What is an SSL/TLS certificate?
An SSL certificate, more accurately referred to as a TLS certificate, is a digital certificate used to establish an encrypted connection between a client (such as a browser) and a server (such as a website). Its primary function is to implement the HTTPS protocol, ensuring that all data transmitted between the two parties is encrypted, thereby preventing eavesdropping or tampering.
When a user visits a website that has a valid SSL certificate deployed, the browser initiates a “handshake” process with the server. During this process, the server presents its SSL certificate to the browser. The browser then verifies whether the certificate was issued by a trusted certificate authority, whether the certificate is still valid, and whether the domain name in the certificate matches the domain name of the website being visited. If the verification is successful, a secure encrypted communication channel is established between the browser and the server.
Recommended Reading What is SSL Certificate? Principle, type and installation configuration full analysis。
The indicator of an encrypted link is the lock icon that appears in the browser’s address bar, as well as the URL that starts with “https://”. This clearly signals to users that their connection to the website is private and secure. In addition to encryption, the SSL certificate also provides authentication, helping users confirm that they are communicating with the actual, intended server, rather than a phishing website that is trying to impersonate it.
The main types of SSL certificates
Based on the level of verification and the number of domains covered, SSL certificates are mainly classified into the following categories to meet the security requirements of different scenarios.
Domain Validation Certificate
Domain Name Validation (DV) certificates are the fastest-to-obtain and lowest-cost type of SSL certificate. The certificate authority simply verifies the applicant’s ownership of the domain name, typically by sending a verification email to the email address registered for that domain or by requiring the creation of specific DNS records. DV certificates are ideal for personal websites, blogs, testing environments, or internal systems that do not need to strongly demonstrate the identity of the organization to users. They provide basic encryption capabilities, but the browser address bar will only display a lock icon, without showing the company name.
Recommended Reading SSL certificates in detail: from the type of choice to the Nginx server installation and configuration of the whole guide。
Organizational validation type certificate
Organizational Validation (OV) certificates offer a higher level of trust than Domain Validation (DV) certificates. In addition to verifying the ownership of a domain name, the Certificate Authority (CA) also confirms the actual existence of the applying organization, for example by checking the company’s registration information with the relevant authorities. As a result, the issuance of an OV certificate takes several working days. Once an OV certificate is deployed, users can click on the lock icon in the browser address bar to view the certificate details, which include the verified name of the company. OV certificates are suitable for use on corporate websites, e-commerce platforms, and other scenarios where a credible identity needs to be demonstrated.
Extended Validation Certificate
Extended Validation (EV) certificates represent the highest level of security and trust among SSL certificates. The Certification Authority (CA) conducts the most comprehensive reviews of the organizations applying for these certificates, examining their legal, physical, and operational existence. Websites that have obtained an EV certificate will display a green address bar in most major browsers, along with the verified name of the company. This provides a clear and intuitive indication of trust for industries with stringent security and reliability requirements, such as finance, payments, and large e-commerce platforms. However, as browser user interfaces have evolved, some browsers no longer prominently display the green address bar. Nevertheless, the strict validation standards for EV certificates remain in place.
Multiple domain and wildcard certificates
In addition to being classified by validation level, SSL certificates can also be categorized based on the number of domains they cover. Single-domain certificates protect only one fully qualified domain name (for example, `www.example.com` or `example.com`). Multi-domain certificates allow multiple different domain names to be added and protected within a single certificate (for example, `example.com`, `example.net`, `shop.example.org`). Wildcard certificates are used to protect a primary domain name and all its subdomains at the same level; for instance, `*.example.com` can protect `blog.example.com`, `mail.example.com`, `pay.example.com`, etc., providing significant management convenience and cost-effectiveness for organizations with a large number of subdomains.
Recommended Reading What is an SSL Certificate? A complete guide from principle to purchase and installation。
How to Choose and Purchase an SSL Certificate
When faced with a wide variety of SSL certificates, making the right choice requires considering factors such as the nature of the website, security requirements, and budget.
First, determine the type of your website. For personal projects, information-sharing blogs, or test servers, domain-name validated certificates are usually sufficient. If your website requires user login, data transmission, or basic e-commerce functionality, organizationally validated certificates can provide a higher level of trust. For websites that handle banking, securities, large online payment platforms, or any other type of service that deals with highly sensitive information, extended validation certificates are the best choice, as they can significantly enhance user confidence.
Secondly, consider the need for domain name coverage. If there is only one main domain name, a single-domain certificate is sufficient. If you need to protect multiple completely unrelated domain names, a multi-domain certificate is recommended. If you have a main domain name along with a large number of dynamic subdomains (for example, a SaaS platform that provides personalized subdomains for customers), a wildcard certificate is the most cost-effective solution.
Regarding the purchase channels, certificates can be directly purchased from globally renowned CA organizations (such as DigiCert, Sectigo, GlobalSign) or their authorized resellers. The flexibility of prices, after-sales services, and support are important factors to consider when choosing a reseller. It is also essential to pay attention to the validity period of the certificate during the purchase process. The current industry standard for the maximum validity period is 13 months; the certificate must be renewed or re-applied for before it expires.
Recommended Reading SSL Certificate Explained: From principle to deployment, comprehensive protection of website security。
SSL Certificate Installation and Deployment Process
After successfully purchasing a certificate, the correct installation and deployment are crucial to ensure that the secure connection is effective. This process mainly consists of three steps: generating a CSR (Certificate Signing Request), submitting it for verification, and installing the certificate.
