In the early days of the internet, all website requests and responses were transferred in “plain text.” This meant they were potentially viewable by digital eavesdroppers, making it risky to transmit things like login credentials, credit card numbers, and other sensitive personal information.
In the mid-1990s, Netscape developed a security protocol for encrypting confidential information for delivering and transferring web content. This protocol was called SSL (Secure Sockets Layer) and would later evolve into another protocol, called TLS (Transport Layer Security).
While SSL and TLS differ in terms of their capabilities and architecture, they both provide security through the use of a digital technology called an SSL certificate.
What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates a website’s identity and creates an encrypted connection between it and a browser.
Sometimes called SSL/TLS certificates, digital certificates, or simply certs, they protect the identity of the remote connection and make online interactions private.
They ensure that no one can read or modify content shared over the secure connection except the sender and recipient. An SSL certificate acts both like a passport to verify the website owner’s identity and like a key to keep user data secure via powerful encryption.
What is an SSL certificate authority (CA)?
SSL certificates are issued by organizations called certificate authorities (CAs). A CA is a trusted third-party organization that guarantees a website’s identity. They are trusted because they are few in number, well known, and must clear high barriers to entry. There are just over 100 CAs worldwide, and they undergo regular audits.
Before issuing a certificate, the CA verifies the certificate requester’s information, like site ownership, name, location, and more, according to established industry standards. The CA digitally signs the certificate with its own private key, enabling clients to verify it. To provide this service, most CAs charge a small annual fee (although free SSL certs are available from some web hosts and nonprofit CAs).
The SSL certificate is a small digital file, typically a few kilobytes, installed on the server supporting TLS and shared with others. This file contains:
- The domain name of the site for which the cert was issued
- The organization to which it was issued (the certificate holder)
- The name of the issuing certificate authority
- The certificate authority’s digital signature
- Any associated subdomains
- The certificate issue date and expiration date
- The public key (the private key is not shared)
Whenever you use a browser to connect to a URL beginning with “https,” or see a green padlock icon in the browser address bar, you know you have a secure TLS connection verified by an SSL certificate issued by a CA. Clicking on the padlock icon will display additional information about the SSL certificate, the domain owner, and the connection.
While this padlock means that your connection to the site is secure, it does not necessarily mean the site is secure. Just because you can connect securely to a site doesn’t mean it’s not controlled by nefarious actors.
How do SSL certificates work?
An SSL certificate uses encryption algorithms to scramble data in transit. This ensures that any data transferred between a browser and a website remains impossible for a third party to read.
Secure communication over TLS relies on two keys—one public and one private—to make a secure connection.
When a browser attempts to connect to a website secured with TLS, that communication is established by a “handshake,” or back-and-forth communication that only takes a few milliseconds. The steps in this handshake are:
- The client (browser) connects to the SSL-secured website (server).
- The client asks the server to identify itself.
- The server sends over a copy of its SSL certificate.
- The client examines the SSL certificate for trustworthiness and signals to the server if it passes.
- The server initiates a digitally signed agreement to commence an SSL-encrypted session.
- Encrypted data now flows freely and safely between the browser and the server.
The initial handshake uses asymmetric encryption based on public and private keys. After validation, the client and server exchange temporary private keys used only for the session. This allows for more efficient encryption and decryption.
Types of SSL certificates
- Domain validated (DV) certificate
- Organization validated (OV) certificate
- Extended validation (EV) certificate
You’ll want to choose the right SSL certificate to get the most out of SSL. Different SSL certificates serve different purposes and have different costs to consider:
Domain-validated (DV) certificate
Cost: $0–$99 per year
A DV SSL certificate involves a minimal, automated identity verification, establishing only that the owner has control over the domain or subdomain. This is usually accomplished by email.
A DV SSL certificate is the least expensive way to obtain a cert, and most free SSL certificates are of this type. However, it represents the lowest standard of website security. DV certificates are useful for blogs, personal websites, small businesses, or any site with the most basic security needs.
Organization-validated (OV) certificate
Cost: $100–$999 per year
An OV SSL certificate offers a stronger guarantee of the identity of the bearer. In order to obtain an OV certificate, the purchaser must pass nine validation checks.
This is a mid-level business certificate, and the issuing CA guarantees that the organization affiliated with the certificate is valid and in good standing. This is a good choice for businesses not conducting financial or ecommerce transactions through their site.
Extended validation (EV) certificate
Cost: $1,000+ per year
An EV SSL certificate represents the highest level of identity verification, making it most suitable for corporations, financial entities, and ecommerce websites. Sixteen validation checks are involved, including both legal identity and physical location.
The end user sees a green browser bar, indicating the highest level of verification, as well as additional corporate information behind the padlock.
The difference between HTTP and HTTPS
HTTP stands for Hypertext Transfer Protocol. It sends information between a website and its visitors in plain text that anyone can intercept and read. Think of it as sending a postcard through the mail. Anyone who handles the postcard—like mail carriers or sorting facility workers—can read what’s written on it.
HTTPS stands for Hypertext Transfer Protocol Secure. It uses SSL/TLS certificates to make encrypted connections. Any data being transmitted—such as credit card numbers or passwords—is scrambled into complicated code that only your website and the visitor’s browser can decrypt. Think of it as sending that postcard again, but in a locked briefcase to which only you and the receiver have the key.
HTTPS has become standard now. Modern browsers display a padlock icon for HTTPS sites, giving visitors confidence that your website is legitimate and secure. They will mark HTTP sites as “Not Secure,” which can immediately turn away potential customers.
What to do if your SSL certificate is compromised
Learning that your SSL certificate has been compromised is like finding out someone copied your house key. It’s serious, but there’s a way to fix it:
- Respond immediately. Revoke your compromised certificate immediately through your Certificate Authority (CA). Take down your website temporarily if you suspect active attacks.
- Investigate the breach. Alert your security provider and figure out how the certificate was compromised. Check your server logs for unusual activity and look for signs of unauthorized access or malware, like connection attempts from unusual IP addresses or multiple failed certificate validation attempts.
- Get a new certificate. Request a new SSL certificate from your CA. Generate a new private key (super important—don’t reuse the old one!). Then, install and configure the new certificate on your servers.
- Strengthen your ecommerce security. Consider switching to a more secure type of certificate. Set up automated monitoring to catch future issues faster.
What if you need to secure multiple domains?
A single SSL certificate secures a single domain name. However, many businesses need a solution that secures multiple domain names or subdomains. For these businesses, the SSL protocol provides two different solutions: a wildcard SSL certificate or a multi-domain SSL certificate. Here’s how they differ:
Wildcard SSL certificate
Some businesses use multiple subdomains (e.g., mail.example.com, shop.example.com) to serve different functions on the same website. For these organizations, the best SSL solution is typically a wildcard SSL certificate. A wildcard SSL certificate secures a website’s primary domain, as well as any associated subdomains, reducing costs and simplifying administration.
Multi-domain SSL certificate
While wildcard SSL certificates help a website owner secure subdomains within a single domain, multi-domain SSL certificates (MDC) can secure multiple domain names at once. Additional domains can be added to a multi-domain cert via “subject alternative names” (SANs) without the need to acquire an additional single-domain SSL certificate. Multi-domain SSL certificates are sometimes known as unified communications certificates (UCC).
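To see which hostnames a wildcard or multi-domain certificate actually covers, the added example below (not code from the original article) matches hostnames against a certificate's SAN entries. The certificate dictionaries are constructed samples in the shape Python's `getpeercert()` returns, the function names are hypothetical, and the wildcard rule is a simplification of the standard matching rules: `*` stands for exactly one left-most label.

```python
"""Which hostnames does a certificate's SAN list cover? (added example)"""

# Constructed getpeercert()-style dicts; example.com / example.net are placeholders.
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
WILDCARD_ONLY = {"subjectAltName": (("DNS", "*.example.com"),)}
MULTI_DOMAIN_CERT = {"subjectAltName": (("DNS", "example.com"),
                                        ("DNS", "www.example.com"),
                                        ("DNS", "example.net"))}


def san_matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN DNS entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never several
    if p[0] == "*":
        # Simplification: require two fixed labels after "*" so "*.com" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # no wildcard: the names must be identical


def covering_entry(cert: dict, hostname: str):
    """Return the SAN entry that covers hostname, or None if nothing does."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and san_matches(value, hostname):
            return value
    return None


def coverage_report(cert: dict, hostnames) -> dict:
    """Map each hostname to its covering SAN entry (None means not covered)."""
    return {name: covering_entry(cert, name) for name in hostnames}


if __name__ == "__main__":
    hosts = ["example.com", "shop.example.com", "a.shop.example.com", "example.net"]
    for label, cert in [("wildcard", WILDCARD_CERT), ("multi-domain", MULTI_DOMAIN_CERT)]:
        print(label, coverage_report(cert, hosts))
```

Note that `*.example.com` alone does not cover the bare `example.com` or a second-level name such as `a.shop.example.com`; those need their own SAN entries.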
What happens when an SSL certificate expires?
When an SSL certificate expires, it’s like having a trust badge taken away from your business. Here are some of the consequences:
- Scares away visitors. Visitors trying to access your website will see scary warning messages in their browsers. Chrome might display a large red screen saying, “Your connection is not private,” while Firefox warns visitors that the connection is not secure. Most people will quickly hit the back button when they see these warnings.
- Harms SEO capabilities. Search engines like Google don’t like expired SSL certificates either, and they’ll likely drop your website’s ranking in search engine results, since they prioritize secure websites. This means fewer people will find you through online searches.
- Hurts customer trust. When customers see security warnings, they’ll question whether sharing their credit card information or personal details on your site is secure. Some customers might think twice before returning, even after you fix the certificate.
💡 The good news: Certificate expiration dates are predictable. They’re right there on your SSL certificate. Most certificates last for one year, though some providers offer two-year certificates. The smart move is to renew your certificate at least a few weeks before it expires.
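Because the expiration date is in the certificate itself, the renewal check can be automated. The following is an added example, not code from the original article: it reads `notAfter` from a certificate obtained over a verified TLS handshake and classifies it. The 21-day window is an assumed reading of "a few weeks", and the function names and sample certificate are constructed for illustration.

```python
"""Certificate expiry check over a validated TLS handshake (added example)."""
import socket
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 21  # assumption: "a few weeks" read as three weeks

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"notAfter": "Jun  1 12:00:00 2025 GMT"}


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with chain and hostname verification; return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_left(cert: dict, now: datetime) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def renewal_status(cert: dict, now: datetime, window: int = RENEW_WINDOW_DAYS) -> str:
    """Classify a certificate as 'expired', 'renew-now' or 'ok'."""
    remaining = days_left(cert, now)
    if remaining < 0:
        return "expired"
    return "renew-now" if remaining <= window else "ok"


def check_host(host: str) -> str:
    """Status for a live host. An expired or untrusted certificate fails the
    handshake itself, so that case is reported from the exception."""
    try:
        cert = fetch_cert(host)
    except ssl.SSLCertVerificationError as exc:
        return f"invalid: {exc.verify_message}"
    return renewal_status(cert, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    print(renewal_status(SAMPLE_CERT, datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)))
```

Run `check_host()` on a schedule for each hostname you serve and alert on anything other than "ok".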
How to get an SSL certificate
Acquiring single- or multi-domain SSL certificates and securing user data on your website can be complicated. Here’s how to do it:
- Determine the level of website security you need. Choose between DV, OV, or EV SSL. (If you have multiple domains or subdomains, you may need to add or substitute a wildcard or MDC cert.) Review your organizational needs and strategy and choose the appropriate level of identity verification.
- Determine the domains and subdomains to be supported. If you have only one, you may not need to obtain a wildcard certificate.
- Choose a certificate authority/provider. If you have a low-maintenance website or blog, you may just need to work with your web hosting service and obtain a free cert. Multi-domain and EV certs will involve a paid relationship with a certificate authority, in which case, it’s sensible to shop around.
- Generate a certificate signing request (CSR). A CSR file contains information about your domain and organization, and it is used by the certificate authority (CA) to generate your SSL certificate. The CSR includes your public key and must be submitted to the CA when applying for the SSL certificate.
- Request a certificate from your chosen SSL provider. This generally involves filling out web forms and making payments.
- Verify ownership and other details. The CA will follow up to verify the information you submitted in your application, at a minimum requiring email verification of domain ownership.
- Obtain and install the certificate. Depending on the CA you choose and your web platform, you will download a ZIP file containing the public key, a private key, and a certificate authority bundle. If you are working with a commercial web host, the administration console for your site will usually include tools for certificate installation; if you are working on your own hardware, follow that environment’s documentation.
- Configure other apps to use the certificate. If you intend to support SSL connections to other server applications (e.g., WordPress, email, etc.), configure them to use your certificate and the TLS protocol.
- Confirm your secure connection is working. Connect to your website and/or other apps and ensure a secure connection. Click on the padlock and review the information displayed in your browser.
- Submit your site(s) to search engines. Your new “https” websites are distinct from your old “http” sites. If your users rely on search engines to find you, you must re-submit your new https web address to get your web pages indexed.
SSL certificate FAQ
What is the cost of an SSL certificate?
The cost of an SSL certificate can range from $50 to $1,000 per year, depending on the type of certificate and level of validation you need. A basic domain-validated (DV) certificate might cost around $50 to $70 annually, while extended validation (EV) certificates, which provide the highest security and verification, can cost upward of $1,000.
Can I get a free SSL certificate?
Yes, you can get a free SSL certificate through services like Let’s Encrypt, which is a nonprofit certificate authority trusted by all major browsers. Many web hosting providers also include free SSL certificates as part of their hosting packages, though these are typically basic domain-validated certificates.
Is an SSL certificate essential?
An SSL certificate is essential for any website requiring users to enter personal information. Even if your site isn’t handling sensitive data, SSL certificates are highly recommended, because search engines penalize websites without them, and browsers alert users of unsecured websites.
How do I get an SSL certificate?
- Determine the level of security required.
- Determine the domains and subdomains to be supported.
- Choose a certificate authority/provider.
- Request the certificate from the chosen provider.
- Verify domain ownership and other criteria.
- Obtain and install the certificate.
What is the difference between SSL and TLS?
Transport Layer Security (TLS) is the successor to SSL. Although TLS offers some improvements over SSL, the terms are often used interchangeably. Both protocols work in the same way, using encryption to secure data transfer between sender and recipient.
What types of SSL certificates are there?
- Domain-validated (DV) certificate
- Organization-validated (OV) certificate
- Extended-validation (EV) certificate
- Wildcard SSL certificate
- Multi-domain SSL certificate (MDC)