SSL Certificate Glossary explains the terms and terminology used in the certificate deployment. Here at we defines the different SSL certificate terms and its meanings that will help the users to understand the concept of the certificate.
256-bit encryption is part of AES (Advanced Encryption Standard) encryption standard and is commercially used to encrypt the information traveling between the server and the browser. 256-bit offers highest protection compare to earlier 128-bit version.
2048-bit key encryption:
The 2048-bit key size is a new standard of encryption strength that works on RSA, DSA, and ECC encryption methods. It is used to generate CSR (certificate signing request). The earlier 1024-bit key size was used to generate the CSR.
Many website owners obtain an SSL certificate to secure login forms or payment checkout page and believe that they are safe against eavesdropping and sidejacking attacks. Therefore, Always-On SSL is emerging concept to enforce HTTPS on the entire website. It will save the web server from sidejacking and SSLStrip attack. It ensures the web users that the website is fully secured and authenticated.
Witfield Diffie & Martin Hellman are researchers who suggested Asymmetric encryption in 1977. Asymmetric encryption includes a pair of two keys, the public key is used to encrypt the file while the private key is used to decrypt the file content. The public key is kept with authorized individuals while the private key is only kept with a receiver.
Authentication refers the terms of verification that confirms the traveled message is not altered since it is created. Authentication follows the validation process to prove the identity of users or devices. For example, the browser tries to connect to the server and gets the copy of an SSL certificate to verify the reliability of a website.
The search engine has full rights to blacklist the malware infected website. Search engines help to get more traffic and lead for online businesses, so it is advisable to run website malware scan to identify malicious activities on your website. It is an ideal solution to avoid malware infection and search engine blacklisting.
Business validation is a one-step ahead in the validation process that not only verifies the domain ownership but also verifies the business existence. The certificate also carries 256-bit encryption and 2048-bit CSR encryption as per industry standard. If the visitor clicks on the HTTPS in the browser, there will be details of site registration, identification of website owner. Therefore, we can say that business validation brings more trust and confidence in the security of the website.
A certificate authority (CA) is an entity that issues and manages SSL certificates as well they have their own trusted root certificates. Few of them are Comodo, AlphaSSL, RapidSSL, Thawte, GlobalSign, GeoTrust, and Symantec. These CAs validates the identity of an SSL seeker and his business, after verifying every detail.
An expiry of a certificate refers to a date after which the certificate is no longer trustworthy. Even the browser will show a warning of untrusted connection when a user visits the website. After certificate expiry, a website owner has to renew the certificate.
Certificate revocation refers to circumstances like certificate mis-issuance or certificates compromised. Once the certificate is revoked, the majority of browsers will not trust such certificate and show untrusted certificate error.
Chained Root Certificate:
Most certificate authorities use their own Trusted Root certificates already existing in the browser. However, some certificate authorities do not have their own Trusted Root CA certificate, so they use “chained root” for their SSL certificates to be trusted by browsers. A certificate authority issues a chained certificate, which inherits the browser recognition of the Trusted Root CA. Such certificates are known as chained root SSL certificates and their installation is complex compared to a single root certificate.
The checksum is a value that verifies the integrity of a data; it ensures that the data is transmitted without any error as a single mistake in data byte can make data unusable.
Code Signing Certificate:
Code signing certificate protects the integrity of the software code. The certificate ensures that the code is not altered since it is signed. Software generally downloaded from third party resources are deemed unsafe while the software signed by Code signing certificate are legitimate. Generally, such signed software comes with time and date stamp that is designed to beat the warning message to be shown in the case of the expired certificate.
A cookie is a tiny text file that recognizes user’s preference and makes a customized web page when a user again visits the same website. Such cookies are harmless and do not damage the computer.
CPS (Certification Practice Statement):
Certification Practice Statement is a set of policies and practices set by the certificate authority in issuance, management, revocation and renewal of the certificate. Every certificate authority follows their CPS for SSL certificate related practices.
