By Paessler Editorial Team • Jul 11, 2017

"Where Can I Obtain My SSL Certificate?" and 5 Other Questions You Need to Know the Answer to

Encryption of the data traffic between your server and website visitors' computers has many benefits. Encryption creates security. Encryption builds trust. Encryption helps with search engine optimization (SEO) - and there are many more advantages as well. At this point, the question arises as to where I can obtain my SSL Certificate so that website visitors know that their data is indeed securely encrypted - and so that the browser doesn't send a warning.

What Does Encryption With SSL/TLS Mean?

Encryption of data connections allows you to protect your visitors against 'man in the middle' attacks. This is because unencrypted connections are 'straightforward' for third parties to view. Credit card details, passwords, and private messages can be downloaded or even manipulated. A connection's encryption status is shown by HTTPS instead of HTTP at the start of the URL. An SSL certificate demonstrates trustworthiness.

What is an SSL certificate?

Basic SSL Certificates guarantee that the domain belongs to the person who claims to be the owner. Extended certificates validate additional business data for signs of abuse. The SSL Certificate is stored on a server, downloaded by the browser when a website secured via HTTPS is visited, and compared to a 'whitelist' belonging to a trusted issuer, the 'Certificate Authority' or 'CA'. If the connection is successful, this is shown in the address bar, e.g., via a closed padlock or a green traffic light icon. The visitor can click to receive more information if desired. 

Where Can I Get my Certificate? And What Does it Cost?

For a long time, it was only possible to obtain an SSL Certificate from an official Certificate Authority/CA. This came with a price tag. Since then, hosting providers also issue certificates, while 'Let's Encrypt' offers a free alternative to basic certificates. This caused prices to fall elsewhere, so that SSL Certificates are now affordable for small and medium-sized enterprises, while Self Signed Certificates provide another route to certification.

a) Certificate Authority (CA)

The CA verifies your identity and warrants the accuracy of the details for the validity period of the certificate. In order to ensure that browser and operating system suppliers can trust the Certificate Authorities, an annual audit takes place. In Europe, this is undertaken by the European Telecommunications Standards Institute (ETSI), which was founded in 1988 by the European Commission. Around three-quarters of the market for SSL Certificates is served by the three largest suppliers: Comodo, Symantec, and GoDaddy.

b) Automatic certification via 'Let's Encrypt!'

At the end of 2014, a number of different businesses and NGOs, including the Electronic Frontier Foundation, Mozilla, Cisco and Akamai, came together to create a free certification program called "Let's Encrypt". It provides automatic, basic certification for domain holders, known as Domain Validation. Let's Encrypt's goal is to simplify the previously manual process via automation in order to encourage the widespread adoption of HTTPS encryption.

c) From your hosting provider

As well as obtaining your Certificate from the issuer directly, it is now possible to obtain it from many hosting providers (for example, as a customer), or purchase certificates in a bundle with web space and a domain.

d) Make your own certificate: Self-signed Certificates

Self-signed certificates represent a further alternative. Linux allows you to act as your own CA with the help of OpenSSL, but naturally, you wouldn't appear on any 'whitelists'. In contrast to official CAs, the browser issues a warning that the CA is unknown. Naturally, users can choose to accept the certificate nevertheless. However, the user's trust in the certificate is only as good as his or her trust in the issuer itself, as the values can change at any time. One benefit is greater configurability in relation to key length, data content, or metadata. In addition, there's no need to involve any third parties. Possible uses include websites, companies' internal platforms, and monitoring or test environments.

Which Certification Do I Need?

There are three kinds of SSL Certificates, which differ in the extent to which they validate identity:

Basic protection with domain validation (DV)

This is the simplest version with the lowest degree of identity validation. The CA only validates whether you should actually have access to the domain. As such, there remains a certain degree of risk - but, on the other hand, it's quick and cost-effective - and even free and automatic with 'Let's Encrypt'. DV certificates are appropriate for low-risk, low-tech websites.

Moderate protection with organizational or domain holder validation (OV)

In addition to domain ownership, the CA checks for the presence of a set of relevant business-related information, such as a corporate registration. Website visitors can also view this information, which enhances trustworthiness. The process requires more resources, takes longer, and costs more. Nonetheless, it's more secure and increases visitors' trust levels. This certificate is appropriate for important, but not highly sensitive data.

Top protection with extended validation (EV)

This certificate features even more thorough validation of business information and security is more prominently on display. The issue of EV certificates is subject to strict issuing criteria: Certificate Authorities who wish to issue an EV certificate need to undergo an audit of their own. EV, therefore, occupies a premium positioning among SSL certificates. Naturally, audits come at a price and take longer to complete. However, the certificate creates the highest levels of trust among visitors and potential customers. If sensitive data such as credit card details are being transferred, EV is the certificate of choice.

How Many Pages Should Be Secured?

There are three different types of certificate available:

  • Individual certificates for a secure domain;
  • Multi-domain certificates; and
  • Wildcard certificates for a secure domain with a wide range of dynamic sub-domains.

You must consider which pages you wish to certify and the degree of security to be displayed to visitors. Is simple domain validation up to the job? Or do potential customers demand a higher degree of trust before transmitting their personal data? For example, visitors are more sensitive during the order process than they are when viewing an 'About us' page. As a compromise, you could use strong certification for a secure domain while using free individual certificates for others.

How do I Install an SSL Certificate?

The SSL Certificate is installed on the server. Installation varies depending on the issuer, and many hosting providers will handle the entire service. As a rule, providers or certificate issuers provide the necessary instructions.

What Do I Need To Watch Out For When Configuring HTTPS And SSL Certificates?

There are lots of details that you can and should take into consideration. Some core aspects:

  • Use appropriate, unexpired certificates: otherwise, the page will be shown as unsecured.
  • A high standard of security is offered by 2,048-bit encryption. If you are still using 1024-bit encryption, an upgrade is recommended.
  • Pay attention to appropriate server configurations: e.g., if the certificate is issued for 'www.mywebsite.de' then the website should not be configured as 'mywebsite.de.'
  • Be consistent! Only integrate HTTPS elements into HTTPS pages: otherwise, an error report will be shown, which could give visitors cause for concern. HTTP and HTTPS pages should have consistent content.
  • Google treats the switch from HTTP to HTTPS in the same way as a move from www.abc.de to www.xyz.de. All steps taken to avoid sliding down the rankings apply here as well.
  • Create a list of the admin and SEO processes that are needed, from adapting the sitemap through to adapting major backlinks by contacting the relevant external site admins.
  • Google has created an HTTPS migration FAQ, where you can find more tips for making the switch and using HTTPS.
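
The first three checklist items (unexpired certificate, 2,048-bit key, hostname matching the certificate) can be checked with the OpenSSL command line mentioned in the self-signed section above. The script below is an added example, not part of the original article: it creates a throwaway self-signed certificate as constructed sample input and audits it. The function names and the renewal-window argument are assumptions of this example, and it requires OpenSSL 1.1.1 or later for `-addext`.

```sh
#!/bin/sh
# Added example: audit a certificate file against three checklist items.

# make_selfsigned DIR HOST BITS: throwaway self-signed cert (constructed sample).
make_selfsigned() {
    openssl req -x509 -newkey "rsa:$3" -nodes -days 30 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# key_bits CERT: print the public key size in bits.
key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# audit_cert CERT HOST [SECONDS]: report findings; return 0 only if all pass.
# SECONDS is an optional renewal window (default 0 = "already expired?").
audit_cert() {
    cert=$1 host=$2 window=${3:-0} rc=0
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null; then
        echo "FAIL expired or expiring within ${window}s"; rc=1
    fi
    bits=$(key_bits "$cert")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL key is ${bits:-unknown} bits, want >= 2048"; rc=1
    fi
    # -checkhost prints "does match" or "does NOT match" for the given name.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" |
            grep -q 'does match'; then
        echo "FAIL certificate is not valid for $host"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK $host"; fi
    return "$rc"
}

# Demo using the host names from the checklist above.
d=$(mktemp -d)
make_selfsigned "$d" www.mywebsite.de 2048
audit_cert "$d/cert.pem" www.mywebsite.de   # all three checks pass
audit_cert "$d/cert.pem" mywebsite.de       # hostname check fails
rm -rf "$d"
```

To audit a deployed certificate instead, save it to a PEM file and pass that path and the site's host name to `audit_cert`.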