildcard certificate. For a wildcard certificate, a common name of *.yourdomain.com would secure www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com, etc... There are also special certificates such as Unified Communications (UC) certificates for Microsoft Exchange Server 2007 that can secure several different domain names in one certificate.
  • What is a site seal?
    A site seal is a logo that you can display on your web site that verifies that you have been validated by a particular certificate provider and are using their SSL certificate to secure your site. It can be displayed on secure and non-secure pages and is most appropriate on pages where customers are about to enter their personal information such as a shopping cart page but they can be displayed on every page to help build trust. Every certificate authority's site seal is different and some look more professional so you should consider what the site seal looks like in order to maximize customer trust.
  • What is a high assurance certificate?
    There are many different types of certificates and many different SSL certificate features that you may need to understand in order to purchase the right SSL certificate. The most critical distinction to make is whether you need a high assurance certificate, a low assurance certificate, or an EV certificate. A high assurance certificate is the normal type of certificate that is issued. There are two things that must be verified before you can be issued a high assurance certificate: ownership of the domain name and valid business registration. Both of these items are listed on the certificate so visitors can be sure that you are who you say you are. Because it requires manual validation, high assurance certificates can take an hour to a few days to be issued.
  • What is a low assurance/domain-validated certificate?
    A low assurance/domain-validated certificate is a certificate that only includes your domain name in the certificate (not your business or organization name). Certificate authorities usually can automatically verify that you own the domain name by checking the WHOIS record. They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers.
  • What is an EV (Extended Validation) certificate?
    An EV SSL Certificate is a new type of certificate that is designed to prevent phishing attacks - when fake sites attempt to get personal information from a user. An EV SSL requires extended validation of your business and authorization to order the certificate and can take a few days to a few weeks to receive. It provides even greater assurance to customers than high assurance certificates by making the address bar turn green in most browsers.
  • What is a wildcard certificate?
    A wildcard certificate can secure an unlimited number of first level sub domains on a single domain name. For example, you could get a wildcard certificate with *.yourdomain.com as the common name. This certificate would secure www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com, anything.yourdomain.com, etc... In other words, it will work on any sub-domain that replaces the wildcard character (*).
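
The matching rule described here and under "How many domain names can I secure?", as an added example (not code from this site or from any browser). The function names are hypothetical, and the rule requiring at least two labels after the `*` is a simplification of the checks browsers apply.

```python
def name_matches(hostname, cert_name):
    """True if hostname is covered by the name in the certificate."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = cert_name.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so the label counts must agree.
    if len(host) != len(pattern) or "" in host:
        return False
    if pattern[0] == "*":
        # Assumption: refuse over-broad names such as *.com.
        if len(pattern) < 3:
            return False
        return host[1:] == pattern[1:]
    # This example accepts a wildcard only as the whole left-most label.
    if any("*" in label for label in pattern):
        return False
    return host == pattern


def coverage(cert_name, hostnames):
    """Map each hostname to whether the certificate name covers it."""
    return {h: name_matches(h, cert_name) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample hostnames.
    sample = ["www.yourdomain.com", "MAIL.yourdomain.com", "yourdomain.com",
              "a.b.yourdomain.com", "www.otherdomain.com"]
    for host, ok in coverage("*.yourdomain.com", sample).items():
        print(f"{host:24} {'covered' if ok else 'name mismatch error'}")
```

The bare domain and second-level sub-domains such as a.b.yourdomain.com come back as mismatches, which is the case that most often surprises people deploying a wildcard certificate.
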
  • What is an SGC Certificate?
    SGC SSL Certificates enable older browsers to connect to a site using 256-bit encryption even if the normal browser encryption rate is 40-bit. They usually cost significantly more and are only available from certain vendors. However, there are several strong arguments against using SGC SSL Certificates. Essentially, the percentage of people using web browsers that would benefit from an SGC certificate is less than 1% because all browsers released since the year 2000 have been capable of using strong crypto without needing SGC certificates. In addition, by using an SGC certificate on your site, you are encouraging your visitors to use old, insecure browsers which have many more security flaws than newer browsers.
  • What is a Chained Certificate, Intermediate Certificate, Root Certificate, etc…?
    A certificate authority issues certificates in the form of a tree structure. A root certificate is the top-most certificate of the tree. All certificates below the root certificate inherit the trustworthiness of the root certificate. Many software applications, such as web browsers, include certain root certificates that are automatically deemed trustworthy. Any certificate signed by a trusted root certificate will also be trusted. In turn, the signed certificate can sign another certificate and it will also be trusted as long as the browser has all of the certificates in the chain to link it up to a trusted root certificate. Any certificate in between your certificate and the root certificate is called a chained or intermediate certificate. These must be installed to the web server with the primary certificate for your web site so that users' browsers can link your certificate to a trusted authority. Most certificate authorities use chained certificates for security purposes and most web servers and devices support them.
  • What is a warranty?
    The warranty that you get when you purchase an SSL certificate ($10,000, $250,000, etc...) can be misleading. It is not a warranty to the purchaser but rather to the end users who use a site secured by an SSL certificate. Basically, if you, the purchaser, turn out to be fraudulent and a user of your web site loses money because the certificate authority didn't properly validate you, then the certificate authority will compensate the end user. This practically never happens! It is therefore not very important how big the warranty is when you buy an SSL certificate. Certain certificate authorities have slightly different policies on warranties that you may wish to look into.
  • What is a Scalable SSL Certificate?
    All certificate authorities now issue scalable certificates. Certificates can be used at low encryption rates (40 bit encryption), normal encryption rates (128 bit encryption), or even higher encryption rates (usually up to 256 bit encryption) depending on what the user's web browser and the web server support. The term "scalable SSL Certificate" is just marketing hype.
  • What is needed to buy a certificate?

    A unique IP address. Unless you have a special set-up on your web server (using host headers), you will need a separate IP address for each certificate that you want to use.

    A CSR. A certificate signing request or CSR is a piece of text that must be generated on your web server before ordering the SSL certificate. The certificate authority will use the information contained in the CSR (Organization name, domain name, public key, etc...) to create your certificate.

    Correct contact information in WHOIS record. When you purchase a certificate for a particular domain name, the certificate authority needs to ensure that you own the domain name that you are getting the certificate for and that you are authorized to order the certificate. This is primarily done by making sure that the WHOIS record (the ownership and contact information associated with each domain name) matches the company name and address that is submitted with the certificate order. You can check the WHOIS record for your domain name here.

    Business/Organization validation documents. If you are buying a high-assurance certificate, your business must also be validated. Certificate authorities often check government databases online to verify that your company is registered but they may still need you to send in a government registration document if they can't find your business. Each certificate authority has slightly different requirements for validation.

  • How long does it take to get a secure certificate?
    How quickly you get your certificate depends on what type of certificate you get and which certificate provider you get it from. If you get a domain-validated only certificate you will get it issued instantly or within a few minutes. If you get a normal, organization-validated certificate, you may get it issued within an hour to a few days after you submit all the documentation. If you get an extended validation certificate (EV), you may wait several days to a few weeks while the validation takes place.
  • What is a CSR (Certificate Signing Request)?
    A CSR or Certificate Signing request is a block of encrypted text that is generated on the server that the certificate will be used on. It contains information that will be included in your certificate such as your organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate. A private key is usually created at the same time that you create the CSR. A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. What is a CSR and private key good for if someone else can potentially compromise your communications? The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.
  • What is contained in a CSR?

  • What is a CSR's format?

    Most CSRs are created in the Base-64 encoded PEM format. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR. A PEM format CSR can be opened in a text editor and looks like the following example:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
    MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w
    HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v
    Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV
    IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr
    WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J
    cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl
    4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH
    Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D
    6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
    -----END CERTIFICATE REQUEST-----

  • How do I generate a CSR and private key?
    You need to generate a CSR and private key on the server that the certificate will be used on. If you are familiar with OpenSSL you can use the following command to generate a CSR and private key:

    openssl req -new -keyout server.key -out server.csr
  • How do I decode a CSR?

    You can easily decode your CSR to see what is in it by using our CSR Decoder.
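
What a decoder does with the example CSR shown above, as an added example using only the Python standard library (this is not the site's CSR Decoder). The function names are hypothetical, and the code assumes an RSA key and short subject attribute OIDs (2.5.4.x), which is what the example CSR contains.

```python
import base64

# The example CSR from this page, embedded so the block runs offline.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIIByjCCATMCAQAwgYkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMR8w
HQYDVQQLExZJbmZvcm1hdGlvbiBUZWNobm9sb2d5MRcwFQYDVQQDEw53d3cuZ29v
Z2xlLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEApZtYJCHJ4VpVXHfV
IlstQTlO4qC03hjX+ZkPyvdYd1Q4+qbAeTwXmCUKYHThVRd5aXSqlPzyIBwieMZr
WFlRQddZ1IzXAlVRDWwAo60KecqeAXnnUK+5fXoTI/UgWshre8tJ+x/TMHaQKR/J
cIWPhqaQhsJuzZbvAdGA80BLxdMCAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GBAIhl
4PvFq+e7ipARgI5ZM+GZx6mpCz44DTo0JkwfRDf+BtrsaC0q68eTf2XhYOsq4fkH
Q0uA0aVog3f5iJxCa3Hp5gxbJQ6zV6kJ0TEsuaaOhEko9sdpCoPOnRBm2i/XRD2D
6iNh8f8z0ShGsFqjDgFHyF3o+lUyj+UC6H1QW7bn
-----END CERTIFICATE REQUEST-----"""

# Last byte of the X.520 attribute OIDs 2.5.4.x, mapped to the usual short names.
ATTRS = {3: "CN", 6: "C", 7: "L", 8: "ST", 10: "O", 11: "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split SEQUENCE/SET contents into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_csr(pem):
    """Return (subject dict, RSA key size in bits) for a PEM-encoded CSR."""
    b64 = "".join(l.strip() for l in pem.splitlines() if "-----" not in l)
    info = children(read_tlv(base64.b64decode(b64), 0)[1])[0][1]
    _version, subject, spki, _attributes = children(info)
    fields = {}
    for _, rdn in children(subject[1]):        # Name is a SEQUENCE of SETs
        for _, pair in children(rdn):          # each holding SEQUENCE {OID, value}
            (_, oid), (_, text) = children(pair)
            known = len(oid) == 3 and oid[:2] == b"\x55\x04"
            name = ATTRS.get(oid[2]) if known else None
            fields[name or oid.hex()] = text.decode("utf-8")
    bits = children(spki[1])[1][1]             # BIT STRING wrapping RSAPublicKey
    modulus = children(read_tlv(bits, 1)[1])[0][1]   # skip the unused-bits byte
    return fields, int.from_bytes(modulus, "big").bit_length()
```

Every subject field and the public key come out of the CSR without any secret, and the 1024-bit key size it reports for this old sample is exactly the kind of detail worth checking before submitting a request.
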

  • How do I install a wildcard certificate?
    A wildcard certificate is installed the exact same way that a normal certificate is installed. The only difference is the * character in the common name field which the web browser knows how to handle. Nothing extra is needed to install the certificate on the server.
  • What is reissuing a certificate?
    Reissuing a certificate allows you to create a new certificate based on a new private key. This allows you to install the certificate on a new server without moving your current private key or replacing the current certificate if your private key is lost or compromised. Many certificate authorities offer free reissues but some have more limited options. In order to reissue your certificate you will just need to create a new CSR and then process the reissue and receive a new certificate within your account with the certificate authority. Then you can install the new SSL certificate that is based on your new private key.
  • Do I have to buy a new certificate if my server crashes?
    No. Most certificates allow you to reissue the certificate with a new private key if you lose the current one. Still, it is a very good idea to backup your certificate and private key.
  • How do I backup my private key?
    Without your private key, your digital certificate is useless. It isn't possible to recover a private key with the certificate. The certificate authority that creates the certificate never sees your private key, so they can't help you if you lose it! If you do lose your private key you can create a new one and try reissuing the certificate with the certificate authority.
  • What are Phishing Scams?
    Phishing scams are where a scammer tries to get personal or financial information by creating a fake site that offers products or services in exchange for registration and/or payment. For example, some scams will email you with a link to what appears to be your bank's homepage - when in fact the site is a copy designed to gather login details.

    Avoiding Phishing Scams: Banks and online payment gateways use EV SSL - an Extended Validation SSL Certificate. This SSL makes the address bar of your browser turn green - and by clicking on the padlock icon, you can see more details on the EV SSL including who it is officially registered to and when it runs out.