CRL (Certificate Revocation List):
CRL is a list of revoked certificates which are no longer valid. The certificate authority regularly updates CRL list. Browsers generally use CRL list to check the status of revoked certificate. In case, if the certificate is revoked (not expired), the browser shows a warning of the untrusted certificate. To avoid, spoofing and DoS attack, CA signs the CRL and generally issues with the digital signature.
A hash function converts text or message into a specific size of the string. A hash function is also named message digest or checksum. Mostly used hash functions are MD5, SHA-1, and SHA-2. Earlier, MD5 and SHA-0 standards were found ineffective against collision attack while SHA-1 was also futile against theoretical attack. At present, SHA-2 is used to sign the content.
CSR (Certificate Signing Request):
A CSR (Certificate Signing Request) is an encrypted text generated by users on their own desired server while obtaining an SSL certificate. It contains information of a business like the common name (domain name), organization legal name, organization location, city, state, country, email address, etc. The CSR also contains public key while the private key is created at the time of CSR generation. The CSR is created in Base-64 encoded PEM format and includes “—BEGIN CERTIFICATE REQUEST—–” and “—END CERTIFICATE REQUEST”.
Digital signature is a procedure that ensures the message is not altered. Whether you deal with an email or the online transactions, the digital signature is required for content integrity. Once a sender sends an encrypted message using the public key, the receiver can decrypt the message with sender’s private key. Once the digital signature is verified means it is not altered.
Domain name refers the name of a website (for example, https://www.mysite.com) where the domain name is “mysite.com”. Every domain name has its extension (.org, .com, .gov, .ca) that shows where domain name belongs. Each web server has its own IP address and the domain name verifies it by translating a domain name into IP address with the help of Domain Name System (DNS).
Domain Validation Certificate:
Domain validation is a primary level of the certificate that carries equal encryption strength but requires no rigorous process like another type of certificates. Domain validation certificate only confirms that the person has control over the domain and rights to request a certificate for the domain. The certificate authenticates only domain ownership of an SSL applicant.
DSA (Digital Signature Algorithm) is an alternative to RSA algorithm. Many CAs use both encryptions to reach ecosystems across clients. The NIST (National Institute Standards and Technology) announced DSA encryption in 1991 and adopted by FIPS (Federal Information Processing Standard) in 1993.
Elliptic Curve Cryptography:
Before the arrival of ECC (Elliptic Curve Cryptography) algorithm, mostly public key algorithms were worked on RSA and DSA. ECC is utilized with a view to providing strong security and better server usage. If we compare the key length used in RSA and ECC, there is lot difference, for example – 256-bit ECC key is equal to 3072-bit RSA key. Because of reduced key size, ECC is expected to remain favorite in IT and security systems. ECC offers fast page loading, fewer server process compared to RSA. ECC is endorsed by the NSA and compliant with NIST 800-131A guidelines.
Encryption makes data or information unreadable by encoding it into the form that can be interpreted by the receiver. To decode the information, a receiver should have private key or decryption key. Earlier, encryption process was done on the base of a single key while in public key cryptography, there are two keys used: encryption and decryption.
Extended validation certificate is also named a green bar certificate. It not only offers robust encryption to the website but also follows strong verification process. Extended validation certificate is superior to domain and business validation hence, are slightly expensive. Moreover, extended validation offers phishing protection as a result, many websites have moved on EV SSL certificate. Customers easily put trust on websites that have EV SSL certificate as it furnishes highest authenticity and reliability.
FQDN is an abbreviated of Fully Qualified Domain Name on which the certificate authority issues SSL certificate. For example, you take www.mydomain.com, where “www” refers to the subdomain and “mydomain” is a root domain and .com is TLD.
Free SSL is a trial certificate given for limited period, is helpful for startups who want to experience web security at no cost. Free SSL offers an opportunity to learn about SSL enrollment, installment, and renewal process. After the trial period is ended, the certificate will be expired and a business has to renew the certificate or buy a new certificate at specified price.
