In today's internet environment, the security of data transmission is of paramount importance. SSL certificates are a fundamental technology for ensuring the security of online communications and building user trust. They establish an encrypted connection between the client (such as a browser) and the server, ensuring that all data transmitted remains private and intact, and preventing it from being eavesdropped on or tampered with by third parties. When a website has a valid SSL certificate installed, its URL begins with “https://”, and a lock icon is displayed in the address bar. This not only indicates security but is also an important factor in the ranking of modern search engines (such as Google). Additionally, it is a mandatory requirement for many modern Web APIs (such as those related to geolocation and Service Workers).
The Core Types of SSL Certificates and How to Choose One
SSL certificates are primarily classified based on the level of verification and the number of domain names they cover. Choosing the right type of certificate is the first step in the deployment process, as it directly affects costs, the security of the website, and the business requirements.
Domain Validation Certificate
A DV (Domain Validation) certificate is an entry-level SSL certificate that only verifies the applicant's ownership of the domain name. The verification process is typically completed automatically via email or DNS resolution records, which is fast and can result in certificate issuance within minutes. DV certificates provide basic encryption capabilities and display a lock icon in the browser address bar.
Recommended Reading A Comprehensive Analysis of SSL Certificates: From Principles and Types to a Complete Guide on Applying for and Installing Them。
It is suitable for personal blogs, testing environments, small demonstration websites, and internal systems, and it comes at a relatively low cost.
Organizational validation type certificate
The verification process for OV (Organizational Validation) certificates is more stringent. In addition to verifying the domain name ownership, the certificate issuing authority also conducts a manual review of the authenticity and legitimacy of the applying company, such as verifying the company’s registration information. The information about the certificate issuer includes the verified name of the company.
OV certificates also display a lock icon in the browser, and when users click on the icon, they can view details about the company. This enhances users' trust in the website, making it suitable for corporate websites, e-commerce platforms, and other commercial websites that need to demonstrate the credibility of the entity behind them.
Extended Validation Certificate
EV (Extended Validation) certificates provide the highest level of verification and trust. Certification Authorities (CAs) conduct the most stringent on-site audits of companies, covering legal, physical, and operational aspects. Once an EV certificate is successfully deployed, in some browsers (such as older versions of Chrome and Edge), the address bar will not only display a lock icon but also show the verified company name in green text.
Although modern browser interfaces are becoming more uniform, reducing the visual differences in the green address bars, the strict review processes behind EV (Extended Validation) certificates make them the industry standard in fields that require a high level of trust, such as law, finance, and large-scale e-commerce.
Recommended Reading A Complete Guide to SSL Certificates: Principles, Types, Installation, and Common Questions Fully Explained。
Multiple domain and wildcard certificates
In addition to the verification level, certificates can also be distinguished based on the number of domains they cover. A single-domain certificate protects only one specific domain (for example, www.example.com). Multi-domain certificates allow multiple completely different domains to be added and protected within a single certificate, which facilitates management. Wildcard certificates, on the other hand, can protect a main domain and all its subdomains at the same level (for example, *.example.com), making them highly efficient and cost-effective for system architectures with a large number of subdomains.
The working principle of an SSL certificate: handshake and encryption
Understanding the working mechanism of the SSL/TLS protocol helps to gain a deeper understanding of its security features. The core of the entire process is the “TLS handshake,” which takes place before the client and server establish an officially encrypted communication channel.
Asymmetric encryption and certificate exchange
At the beginning of the handshake, the client sends a “Client Hello” message to the server, which includes the TLS versions it supports and a list of available encryption suites. The server responds with a “Server Hello”, selecting the encryption parameters that are supported by both parties, and also includes its own SSL certificate.
This certificate contains the server’s public key and has been signed by the private key of a CA (Certificate Authority) institution. Client devices (such as browsers or operating systems) come pre-installed with a list of trusted CA root certificates. They use the corresponding CA public keys to verify whether the server certificate’s signature is valid, whether the certificate is still within its validity period, and whether it matches the domain name being accessed. This process confirms the identity of the server.
