SSL Certificates

Keeping information secure on the Internet is not a trivial task.  The Internet was not designed to hide data: instead, data is sent with no protection at all from snooping.  With the development of the World Wide Web, and the growth of e-commerce, the need for protecting customer information, including personal data such as address, credit card numbers, and identity numbers became critical.  A number of techniques were developed, but one has become a standard for the Web: SSL.

When you connect to a web server from your browser, the connection is almost always without any protection at all.  However, most e-commerce sites have adopted SSL as a way of protecting both their customers and their own information.  You can tell when SSL is in use by the URL changing to “https” instead of “http” and the lock icon appearing on the browser window.  On newer browsers, the entire URL entry field turns green to show when an SSL connection is in place.

But what is SSL?  And, more importantly, how do you set up your own web server to use SSL?  That’s what we’ll look at here.

What is an SSL Certificate?

Secure Sockets Layer (SSL) is a method of creating an encrypted connection between web servers and browsers.  All information passing in either direction over this link is encrypted and safe from casual snooping.

In order for a web server to create an SSL connection with a browser, an SSL Certificate is required. The SSL Certificate provides the information a browser needs to connect securely with the server.

When you set up your web server to support SSL, the SSL Certificate is used to create two special numbers, called “keys”.  One of these keys is a private key that only your web server knows.  The other is called a public key, which anyone can obtain.  Anyone can send you information encrypted with your public key, which your browser can automatically obtain, but only your web server can decrypt these incoming messages using the private key (not the public key). All of this encrypting and decrypting remains hidden to the user: the web server and the remote user’s browser takes care of everything automatically.  However, without the public key, no connection to your web server can be created using SSL.

The public key used by your web server is placed in a “Certificate Signing Request” or “CSR”.  The CSR is just a data file that contains information about your web server, as well as the public key.  This CSR is then shared with the world, allowing anyone to connect to your web server using SSL.

Why bother with an SSL Certificate?

Put simply, if you sell anything on the Web, or gather information about your customers (especially sensitive information such as credit card numbers or personal data that is not usually in the public domain) you need an SSL Certificate.  Many savvy customers are now aware of the issues of privacy on the Web, and will only use sites that protect their information using SSL.

You might also want to consider an SSL Certificate if you deal with information that might be of use to your business competitors.  For example, if you provide your customers access to your network or a network application, you should strongly consider an SSL Certificate so others cannot see the information that is on your network, or transferred between your server and the customer.

You also need to consider an SSL Certificate if you have multiple offices, or have employees who connect remotely.  While VPN software can be installed to protect data, often an SSL Certificate is an easier and
less expensive way to provide connections between remote sites.

Finally, SSL Certificates are required in some situations where privacy laws and regulations are in place.  Some companies you might deal with will require certain security precautions of their customers or suppliers, for example.  In these cases, you can meet most international security requirements using SSL Certificates.

One last point: using an SSL Certificate is a simple way to show your customers or those who connect to your Web server that you care about privacy and their personal information.  It’s a little bit of assurance for them that usually reaps huge benefits in the way people see your company or organization.

Getting an SSL Certificate

In order to use SSL on your web server, you need an SSL Certificate.  In theory, you could create your own certificate and CSR, but it would not be widely distributed on the World Wide Web to allow browsers to connect to your server.  Instead, SSL Certificates are managed as part of the WWW infrastructure, regulated and controlled by companies and organizations called “Certificate Authorities”. SSL Certificates are issued to companies usually, but individuals can apply for a certificate too.

When you apply for an SSL Certificate, which is used to create the public and private keys used to encrypt data to and from your web server, you are asked for information about your domain name. For some certificates, you are also asked for your company name and your address.  Each SSL Certificate contains an expiry date after which the certificate is no longer valid, as well as information about the Certificate Authority that issued the SSL Certificate.

Many ISPs also act as Certificate Authorities (although not all ISPs do offer this service).  Fortunately, it doesn’t matter which ISP you use, since an SSL Certificate can be issued for any domain, whether it’s hosted on the Certificate Authority’s machines or not.  If you have your web server hosted on an ISP’s server farm, you may find it easiest to use them to register your SSL Certificate, but you can just as easily use the least expensive Certificate Authority and transfer the certificate at any time.

Costs for SSL Certificates vary depending on the Certificate Authority, as well as the type of certificate you want. Many ISPs and registrars offer several types of SSL Certificates.  There is little effect on a customer connecting to your web server as to which type of SSL Certificate you have, but there is a difference in the data stored in your CSR.

The simplest is a basic SSL Certificate that can be acquired without verifying your company or you individually. Usually, all the Certificate Authority does is confirm your domain is registered. The SSL Certificate contains only your domain name, and no information about your company.  This type of SSL Certificate is easy to obtain (all you need is a domain!) and can be issued in seconds.

The higher level SSL Certificates add information about your company, address, and contact information.  These certificates usually require verification of the company’s legal status, as well as identities of those making the request for an SSL Certificate.  Typically, these SSL Certificates cost more, and often require hours (or even days) to be issued.

Creating a CSR

There is a three-step process used by most Certificate Authorities when you buy an SSL Certificate:

1. Create the CSR on your web server
2. Purchase the SSL Certificate using the CSR information
3. Install the SSL Certificate

The process to creating a CSR is different for each type of Web server software, unfortunately, but luckily most Certificate Authorities have step-by-step instructions that show you how to create the CSR.  For the example below, we’ll use Microsoft’s Internet Information Manager running on a Windows 2003 Server machine, a typical configuration for a business.  If you are using a different web server, the concepts are similar but the individual process will be different, of course.

To create a CSR for IIS 6 under Windows 2003 Server, follow these steps:

1. Open the Internet Information Services Manager (under Administrative Tools)
2. Right-click on the Web site that the certificate it to be applied to, and select Properties:

3. From the Properties sheet, select the Directory Security tab
4. Click Server Certificate:

5. The Web Server Certificate Wizard appears.  Click Next
6. Click “Create a new certificate”:

7. Click “Prepare the request now, but send it later”:

8. In the top field, enter the name of the certificate (usually this will correspond to your domain name, but it may not if you manage multiple entities). You can leave the bit length at 1024 (if you are using a 40-bit only version of Windows Server, you can only generate 1 512-bit key):

9. Enter your organization and unit name (business name and department, often):

10. Enter the name of your web server or the URL to the domain (use a fully qualified domain name). Note that the name has to be specific to the secure component of the web site.  For example, if you enter the name “abc.com” but the actual secure site component is “secure.abc.com” the certificate will not be valid:

11. Enter your country and base address information (not all certificates will use this information, but it does no harm to include it anyway):

12. Enter the filename where the certificate is to be stored:

13. Click Next, and the confirmation dialog appears. When you click Next at this point, the certificate is created.

At this point, you now have a CSR ready to send to the Certificate authority to be bound to your SSL Certificate. The CSR is encrypted and will have special identifiers at the start and end. A sample CSR looks like this:



After the CSR is created, you can now buy an SSL Certificate and associate it with the CSR.

Continued in SSL Certificates - Part 2