SSL: Secure Sockets Layer is a way to enforce secured communication between browser (that is users browsing site) and site (or web server). This helps in preventing a hacker to sneak in and decode the exchange of data. Earlier most of the e-commerce sites or sites that used to store sensitive information (like emails etc) were SSL enabled but now all sites are expected to have SSL enabled. Any site which has https:// is SSL enabled.
SSL is the predecessor to TLS. TLS was introduced in 1999. Vendors often use “SL/TLS Certificate”. TLS has better encryption.
https: Hyper Text Transfer Protocol Secure
Almost all major browsers now flag sites that are not secured. Most users will probably leave the site if they see the warning sign.
Types of SSL Certificate
DV – Domain Validated – Easiest to get, just domain validation is required. Most small sites fall in this category.
OV – Organization Validated – Requires organizational validation. Small businesses/any e-commerce site should at least get this certificate.
EV – Extended Validation – Requires more documentation from the vendor to provide a certificate (most trusted certificate and most expensive). A certificate provider might take a few days before issuing it.
Single website – Cheaper
Single site + subdomains – more expensive
Wildcard SSL – Can be used for multiple websites. This type of certificate is the most expensive.
Types of encryption (RSA ECC etc), liability protection might vary with SSL certificate providers.
Cost of SSL Certificates (from known providers like Verisign, GoDaddy, Comodo, Geotrust, Digicert, Network Solutions, Thawte ) might vary from ~$50 to several hundred dollars per year (depending on the type of certificate, algorithms, liability etc).
Some providers grant SSL certificate for 30-90 days.
How does SSL work
Step 1: User types in a https://URL into browser and Server sends a copy of the public key/SSL/TLS certificate to the user.
Step 2: User’s browser checks the certificate root against trusted CAs, validity etc and then the user’s browser uses the public key and creates a unique session key (which will be used to encrypt data) that is encrypted using the server’s public key and sends back to the server.
Step 3: Server decrypts the session key using a private key (remember the only server can decrypt it as you need the private key to decrypt it)
Step 4: Secure communication can happen because only sever and the client is aware of the session key.
As you can see SSL introduces more work to be performed by the server (encryption/decryption) hence it has an impact on the performance (speed of interacting with the server).
How to Check Certificate in Linux
openssl x509 -in bitarray.crt -text -noout
bitarray.crt: Is certificate file (provided by SSL vendor)
What is X.509? It is a standard which defines the format of public key certificates.
You can see all the information provided by the above command, it provides the certificate expiration date, encryption algorithm, issuer details etc
How to get certificate of a website using CLI/openssl?
$ openssl s_client -connect bitarray.io:443 CONNECTED(00000003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = bitarray.io verify return:1 --- Certificate chain 0 s:/CN=bitarray.io i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 i:/O=Digital Signature Trust Co./CN=DST Root CA X3 ... ...
How to create SSL Certificate?
Creating SSL certificate for a website is a straightforward process.
- Select a vendor that suits your needs
- Select type of certificate (single site, do you need for subdomains etc?, OV, EV etc)
- Generate csr file and private key file on your webserver
- Fill out the information and wait for verification process (which will require uploading csr file)
- Once verification is done you will get crt file (certificate file) and bundle file from the vendor
- Put the files in your web server if you have ssh access to your server (some hosting providers might have a way to upload files).
- You will have to make config changes in the server as below (for apache) and server restart is required. Make sure to change all internal URLs from http to https!
You will need to add a virtual host section on port 443 (this is in addition to virtualHost section on port 80)
SSLCertificateFile Path of certificate file
SSLCertificate Key File Path of Private key file
SSLCACertificateFile Path of certificate bundle file
That’s what you will add in apache configs.
<VirtualHost *:443> DocumentRoot /var/www/html/ ServerName www.bitarray.io SSLEngine on SSLCertificateFile /etc/httpd/conf/bitarray.crt SSLCertificateKeyFile /etc/httpd/conf/bitarray.key SSLCACertificateFile /etc/httpd/conf/bitarraybundle.crt </VirtualHost>
for subdomains you will be creating a similar entry (assuming if your certificate is valid for subdomains):
<VirtualHost *:443> DocumentRoot /var/www/html/subdomain ServerName subdomain.bitarray.io SSLEngine on SSLCertificateFile /etc/httpd/conf/bitarray.crt SSLCertificateKeyFile /etc/httpd/conf/bitarray.key SSLCACertificateFile /etc/httpd/conf/bitarraybundle.crt </VirtualHost>
HTTPS as an SEO signal
Google has confirmed in the past that https:// (or SSL) is an important factor and is a ranking signal. I will highly recommend converting your website/blog to a secured site.
- Remember to change all internal links to https
- It’s a good practice to use relative links to avoid changing URLs/domain name etc
- any image within a webpage using HTTP instead of HTTPS might get flagged as insecure in the browser.
- It’s good practice to forward all your HTTP requests to https (for SEO purposes)
- Cloud providers like AWS provide a certificate manager so you can upload the certificate and use it with Cloudfront.
How to get a Free SSL Certificate?
https://letsencrypt.org/ provides absolutely free SSL certificate with is supported by almost all browsers (Note: Let’s Encrypt is a global Certificate Authority (CA)). If you have shell access to your machine you can automate the procedure of downloading the certificate (cron job!). Setting the automatic process is simple (just download cert-bot).