Green bar generally comes with extended validation certificate that turns browser address bar into the green color. The green bar shows highest authenticity level of a website and ensures visitors that the website is verified by reputed certificate authority (CA) and is safe for online transactions. Moreover, the green bar shows your company name in the bar as a visual proof of website security.
HTTP Strict Transport Security:
HSTS is an addition of Always-On SSL policy as it secures website against protocol downgrade and cookies hijacking. The policy states that web servers and the web browsers can communicate using HTTPS secured environment. You can enable HSTS on your website by sending the HSTS header and supporting browser will convert any HTTP query into an HTTPS query.
HTTPS – Hypertext Transfer Protocol Secure
HTTPS (Hypertext transfer protocol secure) is a protocol that allows secure transaction over the web. An extra “S” adds privacy, secrecy and authentication to the traveling information. A HTTP site is vulnerable to attacks while HTTPS provides the secure mode to the information.
ICANN (Internet Corporation for Assigned Names and Numbers) is a nonprofit organization aims to keep the internet secure and stable as well takes care of Internet’s naming system (for example, IP address).
To keep root certificate behind the layer of security, most CAs use intermediate certificate so root keys remain secure. However, the root certificate itself signs the intermediate certificate. Intermediate certificate creates a chain of trust between the server certificate and root certificate. Users have to download all three certificates while installing SSL certificate on their server.
The IP (internet protocol) address identifies the computer or device on TCP/IP network. IP address is a 32-bit numeric address whose numbers varies from zero to 255 (for example – 126.96.36.199). IP address can be static or dynamic in which static IP address remains unchanged while dynamic IP has to be assigned every time to computer or device.
Key management relates to management of cryptographic keys that includes replacement, creation, storage and exchange of keys. Key management includes policy, training, interactions of an organization.
A key pair refers to private key and public key and is an integral part of PKI infrastructure and SSL certificate. Even if anyone knows a single key, it is impossible to discover the other key. One key is used to encrypt the information while another key is used to decrypt it.
Key size decides the strength of an algorithm, means more bits come with stronger security. For example, 1024-bit and 2048-bit root keys. The recommended key size of root key is 2048-bit RSA while SHA 256-bit encryption is used to encrypt the information. Due to a weak algorithm, SHA-1 signed certificate will be discontinued from 2017 therefore; most CAs support SHA-2 hashing algorithm.
Malware is a malicious program designed by hackers to steal information from your website or damage the system. Malware can be spread in the computer system in the form of a virus, Trojan, worm. A user can remove malware via proper anti-malware product or website anti-malware scan.
Malware scanning product analyses malicious activity and detects malware infection on the site and informs the website owner to take action against it. A website owner can schedule daily base malware scanning and ensures visitors that the website is clean and secure against nasty malware.
MD5 (Message Digest) is an old hashing method that creates 128-bit hash value. However, MD5 is not an encryption and works in a one-way function. Currently, most USA government departments use the SHA-2 hash function, as MD5 is weak against collision attack.
Microsoft Exchange Server:
Microsoft Exchange Server is an email message system used in business that runs on Windows servers. The server side is Microsoft Exchange server while the client side is Microsoft Outlook. It supports data storage and is compatible with mobile and web-based access.
MITM (Man-in-the-middle) attack is a type of eavesdropping activity. The attacker performs as an intermediary between the user’s browser and the web server without awareness of both parties. The attacker makes users fool by believing them that they are communicating with the legitimate identity. In reality, the attacker controls the whole conversation.
A browser displays “mixed content warning” means the non-secure HTTP resources are loaded over HTTPS secure page. A browser counts HTTP as an insecure content and shows padlock of degraded security. It may happen that some of the images, videos, scripts and other similar files are served over HTTP instead of HTTPS. Therefore to overcome this issue, you can learn how to fix non-secure items error on SSL secure pages.
