Secure Sockets Layer (SSL) Overview
The Basics
SSL is short for Secure Sockets Layer. It is a mechanism for encrypting data between your computer and another computer, as well as for verifying the identity of a server. A special form of URL tells a web browser that it needs to open a secure connection and encrypt all data.
URL not using SSL: http://www.example.com
URL using SSL: https://www.example.com
You may have seen SSL used when you login to your bank's online web access to view your account information or when using an eCommerce shopping cart checkout.
How It Works
When your web browser requests a secure page (using an https URL), the server sends its public key and SSL certificate to the web browser. The web browser then checks the identity of the server against the certificate and ensures that they match (or displays a warning if they don't). The browser will then encrypt the request for data and send it to the server. This request could be a simple request for an HTML document or a more complex request that involves sending a username and password. The server will then decrypt this request, process it, and encrypt the response. When the server has returned the requested information, the browser will decrypt it and display it for you.
The Technology
The basic components of SSL are a public key, a private key and a certificate. Each computer can generate a private key that is kept only on that computer and used for decrypting information. So that others can encrypt data for it in the first place, the computer also generates a matching public key that it can distribute to the world in general. This way, a sending computer can encrypt data using the public key, but only the intended recipient can decrypt it using the private key.
For a more technical overview, please refer to the Linux Documentation Project SSL How-To.
Do I Need SSL?
That depends.
- If you are just running a basic website with pictures of your dog and maybe a small blog, you probably do not need SSL.
- If you want to check your webmail with a secure login, SSL is already available on the server for your use.
- If you need a secure encrypted login for a private customer area of your business website, then you do need SSL.
- If you are running an online store where people are providing you with credit card information into a web form, you will definitely need SSL.
Basically, the average website will probably not need SSL. eCommerce sites and other business-related sites that need a secure connection will need SSL.
Different Kinds of Certificates
Trusted Root
Some companies operate a Trusted Root Authority. They are established companies, and they've paid good money to have their root certificates included in your web browser (whether it's Internet Explorer, Firefox, Safari, Opera, etc). Your browser will automatically "trust" any certificate that has been issued by these authorities directly. These certificates are usually issued by GeoTrust, Verisign or Thawte. This is how it looks to your browser:
Server sends certificate to browser for verification.
Browser checks the issuing authority (eg, Thawte) on the certificate.
Browser then checks its internal list of trusted roots.
Browser says "OK! - I believe you are who you say you are!"
Chained
Other companies operate certificate authorities, but they aren't trusted roots. They usually issue Chained Certificates based on a root that is issued by one of the Trusted Roots. This is how it looks to your browser:
Server sends certificate and a "chain certificate" to browser for verification.
Browser checks the issuing authority (eg, XYZ company) on the certificate.
Browser says, "I don't know who you are. But I see you were issued by XYZ and that you've included XYZ's certificate".
Browser then checks the chain certificate and sees that it's issued by a Trusted Root.
Browser then checks its internal list of trusted roots.
Browser says "OK! - I believe you are who you say you are!"
Self-Signed
You can also work with a self-signed certificate. This is the kind of certificate you might encounter when using a secure login on a shared server. This certificate is still good for encrypting data, but there is no third-party verification process used to identify the server sending the certificate.
Server sends certificate and a "chain certificate" to browser for verification.
Browser checks the issuing authority (eg, XYZ company) on the certificate.
Browser says, "I don't know who you are. I see you were issued by yourself, and not by a Trusted Root".
Browser then displays a warning dialog saying that the certificate could not be verified automatically.
User decides whether to accept the certificate or reject the certificate.
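The three browser walkthroughs above (trusted root, chained, self-signed) all come down to one question: does the issuer path starting at the server's certificate end at a root the browser already trusts? The following Python models just that decision; it is an added illustration, not code from this page or from any browser. The certificates and the trust store are constructed name-only dicts, so it shows the chain-walking logic only and none of the signature, expiry, hostname or revocation checks a real browser also performs. It adds one case the walkthroughs leave implicit: a chained certificate installed without its CA bundle, which a browser cannot link to a trusted root.

```python
# Trust store: root names the browser ships with (constructed sample values).
TRUSTED_ROOTS = {"Thawte Root CA", "GeoTrust Root CA"}


def cert(subject, issuer):
    """A minimal stand-in for an X.509 certificate: who it names, who signed it."""
    return {"subject": subject, "issuer": issuer}


def classify_chain(presented, trusted_roots, max_depth=5):
    """Walk the chain the server presented and return (verdict, path).

    presented[0] is the server certificate; any further entries are the
    "chain certificates" the server included (the CA bundle).
    """
    by_subject = {c["subject"]: c for c in presented}
    current = presented[0]
    path = [current["subject"]]
    for _ in range(max_depth):
        issuer = current["issuer"]
        if issuer == current["subject"]:
            # Issued by itself: nobody else vouches for this identity.
            # At depth 0 that is a self-signed server cert (warning dialog);
            # deeper in the chain it is a private root the browser does not know.
            return ("self-signed" if len(path) == 1 else "untrusted-root", path)
        if issuer in trusted_roots:
            # Reached a root in the browser's internal list: "I believe you".
            verdict = "trusted-root" if len(path) == 1 else "chained"
            return (verdict, path + [issuer])
        nxt = by_subject.get(issuer)
        if nxt is None:
            # Issuer is neither trusted nor supplied: typically a missing CA bundle.
            return ("unknown-issuer", path + [issuer])
        current = nxt
        path.append(current["subject"])
    return ("chain-too-long", path)


# Constructed sample chains matching the scenarios in the text.
DIRECT = [cert("www.example.com", "Thawte Root CA")]
CHAINED = [cert("www.example.com", "XYZ Company CA"),
           cert("XYZ Company CA", "Thawte Root CA")]
SELF_SIGNED = [cert("www.example.com", "www.example.com")]
MISSING_BUNDLE = [cert("www.example.com", "XYZ Company CA")]  # bundle not installed

if __name__ == "__main__":
    for name, chain in [("direct", DIRECT), ("chained", CHAINED),
                        ("self-signed", SELF_SIGNED), ("no bundle", MISSING_BUNDLE)]:
        print(name, "->", classify_chain(chain, TRUSTED_ROOTS))
```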
Manage Your SSL Certificate
If you wish to make changes to your SSL certificate before it expires, such as updating the domain name or WHOIS information or switching the SSL certificate to a new server/host, then you must request to have the certificate reissued. After the SSL certificate has been reissued, re-installation is required.
Renew an SSL Certificate
When it is time to renew an SSL certificate, you must purchase and install a new certificate; this applies to reissued certificates as well. When you renew your SSL certificate, you will need a new CSR. When the SSL certificate is issued, you will receive three different groups of alphanumeric data sent from the certificate provider:
- The SSL certificate
- A CA bundle (possibly)
If you purchase an SSL certificate from us, we will install it for free. If you purchase an SSL certificate from a different company, we will ALSO install that for free!
If you do not wish to renew an SSL certificate, simply allow it to expire.
See also All About RSAs and CSRs, Generate SSH Keys and Connect to Your Account via PuTTY (Windows), Install an SSL Certificate, Transfer Current SSL to New Account