Choosing your SSL certificate V01
SSL Europa - 8 chemin des escargots - 18200 Orval - France T: +33 (0)9 88 99 54 09
Expert opinion
How to choose your SSL certificate?
Date: 03/13/2014
Summary
1) What does the SSL certificate do?
   Certification Authority
2) Use and implementation
3) The different types of certificates
   Types of validation
   RGS* certificates
   "Wildcard" certificates and SAN
   SSL Unified Communication certificates
   The period of validity
   Key sizes
   Multi-domain certificates
   Self-signed certificates
4) How to choose your SSL certificate?
   Dynamic seal
5) How is it created? (for experts)
   Asymmetric cryptography
   Website authentication
   Encryption of data exchanges
6) To conclude
1) What does the SSL certificate do?
When you access a website, the data exchanged is not protected and can be intercepted.
To encrypt the exchanges between the web browser and the website, the standard used by browser
vendors and web servers is Secure Socket Layer (SSL), also called Transport Layer Security (TLS).
Installing an SSL electronic certificate on the web server switches the site from HTTP to HTTPS, the
secure version, and the exchanges are encrypted. A padlock appears in the browser or the address
bar, and the address becomes https://www.siteweb.fr . Be careful: a padlock image displayed inside a
web page has no value; only the padlock shown by the browser itself counts.
So, if a website asks you for confidential information, or even a login and password, it is
recommended to enter that information only on websites that use an SSL certificate.
If you own a website, make sure that the https://www.siteweb.fr version does not present an invalid
certificate, as is often the case.
Certification Authority
The electronic certificate also guarantees that the owner of the domain name has been identified. If
you click on the padlock, you can see the Certification Authority that issued the certificate and
information about the certificate owner.
Certification Authorities (CAs) sign a contract with the publishers of Internet browsers and agree to
follow strict verification procedures before issuing an SSL certificate. Each Certification Authority is
audited every year.
The web browser trusts the Certification Authority, which issues the SSL electronic certificate to an
organization for a domain name such as www.organisation.fr after carrying out the required checks.
The CA is the trusted third party.
The Certification Authorities are gathered in the Certification Authorities (CA) and Browser Forum, or
CA/Browser Forum: https://www.cabforum.org/forum.html
2) Use and implementation
SSL certificates can be used for web servers, but also to encrypt VPN connections or electronic messaging.
To obtain an SSL certificate, you must first create the private key and the public key on the server. For
this you can use commands such as OpenSSL or the graphical interface of the server. Then you install
the private key on the server and send the public key, in a certificate request, to the Certification
Authority you have chosen. This Certification Authority carries out the usual checks, which may include
a Kbis (the French company registration extract) and a phone call, via the directory, to the person
registered on the Kbis, depending on the type of certificate. The checks may take several days, so it is
necessary to start them in advance.
[Diagram: you on the web send a certificate request to the trusted third party (the CA); the resulting certificate provides web site identification and encrypted exchanges.]
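The request procedure of section 2, replayed with the OpenSSL command line, as an added example that is not part of SSL Europa's document. It generates the private key (which stays on the server, readable only by its owner), builds the certificate signing request (CSR) that carries the public key and the subject the CA will verify, checks the CSR's own signature, and shows what to read back before sending it. The paths, the organization name and the use of www.entreprise.fr (taken from the text) as the domain are assumptions.

```shell
#!/bin/sh
# Added example, not SSL Europa's own material. Requires the openssl command line
# tool. Paths and the subject (/C=FR/O=Entreprise/CN=...) are assumptions.
set -eu

# Generate a 2048-bit RSA private key in $1 and restrict it to its owner.
# The private key never leaves the server; only the CSR goes to the CA.
make_private_key() {
    key="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    chmod 600 "$key"
    [ -s "$key" ]
}

# Build the CSR $2 for domain $3 from private key $1. The CSR is signed with the
# private key; the CA checks that signature to make sure the requester really
# holds the key matching the public key inside the request.
make_csr() {
    key="$1"; csr="$2"; domain="$3"
    openssl req -new -key "$key" -subj "/C=FR/O=Entreprise/CN=$domain" -out "$csr"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Size in bits of the public key carried by the CSR.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Common Name (the domain name) in the CSR subject; works with the
# "/CN=" and "CN = " output styles of the different OpenSSL versions.
csr_subject_cn() {
    openssl req -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Octal permission bits of a file (GNU and BSD stat syntaxes).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_private_key "$work/server.key"
make_csr "$work/server.key" "$work/server.csr" "www.entreprise.fr"
echo "private key: $work/server.key (mode $(file_mode "$work/server.key")) - keep it on the server"
echo "CSR to send to the CA: $work/server.csr"
echo "  CN=$(csr_subject_cn "$work/server.csr"), key size $(csr_key_bits "$work/server.csr") bits"
```

Read the CN and the key size back from the CSR before sending it: a wrong domain name or a 1024-bit key is far cheaper to fix at this stage than after the CA has issued the certificate.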
3) The different types of certificates
There are several types of certificates, depending on the level of verification carried out by the
Certification Authority (CA) and on the validity.
Types of validation
Domain Validated (DV) certificates, for which the CA checks that the domain name belongs to its
owner. This is the lowest level of security. It may be used for an intranet, for example, and it is
delivered very quickly.
Organization Validated (OV) certificates, for which the CA checks the existence of the organization
that owns the domain name. This is the most widely used type today, and it may be used for a
non-commercial website.
Extended Validation (EV) certificates, for which the CA checks the physical, legal and operational
existence of the organization. This is the highest level of security and it is used more and more. It has
the advantage of displaying a green bar in the browser to reassure customers. E-commerce websites
use these certificates.
RGS* certificates
The French Government established a standard named Référentiel Général de Sécurité and defined
validation processes for the SSL certificates of French public organizations. These are the certificates
to use for public organizations. They are close to EV certificates.
"Wildcard" certificates and SAN
A certificate is valid for one or several domain names or subdomains, such as www.entreprise.fr,
extranet.entreprise.fr or www.ecommerce.com. The SSL certificate is said to be valid for a main
domain name, such as www.entreprise.com, and additionally for Subject Alternative Names (SAN),
such as extranet.entreprise.fr.
In some cases, organizations want a certificate that is valid for a domain name such as entreprise.fr
and all of its subdomains, such as extranet.entreprise.fr, intranet.entreprise.fr, ecommerce.entreprise.fr,
etc. This is a wildcard certificate: it allows subdomains to be added without creating a new SSL certificate.
Wildcard certificates are not the most secure option, because it is better to name explicitly the domain
names and subdomains for which a certificate is valid.
Wildcard certificates are available in OV and DV but not in EV and RGS*.
SSL Unified Communication certificates
These certificates are identical to DV, OV and EV certificates. The name Unified Communication simply
means that these certificates have been tested for electronic messaging, and that the associated
documentation is provided.
The period of validity
SSL certificates have a period of validity: the domain name may pass to another person, the
organization may change, etc. The periods of validity are 1 year, 2 years and 3 years, except for EV
and RGS* certificates, for which the period is limited to 1 or 2 years. Some SSL certificate suppliers
offer an extra period of 3 years on top, but such durations are rarely requested, for security and cost
reasons.
Key sizes
The keys of SSL certificates used to be 1024 bits. Today, 1024-bit keys can be broken. The keys of SSL
certificates are now 2048 bits, and some browsers no longer accept 1024-bit keys. We also recommend
choosing 256-bit encryption algorithms and SHA-2 signature hashes.
Multi-domain certificates
Some companies offer cheap or free SSL certificates, bundled with other offers. You must be careful:
they are often multi-domain certificates shared between different clients, like an identity card issued
for several people. For your security and your image, this is a practice to avoid.
Self-signed certificates
Self-signed certificates can be generated by yourself with OpenSSL commands. These certificates are
not validated by a CA and are not recognized by Internet browsers, which raise an error. Even for an
intranet, it is more convenient to use an SSL certificate delivered by a CA; in that case, a DV certificate
is sufficient.
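An added audit script covering the two recommendations above (the "Key sizes" and "Self-signed certificates" paragraphs); it is not part of SSL Europa's document. It reads the key size, the signature algorithm and the issuer out of a PEM certificate with openssl and flags keys below 2048 bits, SHA-1 or MD5 signatures, and certificates that were signed by themselves rather than by a CA. To have something to audit offline, it constructs its own fixtures: a small private CA (the intranet case), a 2048-bit server certificate issued by that CA, and a 1024-bit self-signed certificate of the kind the text warns against. All names, paths and subjects are assumptions.

```shell
#!/bin/sh
# Added example, not SSL Europa's own material. Requires the openssl command line
# tool; the fixtures below are constructed for the demo.
set -eu

# Size in bits of the public key embedded in a certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Signature algorithm used by the issuer, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Signature Algorithm: *//p' | head -n 1
}

# A certificate whose issuer equals its subject was signed by itself, not by a CA.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')
    [ "$subj" = "$iss" ]
}

# Returns 0 when the certificate meets the recommendations of the text
# (2048-bit key, SHA-2 signature, CA-issued), 1 otherwise, one line per problem.
cert_audit() {
    cert="$1"; ok=0
    bits=$(cert_key_bits "$cert")
    alg=$(cert_sig_alg "$cert")
    if [ "$bits" -lt 2048 ]; then
        echo "WEAK: $bits-bit key (1024-bit keys can be broken; use 2048 bits)"; ok=1
    fi
    case "$alg" in
        *sha1*|*md5*) echo "WEAK: $alg signature (use SHA-2)"; ok=1 ;;
    esac
    if cert_is_self_signed "$cert"; then
        echo "WARN: self-signed certificate, browsers will show an error"; ok=1
    fi
    return "$ok"
}

# Constructed fixtures in directory $1: a private CA, a server certificate it
# signs (2048 bits, SHA-256), and a weak 1024-bit self-signed certificate.
build_fixtures() {
    d="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$d/ca.key" -sha256 -days 365 \
        -subj "/C=FR/O=Entreprise/CN=Entreprise private CA" -out "$d/ca.pem"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/server.key" 2>/dev/null
    openssl req -new -key "$d/server.key" \
        -subj "/C=FR/O=Entreprise/CN=www.entreprise.fr" -out "$d/server.csr"
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -sha256 -days 365 -out "$d/server.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -out "$d/weak.key" 2>/dev/null
    openssl req -x509 -new -key "$d/weak.key" -sha256 -days 365 \
        -subj "/CN=intranet.entreprise.fr" -out "$d/weak.pem"
}

# Demo: audit both constructed certificates.
work=$(mktemp -d)
build_fixtures "$work"
for c in "$work/server.pem" "$work/weak.pem"; do
    echo "== $c: $(cert_key_bits "$c") bits, $(cert_sig_alg "$c")"
    if cert_audit "$c"; then echo "OK"; else echo "NOT OK"; fi
done
```

To audit a certificate already installed on a server, run cert_audit on the PEM file the web server is configured with; the self-signed check only compares subject and issuer, so a certificate issued by an unknown private CA still passes it and needs the usual trust-store check on top.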
4) How to choose your SSL certificate?
First, you must choose the type of SSL certificate you need. The CAs that deliver certificates also
provide offers in which the organization and its domain names are validated in advance, with a
graphical interface that lets you issue yourself the certificates included in that pre-validated list.
When you buy an SSL certificate, you must choose the type of certificate that matches your needs and
contact an SSL certificate reseller.
It is very important to have good service quality to assist you with the key extraction and the
installation of the certificates, to get advice on which certificates to choose, and to benefit from a
good audit quality.
Prices for a 1-year certificate range from 100€ to 700€ depending on the type. The annual price
decreases with the number of years, and also with the volume of certificates purchased.
As with the cloud, you may be sensitive to where the CA is located and where the information about
your organization is stored. Choose a CA you trust.
The delivery time will be between 1 day and 3 days depending on the type of certificate, counted from
the moment you have gathered the documents needed for the verification.
Dynamic seal
Some CAs offer a dynamic seal: “Secure by Keynectis” or “Norton Secure verified by Verisign”, for
example. When the user clicks the logo on your web page, information about the certificate is
displayed in a new window, over HTTPS, at the domain name of Keynectis.com or Verisign.com, for
example.
5) How is it created? (for experts)
Asymmetric cryptography
In 1975, Whitfield Diffie and Martin Hellman developed a mathematical algorithm in which the
operations for encrypting and decrypting a document can be different: one key allows the document to
be encrypted and a different key allows it to be decrypted. In a way, one key locks the safe and
another one opens it. This technique was named asymmetric cryptography, as opposed to symmetric
cryptography.
With symmetric cryptography, the decryption process can be deduced from the encryption method.
This is not the case with asymmetric cryptography. This discovery had a significant impact.
Symmetric cryptography had major problems. It was necessary to share the encryption key with the
person who had to decrypt, and a different key was needed to communicate confidentially with each
party, which required a large list of keys. This technique was not efficient in the digital world.
Asymmetric cryptography was the new solution, because each person has a private key that nobody
else knows and a public key that everybody knows and that can be freely exchanged.
If we encrypt a message with the public key, only the person holding the corresponding private key
can decrypt it. It is no longer necessary for each person to keep confidential a set of symmetric keys,
one for each partner with whom we want to communicate in an encrypted way.
Website authentication
The SSL certificate of a web server involves two keys: a public key and a private key. The public key is
communicated to everyone, and the private key is confidential and kept only by the web server for
the domain name. The web browser uses the public key to encrypt a random message. Only the web
server can decrypt this message and send it back, because it is the only one holding the private
decryption key. The web browser can thus positively identify the website.
Encryption of data exchanges
The web browser and the web server negotiate the highest encryption level they both support.
The web browser sends a confidential symmetric encryption key, encrypted with the asymmetric
public key of the web server. Only the web server can decrypt this symmetric session key. The web
browser and the web server can then communicate in an encrypted and confidential way using the
session key.
[Diagram: the handshake between the web browser and the web server.
Web browser: sends a random value (nonce); negotiates the encryption algorithm; verifies the SSL certificate and the signature; generates an encryption session key; encrypts the session key with the server public key; sends the encrypted session key.
Web server: negotiates the encryption algorithm; sends the certificate and the signed random value; decrypts the session key with the private key.
The secret session key is shared.]
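The handshake described in "Website authentication", "Encryption of data exchanges" and the figure above, replayed step by step with openssl commands, as an added example that is not part of SSL Europa's document. The browser and the server are simply the two sides of one script: the browser holds only the server's public key, the server holds the private key, and each function implements one stage (the encrypted random challenge of the text, the signed random value of the figure, the session key encrypted for the server, and the AES-encrypted traffic that follows). File names, the session cipher (AES-256-CBC) and the sample message are assumptions.

```shell
#!/bin/sh
# Added example, not SSL Europa's own material. Requires the openssl command line
# tool. File names, the AES-256-CBC choice and the sample message are assumptions.
set -eu

# Server side, done once: the private key stays on the server; the public key is
# what the certificate carries and what the browser receives.
make_server_keys() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/server.key" 2>/dev/null
    openssl pkey -in "$1/server.key" -pubout -out "$1/server.pub"
}

# "Website authentication" as the text describes it: the browser encrypts a random
# message with the server's public key; only the holder of the private key can
# decrypt it and send it back. Returns 0 when the echoed value matches.
challenge_roundtrip() {
    d="$1"
    openssl rand -hex 16 > "$d/challenge.txt"                                  # browser
    openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" \
        -in "$d/challenge.txt" -out "$d/challenge.enc"                         # browser
    openssl pkeyutl -decrypt -inkey "$d/server.key" \
        -in "$d/challenge.enc" -out "$d/challenge.dec"                         # server
    cmp -s "$d/challenge.txt" "$d/challenge.dec"                                # browser
}

# The figure's variant: the browser sends a random value, the server returns it
# signed with its private key, and the browser checks the signature with the
# public key taken from the certificate. Returns 0 when the signature is valid.
signed_nonce_check() {
    d="$1"
    openssl rand -hex 16 > "$d/nonce.txt"                                      # browser
    openssl dgst -sha256 -sign "$d/server.key" -out "$d/nonce.sig" "$d/nonce.txt"   # server
    openssl dgst -sha256 -verify "$d/server.pub" -signature "$d/nonce.sig" \
        "$d/nonce.txt" >/dev/null 2>&1                                          # browser
}

# "Encryption of data exchanges": the browser generates a 256-bit symmetric session
# key, encrypts it with the server's public key, and the server recovers it with
# its private key. Returns 0 when both sides hold the same key.
exchange_session_key() {
    d="$1"
    openssl rand -hex 32 | tr -d '\n' > "$d/session.browser"                   # browser
    openssl pkeyutl -encrypt -pubin -inkey "$d/server.pub" \
        -in "$d/session.browser" -out "$d/session.enc"                         # browser
    openssl pkeyutl -decrypt -inkey "$d/server.key" \
        -in "$d/session.enc" -out "$d/session.server"                          # server
    cmp -s "$d/session.browser" "$d/session.server"
}

# From here on both sides use the shared session key: the browser encrypts $2 with
# AES-256-CBC, the server decrypts it, and the decrypted text is printed.
encrypted_exchange() {
    d="$1"; msg="$2"
    iv=$(openssl rand -hex 16)                 # sent in clear alongside the ciphertext
    printf '%s' "$msg" | openssl enc -aes-256-cbc -K "$(cat "$d/session.browser")" \
        -iv "$iv" -out "$d/msg.enc"                                             # browser
    openssl enc -d -aes-256-cbc -K "$(cat "$d/session.server")" \
        -iv "$iv" -in "$d/msg.enc"                                              # server
}

# Demo: run the whole sequence in a temporary directory.
work=$(mktemp -d)
make_server_keys "$work"
challenge_roundtrip "$work";  echo "server proved it holds the private key"
signed_nonce_check "$work";   echo "signature on the random value verified"
exchange_session_key "$work"; echo "session key shared"
echo "server decrypted: $(encrypted_exchange "$work" "login=alice&pwd=secret")"
```

The point to take from the script is which side ever touches server.key: only the decrypt and sign steps marked "server". Everything the browser does uses server.pub alone, which is why a stolen private key, not a copied certificate, is what lets someone impersonate the site.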
6) To conclude
There are many types of certificates. Suppliers can help you with your choice and with the installation.
According to Netcraft, the number of valid certificates in use on the Internet reached 2 885 224 in
February 2014, with an average growth of 12 000 per month. This trend is accelerating, and SSL has
become an essential technology for protecting websites.
SSL Europa
8 chemin des Escargots - 18200 Orval France
www.ssl-europa.com