Multi Domain Certificate:
Multi-Domain SSL has the ability to secure your multiple websites with a single certificate. Certificate authority verifies the common name and allows you to add multiple subject alternative names under a single certificate. You have to specify the number of SANs during order a multi-domain certificate.
OCSP is used to find the SSL certificate revocation status. It was made as a substitute of CRL (certification revocation list). OCSP responses to OCSP servers with less information compare to CRL and puts less burden on network and client. Messages sent via OCSP generally encompass ASN.1 (notation) and the message is generally sent out through HTTP. Such message receiver named OCSP responders.
The OpenSSL project is a software library that is used to secure communication on applications against snooping and confirms the identity of the relevant parties. It is an open source implementation of SSL/TLS protocols. The project was started in 1998 with a view to provide the free set of encryption tools to the internet.
Organization Validation Certificate:
Organization Validation certificate follows one step advance level verification process compared to the domain validation and confirms the business identity through the legal documentation. Organization validation establishes the identity of a business and proves the reliability of a website. Such validation shows customers that the website is safe to deal with it.
PEM (Privacy-enhanced Electronic Mail) is a common filename extension .pem, which is used for storing keys and Base64-encoded X.509 certificate. The .pem file contains public, intermediate and root certificates as well private key.
Perfect Forward Secrecy:
Perfect Forward Secrecy (PFS) is a secure communication protocol that is used to avoid compromised private keys being used for decryption by hackers. For example, if the website has been hacked and the private keys are compromised, then hackers will not able to intercept past communications of the server due to perfect forward secrecy . PFS is essential to secure against unexpected threats to SSL private keys. It ensures that there is no connection between private key and each session key.
Phishing is a fraud that mimics legitimate email or site and makes users victim. The object of phishing is to gather financial or personal information from users. EV SSL Certificate can help the web users to identify the phishing website, by displaying company name in the green address bar.
PKCS is an abbreviated form of Public Key Cryptography Standards that is published by RSA security. PKCS includes RSA encryption, password-based encryption, extended certificate Syntax and allows exchange information securely on the internet.
PKI is a security architecture that uses public key cryptography for authentication and enables the exchange of data in a secure environment using public and private cryptographic pair. It is a set of policies and procedures that help to create, revoke, and manage digital certificate. The object of PKI is to enable secure transfer of digital information across the range of networks.
Private Key is a part of public key cryptography or asymmetric encryption, is associated with SSL certificate. A private key is created along with certificate signing request (CSR) and used to decrypt the information that is encrypted with a public key. Private Key as the name suggest should be kept secretly and never shared with anyone.
The protocol is an agreed standard set for online communication in which sending and receiving information between data sources, network and servers is taken place. For example, SSL protocol follows preset rules for secured information exchange.
In a typical PKI system, the client uses a public key to encrypt the information while the server on other side uses the private key to decrypt the information. If we talk about industry standard encryption then 2048-bit key, 4096-bit key and ECC keys are in use at present time. If anyone deletes the private key, the public key will be unusable.
Public Key Cipher:
Public Key Cipher was discovered to solve key exchange issues resided in symmetric ciphers. It uses a key for SSL encryption. Public Key Cipher encrypts a session key that is used in symmetric encryption to encode the data. RSA, EPOC, SSL key encryption are part of the public key algorithm.
Public key Cryptography:
Public key cryptography is also named asymmetric cryptography. SSL generally works on two keys named public key and private key. Where public key is used to encrypt the message and private key is used to decode the message. Private Key should be kept secret while the public key is distributed publicly. Server private keys must be secured with password protection. In the case of SSL certificate reissue, a new key is generated and ensures that older keys are no longer effective.
Public Key Pinning:
Public key pinning avoids deceit, fraudulent or mis-issued certificates by hackers. Public Key Pinning allows website owners to assure about the certificate essentials like specified public key, signed public key, and chain of trust by CA. If the domain issued by the CA is not in the browser list, the browser with the support of public key pinning will show a trust dialogue warning.
Registration Authority (RA) is a part of the public key infrastructure (PKI). As an authority, it authenticates requester details and reports the certificate authority (CA) to issue the digital certificate.