Generation of symmetric session keys
After the server authentication is successful, the client generates a random “pre-master key” and encrypts it using the server’s public key before sending it to the server. Only the server, which possesses the corresponding private key, can decrypt this pre-master key. Subsequently, both parties use this pre-master key, along with the random numbers that were exchanged earlier, to independently calculate the same “master key.” This master key will be used to derive the symmetric encryption keys for the current session.
From now on, both parties will use this efficient symmetric session key to encrypt and decrypt all application data transmitted (such as HTTP content). Asymmetric encryption is only used during the initial handshake phase for authentication and key exchange; subsequent communications will switch to the more performant symmetric encryption method.
Recommended Reading Comprehensive Analysis of SSL Certificates: From Principles to Installation, Solve Your Website's Security and Trust Issues in 10 Minutes。
Installation and Deployment Guide for Mainstream Environments
获取SSL证书后(无论是从云服务商、专业CA还是通过Let's Encrypt免费获取),正确的安装和配置是关键。
Certificate installation on the web server
Taking Nginx as an example, the deployment process mainly involves editing the configuration files. It is usually necessary to include the certificate file (such as…)domain.crt) and the private key file (for example)domain.keyUpload the file to the specified directory on the server. Then, make the necessary settings in the Nginx configuration file of the website. The key configuration directives include:ssl_certificateSpecify the path to the certificate file;ssl_certificate_keySpecify the path to the private key file;listen 443 ssl;This instruction indicates that port 443 (used for HTTPS communications) should be monitored. Once the configuration is complete, proceed with the next steps.nginx -tTest the configuration syntax, and then reload the service.
For Apache servers, the principle is similar; you need to use…SSLCertificateFileandSSLCertificateKeyFileThe instructions specify the paths for the certificate and private key in the virtual host configuration, and enable the SSL module.
Automated Deployment and Renewal Management
手动管理证书,尤其是处理续期,容易因遗忘导致证书过期、网站无法访问。自动化工具可以有效解决此问题。Certbot是一款广泛使用的免费自动化工具,它与Let's Encrypt CA配合,可以自动完成域名验证、证书获取、安装和Web服务器配置重载的全过程。
By setting up Crontab scheduled tasks (for example, running twice a month), Certbot automatically checks the validity of certificates and renews them before they expire, achieving a “one-time configuration, permanent validity” approach that requires no maintenance. This significantly enhances the reliability and efficiency of operations and maintenance.
Security checks and optimizations after deployment
After the installation is complete, a comprehensive check is necessary. Visit the website to ensure that HTTPS is functioning properly and that there are no security warnings in the browser. Next, all HTTP requests should be forcibly redirected to HTTPS, which can be achieved by configuring a 301 redirect on the server.
To further enhance security, it is necessary to disable older and insecure versions of the SSL protocol (such as SSLv2 and SSLv3) and configure secure encryption suites, prioritizing the use of TLS 1.2 and later versions. Online tools (such as SSL Labs’ SSL Server Test) can be used to perform a thorough scan and evaluation of the server’s SSL configuration. Based on the report’s recommendations, optimize the configuration by, for example, enabling the HSTS (HTTP Strict Transport Security) policy to prevent SSL stripping attacks.
Certificate Lifecycle Management and Common Issues
SSL certificates are not permanent; they are digital products with a lifecycle that require ongoing maintenance and management.
Application, renewal, and revocation of certificates
The lifecycle of a certificate begins with the generation of a Certificate Signing Request (CSR) and a private key. The private key must be kept absolutely confidential, while the CSR is submitted to a Certificate Authority (CA) for verification and issuance. Certificates typically have a validity period of 1 year (although some corporate certificates may have longer periods); they must be renewed before they expire. The renewal process is essentially a re-application, but the information that has already been verified may be processed more efficiently.
If the private key is compromised or the domain name is no longer in use, you should contact the CA (Certificate Authority) to revoke the certificate. Once revoked, the certificate will be added to the CA’s list of revoked certificates. Browsers will refuse to accept revoked certificates during verification, which is an important part of the security chain.
Mixed Content Issues and Solutions
The most common issue after deploying HTTPS is “mixed content.” This occurs when the main page is loaded via HTTPS, but the resources within it (such as images, scripts, and style sheets) are still loaded via HTTP. Modern browsers block insecure scripts and styles by default, which can cause the page to malfunction or display warnings for insecure images.
