
What is an SSL certificate?

Last Updated:Mar 27, 2025

SSL certificates are digital certificates issued by publicly trusted certificate authorities (CAs) that have passed a WebTrust audit. A certificate binds a domain name (and, for OV and EV certificates, an organization) to a public key, so that visitors can authenticate your website and establish an encrypted connection to it. The name is historical: SSL (Secure Sockets Layer) has been superseded by Transport Layer Security (TLS), all versions of SSL itself are deprecated, and every SSL certificate sold today is used with TLS. TLS encrypts application data carried over TCP/IP for protocols such as HTTPS and the TLS-protected variants of Telnet and FTP. It uses public-key cryptography to authenticate the server (and optionally the client), negotiate symmetric session keys, and protect message integrity.

Implementation

SSL certificate-based encryption

TLS implements secure communication with a hybrid mechanism: asymmetric (public-key) cryptography for authentication and key agreement, and symmetric encryption for the application data itself. The core process consists of two phases: certificate generation and verification, and construction of an encrypted session.

  1. Certificate generation and verification

    • When you apply for a certificate from a CA, you first generate a key pair on the server, typically a 2048-bit Rivest-Shamir-Adleman (RSA) key pair or a 256-bit elliptic curve cryptography (ECC) key pair. You then package the public key, the domain name, and (for OV and EV certificates) your enterprise information into a certificate signing request (CSR). The private key stays on the server and is never sent to the CA.

    • After the CA has verified that you control the domain name, by Domain Name System (DNS) verification or file verification (and, for OV and EV certificates, has verified the organization), it signs a certificate containing your public key and the verified names with its own private key. Browsers do not trust the issuing key directly: the signature creates a chain of trust from a root certificate (pre-installed in the browser or operating system trust store) through one or more intermediate certificates to the server certificate. The browser verifies every signature in that chain, so a certificate cannot be forged without a CA's private key.

  2. Construction of an encrypted session

    • The client sends a ClientHello message to start the TLS handshake. The message lists the TLS versions and cipher suites the client supports and carries a client random number (in TLS 1.3 it also carries the client's ephemeral key share).

    • The server responds with a ServerHello message that selects the TLS version and cipher suite and carries the server random number, followed by the server's certificate chain: the server certificate plus any intermediate certificates. The root is not sent because the client must already trust it.

    • The client validates the certificate: the signature chain back to a trusted root, the domain name against the certificate's Subject Alternative Name entries, the validity period, and the revocation status, using the Online Certificate Status Protocol (OCSP) or a certificate revocation list (CRL).

    • With the legacy RSA key exchange of TLS 1.2 and earlier, the client generates a pre-master secret, encrypts it with the public key from the server certificate, and sends it to the server. This mode has no forward secrecy (a later compromise of the server's private key exposes all recorded sessions) and was removed from TLS 1.3.

    • In modern deployments the pre-master secret is instead agreed with an ephemeral key exchange such as Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or Diffie-Hellman Ephemeral (DHE). The server signs its ephemeral key share with the private key that matches its certificate, which is how the certificate authenticates the server. In both cases, the client and server derive the session keys from the pre-master secret and the two random numbers.

    • Subsequent application data is protected with a symmetric authenticated-encryption algorithm such as Advanced Encryption Standard (AES) in GCM mode, which is far cheaper than public-key operations and keeps computing overhead low.
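The CA-side steps in item 1 and the chain, hostname and validity-period checks in item 2 can be reproduced end to end with a throw-away local PKI. The following shell script is an added example, not Alibaba Cloud tooling or part of the original page. It assumes the openssl command-line tool (1.1.1 or later) is on PATH; the names Demo Root CA, Demo Intermediate CA, Rogue Root CA and www.example.com are made up, and the private keys are written unencrypted to a temporary directory, which is acceptable only for a demo.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's tooling): a throw-away PKI that reproduces the
# CA steps above and the client-side certificate checks from the handshake list.
# Assumes: openssl 1.1.1 or later on PATH. All names are made up for the demo.
set -eu

# Build root CA -> intermediate CA -> server certificate under directory $1.
build_demo_pki() {
  d="$1"
  mkdir -p "$d"
  # Extensions that make a certificate a CA (what clients require of an issuer).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"

  # 1. Root CA: 256-bit EC key pair, self-signed. In production this certificate
  #    sits in the browser/OS trust store; here it is just a file.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/root.key" -out "$d/root.csr" -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

  # 2. Intermediate CA: its own key pair and CSR, signed by the root.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/inter.key" -out "$d/inter.csr" -subj "/CN=Demo Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null

  # 3. Server side: generate the key pair and the CSR. Only server.csr goes to the
  #    CA; server.key never leaves the server.
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$d/server.key" 2>/dev/null
  openssl req -new -key "$d/server.key" -out "$d/server.csr" \
    -subj "/C=CN/O=Example Ltd/CN=www.example.com" 2>/dev/null

  # 4. CA side: after verifying domain control, the CA signs a certificate that binds
  #    the public key from the CSR to the verified names (subjectAltName).
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com,DNS:example.com\n' > "$d/server.ext"
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 397 -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null

  # What the web server sends in the handshake: leaf first, then the intermediate.
  # The root is omitted because the client must already trust it.
  cat "$d/server.crt" "$d/inter.crt" > "$d/fullchain.pem"

  # An unrelated self-signed root stands in for a forged or untrusted issuer.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$d/rogue.key" -out "$d/rogue.csr" -subj "/CN=Rogue Root CA" 2>/dev/null
  openssl x509 -req -in "$d/rogue.csr" -signkey "$d/rogue.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/rogue.crt" 2>/dev/null
}

# The client's checks: chain to a trusted root, CA and key-usage constraints for a
# TLS server, hostname against subjectAltName, and validity period at time $5
# (epoch seconds, default now). Prints OK or FAIL.
#   $1 trust anchor  $2 intermediate  $3 leaf  $4 expected hostname  [$5 time]
verify_leaf() {
  at="${5:-$(date +%s)}"
  if openssl verify -CAfile "$1" -untrusted "$2" -purpose sslserver \
       -verify_hostname "$4" -attime "$at" "$3" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

work="$(mktemp -d)"
build_demo_pki "$work"
now="$(date +%s)"
echo "trusted root, correct name:      $(verify_leaf "$work/root.crt" "$work/inter.crt" "$work/server.crt" www.example.com)"
echo "trusted root, wrong name:        $(verify_leaf "$work/root.crt" "$work/inter.crt" "$work/server.crt" evil.example.com)"
echo "untrusted root (forged issuer):  $(verify_leaf "$work/rogue.crt" "$work/inter.crt" "$work/server.crt" www.example.com)"
echo "trusted root, 400 days later:    $(verify_leaf "$work/root.crt" "$work/inter.crt" "$work/server.crt" www.example.com $((now + 400*86400)))"
# What the CA actually signed into the server certificate:
openssl x509 -in "$work/server.crt" -noout -subject -issuer -dates -ext subjectAltName
```

The first verification succeeds; the other three fail for the reasons a browser would give (hostname mismatch, unable to get issuer certificate, certificate has expired). Revocation is the one check this offline demo cannot show: against a real deployment, run openssl s_client with -status to fetch an OCSP response from the server. Note that openssl verify reads the intermediate from -untrusted exactly as a browser takes it from the handshake, so a server that omits its intermediate fails this check even though the certificate itself is fine.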

Note

An SSL certificate contains a public key for an algorithm such as RSA, ECC, or the Chinese SM2 standard. The matching private key is used to authenticate the server and, depending on the key exchange, to establish the session key. The application data itself is encrypted with a symmetric cipher, not with the certificate's key pair. For more information, see Certificate encryption algorithm and What are public and private keys?

Scenarios and usage

A website without an SSL certificate transmits all data in plaintext. Anyone on the network path, for example on public Wi-Fi or with a packet sniffer, can read sensitive information such as user passwords and bank card numbers, and an active attacker can modify the data in transit. A man-in-the-middle (MITM) attack against an e-commerce payment page, for example, can divert or steal payments. Browsers label such websites "Not secure", which directly costs traffic. In addition, unencrypted communication may violate regulations in many jurisdictions, and the business may face high fines and loss of compliance status in industries such as finance and healthcare.

With an SSL certificate deployed, traffic is protected by the hybrid encryption mechanism: an attacker who intercepts the traffic cannot read it without the session keys, and recovering those keys by brute force is not feasible with any practical amount of computing resources and time. Browsers display a lock icon in the address bar for the HTTPS site. Note that modern browsers no longer show the enterprise name from an extended validation (EV) certificate in the address bar; since 2019, Chrome and Firefox show it only in the certificate details dialog, so the trust benefit of EV is in the stricter vetting, not in a visible indicator. An SSL certificate also helps meet the encryption-in-transit requirements of compliance frameworks such as Multi-Level Protection Scheme (MLPS) 2.0 and PCI DSS, which reduces legal and compliance risk.

Procedure


Purchase

Alibaba Cloud supports domain validated (DV), organization validated (OV), and EV certificates. Alibaba Cloud also supports multiple trusted CAs, including DigiCert, GlobalSign, and GeoTrust. The CAs provide various types of certificates, including single-domain, wildcard, and multi-domain certificates. You can select a certificate brand and type based on your website security requirements. For more information about how to purchase certificates, see Purchase an official certificate.

Creation and application

The certificate application process consists of the following steps: creation, application, and domain name ownership verification.

  • Creation

    After you purchase an official certificate, you need to bind a domain name to it. If you already bound a domain name when you purchased the certificate, skip this step. For more information, see Create a certificate.

  • Application

    You must enter the information required for the certificate type and submit it to the CA for review. The required information includes the domain name or IP address that you want to bind to the certificate, the method to be used for domain name ownership verification, the contact information for the certificate, and, for OV and EV certificates, the business license of your company. For more information, see Apply for a certificate.

  • Domain name ownership verification

    Before the CA issues the certificate for your website, you must prove to the CA that you own or control the domain name bound to the certificate, typically by adding a DNS record or publishing a file on the website as instructed by the CA. For more information, see Domain name ownership verification.

Deployment

After a certificate is issued, deploy it on your web server to enable HTTPS access. Install the full chain (the server certificate followed by the intermediate certificates the CA provides) together with the private key; if the intermediates are missing, some clients cannot build the chain of trust and reject the connection. The deployment steps vary based on the server type and the hosting environment. Supported servers include Apache, NGINX, and IIS servers. For more information, see Deploy an SSL certificate.

Subsequent operations

Renewal

When a certificate is about to expire, renew it to obtain a new certificate and install the new certificate on your web server so that HTTPS continues without interruption. Publicly trusted certificates are valid for at most 397 days, approximately 13 months, so renewal is at least an annual task; monitor expiry dates or automate the renewal. If a certificate expires before it is renewed, browsers show a certificate error page instead of your website, which damages user trust and experience. For more information, see Renew an official SSL certificate.
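Two checks catch most failures when deploying a newly issued or renewed certificate: the private key on the server must match the certificate, and the certificate must not be close to expiry. The following shell script is an added example, not Alibaba Cloud's deployment tooling and not from the original page. It assumes openssl 1.1.1 or later is installed, uses a constructed self-signed 30-day certificate as its input, and the NGINX paths /etc/nginx/ssl/fullchain.pem and /etc/nginx/ssl/privkey.pem are assumptions to adjust to your server.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud tooling): checks to run before installing a new
# or renewed certificate and after deploying it. Assumes openssl 1.1.1+ on PATH;
# file paths and hostnames are made up for the demo.
set -eu

# Does private key $1 belong to certificate $2? Both commands emit the public key in
# the same PEM form, so a byte-for-byte comparison is enough. NGINX and Apache refuse
# to start when the key does not match the certificate.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
  c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does certificate $1 expire within the next $2 days? Exit status 0 (true) if so.
# Run from cron or a monitor so renewal starts well before the 397-day limit.
expires_within_days() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# SHA-256 fingerprint of certificate $1 (hex with colons).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a live server presents for host $1. Needs network,
# so it is not run here; compare its output with cert_fingerprint of the deployed file.
live_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed input: a self-signed 30-day certificate plus an unrelated second key.
work="$(mktemp -d)"
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -keyout "$work/privkey.pem" -out "$work/fullchain.pem" -days 30 \
  -subj "/CN=www.example.com" 2>/dev/null
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$work/other.key" 2>/dev/null

key_matches_cert "$work/privkey.pem" "$work/fullchain.pem" && echo "privkey.pem matches the certificate"
key_matches_cert "$work/other.key" "$work/fullchain.pem"   || echo "other.key does NOT match the certificate"
expires_within_days "$work/fullchain.pem" 45 && echo "expires within 45 days: renew now"
expires_within_days "$work/fullchain.pem" 7  || echo "not expiring within 7 days"
echo "deployed fingerprint: $(cert_fingerprint "$work/fullchain.pem")"

# Minimal NGINX server block for the deployed files (assumed paths; adjust to yours).
cat > "$work/example.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;  # server cert first, then intermediates
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;    # readable by root only
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
echo "wrote $work/example.conf"
```

After a renewal, running cert_fingerprint on the new file and live_fingerprint on the public hostname is the quickest way to confirm that the server (or a load balancer in front of it) is really serving the new certificate rather than a cached old one.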

Revocation

If you no longer want to use a certificate, for example because its private key may have been compromised, you can revoke it. After the CA revokes the certificate, it is listed in the CA's CRL and OCSP responses, and clients that check revocation status reject it, so it can no longer be used for secure communications. Revoke a compromised certificate immediately and replace it with a newly issued one. For more information, see Revoke and delete a certificate.

Certificate brands and types

You can purchase SSL certificates of multiple brands and types from Alibaba Cloud Certificate Management Service. When you purchase a certificate, you must consider factors such as the deployment scenario, certificate type, security level, and price. For more information, see Select an SSL certificate.

Certificate types

Alibaba Cloud supports DV, OV, and EV certificates. The types differ in how strictly the CA validates the applicant's identity, which brands offer them, and which websites they suit. The encryption used on the wire is the same for all three types; what differs is what a visitor can learn about who operates the website.

DV

  • Applicable websites: Personal websites used for app services, information display, or enterprise or personal testing. If the website is owned by an individual who does not have an enterprise business license, only DV certificates can be applied for.

  • Credibility level: Moderate

  • Authentication strength: The CA verifies only that the applicant controls the domain name; no organization identity is checked.

  • Security level: Moderate

  • Verification method and required material: DNS verification. You only need to specify a domain name.

  • Time required for certificate issuance: Usually 10 minutes to 2 business days

  • Available certificate brands: DigiCert, GlobalSign, Alibaba Cloud

OV

  • Applicable websites: Websites of public service sectors, small- and medium-sized enterprises, and educational institutions. For general enterprises, mobile websites, and API call-related applications, we recommend OV certificates or certificates that provide a higher level of trust.

  • Credibility level: High

  • Authentication strength: The CA verifies the identity of the organization or enterprise in addition to control of the domain name.

  • Security level: High

  • Verification method and required material: Email or phone call. You must submit the information for domain name ownership verification, a company profile, and a business license.

  • Time required for certificate issuance: 3 to 7 business days

  • Available certificate brands: DigiCert, GlobalSign

EV

  • Applicable websites: High-privacy websites that involve transactions, payments, or private data, including websites of large enterprises and websites in industries such as finance and e-commerce. For financial or payment enterprises, we recommend EV certificates.

  • Credibility level: Highest

  • Authentication strength: The CA performs strict extended validation of the organization's legal identity and operational existence.

  • Security level: Highest

  • Verification method and required material: Email or phone call. You must submit the information for domain name ownership verification, a company profile, and a business license.

  • Time required for certificate issuance: 3 to 7 business days

  • Available certificate brands: DigiCert

Certificate brands

The following list describes the certificate brands available and the CA behind each.

DigiCert

  • CA: DigiCert, Inc.

  • Description: DigiCert is a well-known and trusted CA and SSL certificate brand in the industry. DigiCert certificates use current industry-standard cryptography to protect websites and servers. DigiCert acquired Symantec's website security business in 2017, so certificates formerly branded Symantec are now issued by DigiCert.

GlobalSign and Alibaba Cloud

  • CA: GMO GlobalSign Pte Ltd.

  • Description: GlobalSign is one of the earliest CAs in the industry and is committed to network security authentication and digital certificate services. GlobalSign is a trusted CA and SSL certificate brand. Alibaba Cloud-branded certificates are issued through GlobalSign and are more cost-effective than the other brands.