When a certificate owner needs to change in certificate like private key, CSR, change in hashing algorithm then the certificate can be reissued. The reissue is free of cost and does not affect the validity of a certificate.
A root certificate is a top-most certificate in the chain of trust on which server and intermediate certificate are depended. The private key of a root certificate is used to sign other certificates. However, root certificate keys remain hidden and instead of it, the intermediate certificate is used for trustworthiness. Thus, root, intermediate and server certificate are part of a chain of trust.
RSA is a short form of Ron Rivest, Adi Shamir, and Leonard Adleman. RSA cryptography is suitable when faster encryption is needed. When it is a matter of verification of digital signature and public key encryption RSA cryptography is used. RSA works on the private and public key in which public key is used to encrypt the data while the private key is used for decryption of data.
Symantec developed Seal-in-Search technology that comes with SSL certificates by implementing Norton Secured Seal on the web. When web users search the query in the search engine, they see the Norton Secured Seal next to the web result. It will instill assurance to your web users and help to increase click through rate.
Secure site seal:
Most CAs offer Secure Site Seal at free of cost that comes with an SSL certificate. Secure site seal is a trusted mark that is placed on the web page or entire website to get an assurance of customers and visitors. Secure site seal can help you to reduce shopping cart abandonment and bounce rate.
A self-signed certificate is signed with an owner’s private key where the owner of the website himself follows signing process and verifies the website. However, the self-signed certificate also encrypts the information over the website but the browser doesn’t recognize such certificates and displays a untrusted warning message to web users. Attackers can easily compromise self-signed certificate and it cannot be revoked, so it is sensible to use legitimate CA certificate for brand reputation, customer loyalty, and trust. Learn the difference between the self-signed and CA signed certificates.
SHA-1 is a cryptographic hash function that produces 160-bit hash value. At present, SHA-2 is used instead of SHA-1 due to a weak algorithm. SHA-1 was succeeding version of an SHA-0 hash function. SHA-1 had collision attack in 2005 year since then; most certificate authorities are recommending SHA-2 algorithm for web security.
SHA-2 is a modern algorithm that has replaced its earlier version SHA-1 algorithm. Extensions like SHA-224, 256, 384 and 512 can be used to encrypt SSL certificates. A hash function turns the arbitrary set of data into single hash value. While purchasing SSL certificate, you can choose SHA-2 and ECC algorithm to get the best security for your website. How to migrate from SHA-1 to SHA-2 certificate?
Shared SSL certificate:
Shared SSL certificate is pooled among users instead of targeting to a specific user. However, the user will have the same level of encryption and security but your business name will not appear in the URL. For example, if the website is running on any shared SSL connection, the URL would be https://secure.yourhost.com/yourdomain.tld. The downside of Shared SSL is if the certificate is expired or not renewed, other users will also be affected. E-commerce companies should not use shared SSL certificate because of lack of unique domain name.
SMTP (Simple Mail Transfer Protocol) is a protocol used in sending and relaying email between servers. SSL is used to secure SMTP called SMTPS. SMTP is not used to retrieve email from a server.
SNI stands for server name indication that is an extension to TLS protocol. SNI allows a client to present multiple certificates on the same IP address and TCP port number. Most of the web browsers support SNI extension.
SSL – Secure Sockets Layer:
SSL as a security protocol secures communication between the data sender and receiver over the internet. SSL (secure socket layer) is used to provide data confidentiality, integrity and security between the client and the server. In SSL, the process of identity confirmation of a client is named as client authentication. SSL works on asymmetric cryptography for server authentication that uses digital certificates.
SSL certificate verifies the identity of a domain name and offers a security over the website. It further encrypts the data in transition and saves the data from tampering and snooping. Many certificate authorities offer different types of SSL certificates. SSL certificate offers data integrity, authentication, and protection.