The solution is to use a relative protocol (such as…)//example.com/resource.js) or hard-code all resource links ashttps://The developer tools console and security panel of the browser will clearly display warnings about mixed content, which are the main methods for troubleshooting this issue.
Multi-server and load balancing configuration
In a distributed architecture, the same certificate may need to be installed on multiple web servers or load balancers. The key task at this point is to securely distribute the private key and the certificate file to all the nodes that require them, and to ensure that the configuration of each server is correct. Some cloud load balancers (such as AWS ALB and Alibaba Cloud SLB) support terminating SSL connections at the load balancing layer, with the backend servers handling only HTTP traffic. This approach simplifies the certificate management for the backend servers and allows the computational load of decryption to be offloaded to the load balancer.
summarize
SSL certificates are a core technical component for implementing HTTPS encryption, ensuring data security, and establishing the credibility of websites. The process involves selecting the appropriate type of certificate (DV, OV, EV) based on business requirements, understanding the principles of how asymmetric and symmetric encryption work together, as well as correctly installing, automating the deployment, and optimizing the security of SSL certificates in various mainstream server environments. Effective certificate lifecycle management and the ability to anticipate and address common issues, such as those related to mixed content, are crucial for maintaining the effectiveness of security measures. In an era where network security is receiving increasing attention, a thorough understanding and proper application of SSL certificates are essential skills for every website developer, operations personnel, and manager.
FAQ Frequently Asked Questions
Are SSL certificates and TLS certificates the same thing?
Yes, what we usually refer to as an SSL certificate actually means a certificate based on the TLS protocol. SSL was the predecessor of TLS, and due to historical reasons, the term “SSL certificate” is still widely used. However, all modern browsers and servers currently use the more secure and up-to-date TLS protocol.
免费的SSL证书(如Let‘s Encrypt)和付费证书有什么区别?
The main differences lie in the verification methods, features, support services, and validity periods. Free DV (Domain Validation) certificates typically only verify the domain name, are issued automatically, have a validity period of 90 days, and require frequent automatic renewals. Paid certificates, on the other hand, offer higher levels of verification (such as OV or EV), come with higher warranty compensation amounts and technical support services, and may also support multiple domains or wildcards. There is no difference in the encryption strength provided by the technologies used in both types of certificates.
Why does my website still display “Unsecure” even though an SSL certificate has been installed?
This issue is usually caused by “mixed content.” Please check whether the website page is referencing resources that use the HTTP protocol (such as images, JavaScript files, or CSS files). Simply change the reference addresses of all these resources to HTTPS or use the relative protocol to resolve the problem. Additionally, make sure that the certificate is properly installed and not expired, and that it matches the domain name being accessed exactly.
Can wildcard certificates protect all subdomains?
Wildcard certificates (such as *.example.com) can protect all subdomains at the same level, such as blog.example.com and shop.example.com. However, they cannot protect subdomains with multiple levels of hierarchy, such as dev.aws.example.com (which requires a certificate with the format *.*.example.com, and this is generally not supported by standard CA authorities). For such use cases, you may need to consider using a multi-domain wildcard certificate or apply for separate certificates for each subdomain.
How to choose a brand for an SSL certificate?
When selecting a CA (Certificate Authority) brand, compatibility, reliability, and services should be the main considerations. The root certificates of major global CAs are already built into all operating systems and browsers, ensuring wide compatibility. Choosing a CA with a good reputation ensures the rigor of the verification process. Additionally, make a comprehensive assessment based on factors such as whether Chinese customer support is required, specific insurance coverage terms, and issuance speed, to select the brand that best suits your business needs.
What's next, what's next?
Extended reading and practical knowledge
The following are related to the topic of this article and are suitable for further in-depth reading. Prioritize starting with the article that is closest to your current problem, and gradually expanding to surrounding topics usually works better.
- What is an SSL certificate? A comprehensive explanation from its principles to the process of applying for and using it.
- What is an SSL certificate? A comprehensive guide to understanding the principles, types, and installation procedures of digital certificates.
- In-depth Analysis of SSL Certificates: From Beginner to Expert – Comprehensive Protection for Website Security
- What is an SSL certificate and how does it work
- Comprehensive Guide to SSL Certificates: From Principles and Types to Practical Details on Deployment and Management