How do SSL certificates work and how do they provide security?

Web.com Team

 

This article was originally published on October 12, 2020. It was updated on December 20, 2021.

 

What is SSL?

Before learning how SSL certificates work, it's important to cover some basic information. SSL, or Secure Sockets Layer, is the name of a system or 'protocol' used to secure information as it travels across the internet. SSL is actually the 'old' name for the protocol, and today it's known as TLS or Transport Layer Security. SSL/TLS is the 'S' in 'HTTPS' that makes the connection to your website secure.

 

Without SSL, the information you enter into a website such as your passwords, credit cards and other personal information can be intercepted and read or tampered with. When you have an SSL certificate in place on your website, the information sent from a user to the site is encrypted so that anyone able to intercept that data can only see scrambled information and your users' private data is secure.

SSL/TLS also provides some authentication of the domain name, ensuring that you are visiting the 'real' website on that domain name.

How do SSL certificates work?

In order for a website to use SSL/TLS, you will need a certificate. A certificate is actually a small file that you must have installed on your web host or web server, and it is a combination of an encryption 'key' (known as a 'public key') and some identity information – such as your domain name and your business name and address. Think of it as a digital 'passport' to identify your website.

Once you have the certificate installed on your website and HTTPS enabled, users can browse to the site securely. In doing so, their browser initially contacts your site and fetches the certificate. The browser then 'verifies' the certificate – again, much like a border agent would verify your passport. The browser checks that the certificate is in date and has not expired; certificates have a finite lifetime, generally one year, and you need to renew them annually.

The browser checks that the domain name within the certificate matches the website address being visited, and also checks that the certificate was issued by a trusted authority – making sure that the information within the certificate has been verified by a trustworthy source.
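The three browser checks described above (validity dates, domain name, trusted issuer), as an added Python example that is not part of the original article; it also covers the wildcard and multi-domain names described later on this page. The certificate dict, `TRUSTED_ISSUERS` and the function names are constructed for illustration, and the issuer check is a name lookup standing in for real signature-chain verification.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
# (modern browsers match names against subjectAltName, not commonName).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
# Hypothetical trust store. A real browser verifies the signature chain
# up to a root CA certificate it ships with, not just the issuer name.
TRUSTED_ISSUERS = {"Example Trusted CA"}


def name_matches(pattern, host):
    """Match a certificate DNS name; '*' covers exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # reject overly broad patterns such as '*.com'
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify(cert, host, now):
    """Return the list of failed checks; an empty list means 'accept'."""
    failures = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now.timestamp() <= not_after:
        failures.append("expired-or-not-yet-valid")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        failures.append("name-mismatch")
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    if issuer.get("organizationName") not in TRUSTED_ISSUERS:
        failures.append("untrusted-issuer")
    return failures


if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host in ("example.com", "www.example.com", "a.b.example.com"):
        print(host, verify(SAMPLE_CERT, host, when) or "accept")
```

Note that the wildcard entry does not cover `a.b.example.com`: a wildcard stands for a single label, so deeper subdomains need their own entry in the certificate.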

 


What types of SSL certificates are available?

Certificates are obtained from 'Certificate Authorities' or CAs – companies that produce certificates. There are only a small number of these companies, as operating a CA is a complex task, not only in terms of producing the certificates but also in verifying the information within them and assuring general internet users that the CA is trustworthy and is performing this verification correctly. CAs are audited once a year and must maintain a certain standard of secure operations so that their certificates are accepted by browsers.

There are three main types of certificates, varying only in the amount of information included within the certificate and how detailed the checking is on that information:

  • DV - Domain Validation - the certificate contains only the domain name(s), which are verified by the CA using technical methods.
  • OV - Organization Validation - the certificate contains validated domain name(s) just as a DV certificate, but also includes a company name and address. These details are verified with third-party databases like the country or state business register.
  • EV - Extended Validation - this certificate contains not only validated domain name(s) but detailed company information that has been more thoroughly checked against an independent standard for this type of verification. The company must be fully legally incorporated, in good standing and individuals at the company must be contacted to confirm the certificate was requested and that they have signed agreements to request the certificate.

 

There are some additional sub-types of certificates which vary how domain names are included within the certificate – a single domain name, a domain name and all its subdomains (a wildcard certificate), or a list of many separate domains and subdomains (a multi-domain or 'unified communications' certificate).

The types of certificates above can be mixed-and-matched, so you can purchase a 'DV multi-domain certificate' or an 'OV wildcard' certificate depending on your technical requirements.

SSL certificates can be purchased from a CA directly, but they can also be obtained from your web host, who may often assist with the setup process, making it as simple as one click to enable security on your website.

How does SSL help my website?

First and foremost, you want to ensure your customers' information is not stolen or intercepted on your website. From a simple email form to a credit-card payment page – you need to ensure that customer information is protected.

Many web browsers today will not let a user enter sensitive information to a website without a certificate and may even show warning messages for your site, leading to user abandonment and lost business. Some search engines use HTTPS and security as a ranking factor in search engine results, so having a certificate and HTTPS can be good for SEO. More recently, browsers have begun ensuring that newer browser features can only be used on secure websites. For example, if your site uses things like geolocation to discover where your users are, or webcam and microphone integration – you will need a certificate.

Ultimately, using SSL/TLS certificates and HTTPS on your website offers a strong layer of security and reassurance to your customers that they should trust and continue to do business with you, and that their information is protected when they use your website.

 

Author: Nick France | CTO of SSL at Sectigo

As CTO of SSL, Nick France is responsible for the technology and practices necessary to operate Sectigo’s global Certificate Authority (CA) and related services. Nick previously served for more than 15 years as Sectigo’s Technical Security Officer. He is based in Sectigo’s UK office.