A Guide To Securing Your Website Using SSL Certificates

When it comes to securing your website, there is a full range of SSL products available. SSL is an acronym for Secure Sockets Layer, what it does is to protect the transfer of data from a user's web browser to the website's server.

While SSL can secure a website's connection for its users, it can also boost the website's ranking. For these reasons, there are many web owners and webmasters that explore the possibilities, hoping to get the best for what they pay for.

However, SSL and the process to set one up can be overwhelming. And since SSL providers offer add-ons to choose from, comparing one to others can be difficult.

In this article, you should be able to answer the following questions:

  • What is an SSL certificate?
  • What type of SSL certificate should I use?
  • Should I use a free certificate or a paid one?
  • Which certificate is best for securing a subdomain? Multiple domains?
  • What warranty coverage to I need?
  • How do I troubleshoot common problems?

SSL is a security method in web communication protocol which allows the encryption of data when being transferred over a server. SSL certificates are to protect the transfer of sensitive and personal information such as usernames, passwords and others.

Usually, data between a browser and a web server is sent as plain text. This leaves the user vulnerable to hackers. SSL certificates utilize a public and a private key, which work together to establish an encrypted connection. This way, data is encrypted before being sent, to then be decrypted when it arrives.

Certificate Types

SSL certificate types

Among several types of SSL certificates, there are three common ones. Choosing the best one for you will be based on the level of security your website requires.

Domain-validated certificate

Also known as a low assurance certificate. This is the standard type of certificate issued. To use it, an automated validation ensures that the domain name is registered and that an administrator approves the request.

In order for the validation to be completed, the webmaster must provide documentation for verification. After that the validation can be confirmed via email or by configuring the website's DNS record.

Because this type is the most standard, its usage is only recommended for internal systems only. Processing time requires only a few minutes to a few hours.

Organization-validated certificate

Higher up is the organization-validated certificate, or also known as high assurance certificate. To use this SSL certificate, it requires real agents to validate the domain ownership, organization information such as name, city, state and country. Just like domain-validated certificates, the webmaster also needs to provide documentation for verification.

This type of certificate is recommended for businesses and companies. Processing times varies from a few hours to a few days.

EV certificate

Also called extended validation certificate, this is a newer type of certificate that requires the most tedious and vigorous process. To use this type of certificate, webmasters are required to ensure that their business is legal. It also requires business information as a proof of domain ownership.

This type of certificate is the most secured to obtain because Standard SSL certificates don't require a legitimate or verified business.

To differentiate EV certificates from others, its exclusive feature is providing a green padlock on visitors' web browser. This will ensure consumers, giving them confidence that information transaction on that web page are secured.

Because it's regarded as the extended validation certificate, it also requires the most processing time. From a few days to a few weeks. Because it's also regarded as the most secured, it's required for e-commerce businesses.

Purchasing Your SSL Certificate

HTTPS

There are a lot of SSL providers to choose from. From free to paid.

If you want free certificate, your website will be shown as secured with a self-signed. Most web browsers don't see this type of certificate as a legitimate one, and will post an error message.

To proceed, visitors need to click on the "I understand the risks". While this won't matter to at least a few people, most people tend to avoid such websites and will click on the "Get me out of here!" button to never return.

While that only is already a problem, the real threat lies in the fact that those "free" self-signed certificates are virtually unregulated. What this means, if your website is hacked, it may still appear secure. On the other hand, certificates that are issued by trusted certificate providers, can revoke access and alert the user of any potential threats.

So if your choice lies on verified and trusted certificates, big names in the business include GeoTrust, Symantec (previously Verisign), DigiCert and others. You can also get your certificates from third-party resellers which offer the same protection, sometimes at a discounted price.

Whatever their price can be, they vary significantly based on the amount of warranty coverage they offer. What you should understand is that the warranty here only applies to end users, not you.

What this means, if a visitor suffers monetary loss after making a transaction on your website that apparently went fraudulent, the certificate authority is to blame. This is because it has failed to alert a warning and failed to protect the consumer. In this situation, the warranty value will be paid out the consumer, if the amount being disputed is less than the warranty itself.

A relief to consumers means a relief to the webmaster. However, this is often the strategy made by SSL providers to make the price of the certificate more expensive. This is because this occasion rarely or never happens.

Securing Multiple Domains And Subdomains

Webmaster may operate more than just one website. And each of them may even have subdomains. A single-name SSL certificate can protect a single domain whereas wildcard certificates allow them to secure an unlimited number of subdomains.

Multi-domain certificates can protect 210+ different domains with a single certificate. However, this depends on the provider.

Troubleshooting Problems

SSL error

When SSL certificate is up and running, it should protect your website 24/7. But there are times which errors can invalidate your SSL certificate. Below is a list of some common problems and their solutions:

  • Serving mixed content: When a website is using both HTTP and HTTPS content, this invalidate the certificate since all content must be loaded from a secure source. This usually happens with plugins, images and JavaScripts.
  • Certificate name mismatch error: This usually happens as a results from requesting an SSL certificate for what is assumed your domain name, but doesn't match the actual domain. For example, a certificate that uses the prefix "www" but your website is loading "non-www version."
  • Missing intermediate certificate: Different server types require different number of intermediate chain certificates. Some servers require one while others require two.
  • Expired certificate: Usually a result when a certificate is outdated. Most certificates can be renewed as early as 90 days before they expire.
  • Certificate viewed is not the one installed: This happens because only one certificate can be installed on both the same IP and socket number. Only the first one installed will be recognized.

Further reading: When "S" Stands For Secure, Web Encryption Still Has Drawbacks For Average Users