Generate a certificate signing request
The Certificate Signing Request (CSR) is the first step in the certificate installation process and must be generated on your server. A CSR is an encrypted text file that contains your public key as well as information about your website’s identity (such as the domain name, organization name, and location). When you generate a CSR, your server automatically creates a matching pair of private and public keys. The private key must be stored securely on your server and never disclosed, as it is the only key used to decrypt the data being transmitted. The public key part of the CSR file is then submitted to the Certificate Authority (CA).
Submit the verification and obtain the certificate
Submit the generated CSR (Certificate Signing Request) file to the certificate authority (CA) from which you purchased the certificate. Depending on the type of certificate you purchased (DV, OV, or EV), the CA will initiate the verification process at the corresponding level. For DV certificates, the verification may be completed within a few minutes; for OV/EV certificates, it may take several days. Once the verification is successful, the CA will provide you with the issued SSL certificate file (usually in `.crt` or `.pem` format) as well as any intermediate certificate chain files, either via email or through the control panel.
Install the certificate on the server
The final step is to install the obtained certificate file on your web server software (such as Apache, Nginx, IIS, etc.). This process typically involves uploading the certificate file, the private key file, and the certificate chain file provided by the CA to a specific directory on the server, and then specifying the paths to these files in the server configuration files. Once the configuration is complete, restart the web service to apply the changes.
After the deployment is complete, be sure to use an online SSL inspection tool (such as SSL Labs’ SSL Test) to conduct a thorough check of your website. This tool will evaluate whether the certificate is correctly installed, whether the configuration is secure (for example, whether it supports outdated protocols or weak cipher suites), and provide a score along with recommendations for improvements. Regular maintenance, including renewing the certificate in a timely manner before it expires, is also crucial for maintaining continuous security.
summarize
SSL certificates have evolved from an optional security enhancement to a fundamental component for building trustworthy and compliant modern websites. They protect data privacy through encryption and prevent online fraud through authentication, making them a necessary requirement for enabling the HTTPS protocol. Understanding the differences between domain name validation, organization validation, and extended validation certificates can help you make an informed choice based on the actual needs of your website. Mastering the entire process—from generating a CSR (Certificate Signing Request) to completing the installation and deployment on the server—is an essential skill for every website administrator. Proper deployment and maintenance of SSL certificates not only safeguard users’ data security but also significantly enhance a website’s professional image and search engine rankings.
FAQ Frequently Asked Questions
What are the differences in the way DV, OV, and EV certificates are displayed in browsers?
DV (Domain Validation) certificates typically only display a lock icon and the HTTPS symbol in the browser address bar. OV (Organization Validation) certificates show the name of the verified organization in the details of the lock icon. EV (Extended Validation) certificates used to display the company’s name in green directly in the address bar; although modern browser interfaces have simplified this display, the certificate details still contain the highest level of organization validation information. EV certificates are widely used by industries with high security requirements, such as financial institutions.
Can one SSL certificate be used on multiple servers?
Yes, it depends on the authorization granted by the certificate. Most SSL certificates allow the same protected domain name to be installed and used on multiple servers within the same organization, such as front-end web servers and load balancers. However, it is important to note that the server private key must be shared securely between these servers or configured separately. It is essential to follow best security practices to prevent the private key from being leaked.
Why does my website still display as “unsecure” even though an SSL certificate has been installed?
There are several possible reasons for this warning. The most common one is that the web page mixes HTTP and HTTPS resources (for example, images, scripts, or style sheets are loaded from HTTP links), which is known as the “mixed content” issue. In this case, the browser considers the page to be insecure. Other possible causes include an expired certificate, a mismatch between the certificate’s domain name and the domain name being visited, an incomplete certificate chain, or incorrect server configuration that results in the use of an insecure protocol (such as SSL 2.0/3.0).
What happens when an SSL certificate expires?
Once an SSL certificate expires, the browser will display a clear “unsafe” warning to visitors, and may even prevent them from continuing to access the website. This can lead to a significant decline in the user experience, a loss of trust, and potentially a serious impact on website traffic and business operations. Therefore, it is essential to establish a process for monitoring and renewing SSL certificates. It is recommended to renew the certificate at least 30 days before it expires.
Can wildcard certificates protect multiple levels of subdomains?
A standard wildcard certificate (`*.example.com`) can only protect first-level subdomains, such as `blog.example.com` or `shop.example.com`. It cannot protect multiple-level subdomains, such as `dev.www.example.com` (which is a two-level subdomain). To protect multiple-level subdomains, you need to apply for a wildcard certificate specific to that level (e.g., `*.www.example.com`) or apply for separate certificates for each individual domain name.
What's next, what's next?
Extended reading and practical knowledge
The following are related to the topic of this article and are suitable for further in-depth reading. Prioritize starting with the article that is closest to your current problem, and gradually expanding to surrounding topics usually works better.
- What is an SSL certificate? A comprehensive explanation from its principles to the process of applying for and using it.
- What is an SSL certificate? A comprehensive guide to understanding the principles, types, and installation procedures of digital certificates.
- In-depth Analysis of SSL Certificates: From Beginner to Expert – Comprehensive Protection for Website Security
- What is an SSL certificate and how does it work
- Comprehensive Guide to SSL Certificates: From Principles and Types to Practical Details on Deployment and Management