SSL handshake is made at the start of SSL session that includes steps like – client hello, server hello, authentication and pre-master secret, decryption and master secret, a session key generation, and encryption with a session key.
A port is a medium where the browser connects to the server. SSL port is allotted to the web server for SSL traffic. Generally, SSL session made on web server follows 443 Port.
SSL Proxy is a router or device that directs non-secure HTTP traffic from a client to other server using SSL protocol. It also filters traffic for network and centralizes the traffic as well provides security.
Subdomains also called as child domains or lower level of the main domain name. For example, mail.yourdomain.com in which “mail” is a subdomain of a yourdomain.com. You can secure unlimited sub domains with a single wildcard SSL certificate.
The certificate authority (CA) requires an SSL applicant to sign subscriber agreement while issuing extended validation certificate. Subscriber agreement is a contract between SSL requester and the CA, which states about certificate issuance, money refund policy, warranties, revocation and many other term and conditions. However, domain validation and business validation do not require subscriber agreement.
Symmetric encryption uses the same key to encrypt and decrypt the message and is opposed to Asymmetric encryption. It is also called private key encryption. Both sender and receiver share the same key for communication. Symmetric encryption does not have PKI (public key infrastructure).
Top Level Domain (TLD):
TLD means Top-level domain (.com, .in, .gov, .edu). For example, if your domain name is mydomain.com then .com is TLD. There are domain registration services available that provide domain name at the suitable price.
Transport Layer Security (TLS):
TLS is a replacement of SSL that provides data integrity, privacy between applications and users. TLS ensures that there will be no third party involvement during the exchange of online information and provides a secure connection between two reliable parties.
Types of SSL certificates:
Many people are confused with different types of SSL and their usage. However, there are mainly three types of certificates, domain validation, business validation, extended validation. There are many other SSL certificates which are categorized by their usage, Wildcard SSL for subdomains security, Multi Domain SSL to secure multiple websites, code signing certificate used to protect software.
UCC SSL Certificate:
UCC SSL certificate is also named SAN SSL certificate as it can secure multiple domains and sub domains under a single certificate.UCC certificate is used for Microsoft® Exchange Server 2007, Exchange Server 2010, and Microsoft Live® Communications Server and compatible with the shared hosting environment.
Vetting process includes checking the background of many things to be performed by reputed certificate authority while issuing an SSL certificate. For example, domain validation only refers to the checking of domain ownership while organization and extended validation include rigorous validation process.
VeriSign is a foremost leader in SSL certificate. From 2010, VeriSign sold its authentication business unit to Symantec. Besides, VeriSign, Inc. deals with country level top domains, managed DNS, DDoS mitigation, and cyber threat reporting services.
Vulnerability in software or network is a weak point that can damage website functionality. It may happen that a website may have several vulnerabilities. To solve this issue, few vulnerability scanners are available that can fix the hole in a website.
Vulnerability assessment detects loophole in a website and fixes critical vulnerabilities. Vulnerability assessment alerts the website owner regarding the former flaws in their code and detects the location of a flaw. Thus, the security of the website is enhanced and customers can securely deal with the website. Symantec SSL certificates come with free vulnerability assessment.
Wildcard SSL Certificate:
Wildcard SSL certificate offers protection for unlimited sub domains with a single asterisk. A website owner can secure unlimited subdomains by adding an asterisk just before your domain name (for example, *.yourdomain.com can secure info.yourdomain.com, example.yourdomain.com). Wildcard SSL certificate is a cost saving certificate that saves money and management time.
WHOIS is a protocol that stores details of registered domain name users and information like domain creation date, expiry date, organization name, address, phone number, etc. The certificate authority can check WHOIS record while issuing the SSL certificate.
X.509 is a specific standard for PKI that manages digital certificates, public key encryption and fundamental part of TLS protocol. An X.509 includes data related to issued certificate like version number, serial number, subject name, public key information, etc. X.509 specifies information and features needed for the identification of a computer system or a person. Moreover, X.509 Certificate is an international standard used to validate Digital Signature.