What Is An SSL/TLS Certificate?

An SSL/TLS certificate is a digital object that allows a system to verify the identity of another system and then establish an encrypted network connection to it using the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocol. Certificates are used within a cryptographic system known as a public key infrastructure (PKI). PKI provides a way for one party to establish the identity of another party using certificates if they both trust a third party, known as a certificate authority (CA). SSL/TLS certificates thus act as digital identity cards: they secure network communications and establish the identity of websites on the Internet as well as of resources on private networks.

Why are SSL/TLS certificates important?

SSL/TLS certificates establish trust among website users. Businesses install SSL/TLS certificates on web servers to create SSL/TLS-secured websites. The characteristics of an SSL/TLS-secured webpage are as follows:

  • A padlock icon in the browser's address bar (older browsers also showed a green bar for extended validation certificates)
  • An https:// prefix on the website address in the browser
  • A valid SSL/TLS certificate. You can inspect the certificate by clicking the padlock icon in the address bar
  • Once the encrypted connection has been established, only the client and the web server can read the data that is sent.

We give some benefits of SSL/TLS certificates below.

Protects private data

Browsers validate the SSL/TLS certificate of a website before starting a secure connection with its server, and the SSL/TLS protocol then encrypts all communication between your browser and the website. Note that this protects data only while it is in transit; data stored on the server is outside the scope of TLS.

Strengthens customer confidence

Internet-savvy customers understand the importance of privacy and want to trust the websites they are visiting. An SSL/TLS-protected website shows the padlock icon, which customers perceive as secure. SSL/TLS protection helps customers know that their data is being protected when they share it with your business.

Supports regulatory compliance

Some businesses must comply with industry regulations for data confidentiality and protection. For example, businesses in the payment card industry must adhere to the PCI DSS. PCI DSS requires cardholder data to be protected with strong cryptography while it is transmitted over open, public networks, which in practice means serving payment pages over TLS with a valid certificate and a current protocol version.

Improves SEO

Major search engines have made SSL/TLS protection a ranking factor for search engine optimization. An SSL/TLS-secured website will likely rank higher on the search engine than a similar website without an SSL/TLS certificate. This increases visitors from search engines to the SSL/TLS-protected website. 

What are the key principles in SSL/TLS certificate technology?

SSL/TLS stands for Secure Sockets Layer/Transport Layer Security. It is a protocol, a set of communication rules, that lets computer systems talk to each other over the internet securely. SSL/TLS certificates allow web browsers to identify web sites and establish encrypted network connections to them using the SSL/TLS protocol.

Encryption

Encryption means scrambling the original message so that it can only be read by the intended recipient. For example, you change the word cat to ecv by moving every letter forward in the alphabet by two places. The recipient knows the rule (or key) and moves each letter back two places to read the actual word. SSL/TLS builds on this concept with public key cryptography, which uses two different but mathematically related keys: one to encrypt and one to decrypt. A certificate binds a public key to a name and is signed by a certificate authority; the browser checks that signature against the CAs it already trusts. The CA is not involved in each connection: it verifies the applicant's identity once, at issuance, and its signature does the work afterwards.

The two types of keys are:

Public key

The browser and web server communicate by encoding and decoding information using public and private key pairs. The public key is the key the web server presents to the browser inside the SSL/TLS certificate. Anyone may hold it; the browser uses it to encrypt information (or to verify the server's signatures) so that only the holder of the matching private key can decrypt it.

Private key

Only the web server has the private key, and it must be kept secret: a leaked private key lets an attacker impersonate the server until the certificate is revoked or expires. Data encrypted with the public key can only be decrypted with the private key, and a signature created with the private key can only be verified with the public key. Because the public key sits in a certificate that a trusted CA has tied to the server's name, a server that can decrypt such a message or produce such a signature proves that it is the legitimate holder of that name.

Authentication

The server sends its SSL/TLS certificate, containing the public key, to the browser. The browser checks that the certificate is signed by a CA in its trust store (directly or through a chain of intermediate CA certificates), that it is within its validity period, that it has not been revoked, and that the name in it matches the site being visited. Hence, it can verify that the web server is who it claims to be.

Digital signature

A digital signature is a value the certificate authority computes over the certificate's contents using its private key. The recipient hashes the same contents, uses the CA's public key to check the signature against that hash, and rejects the certificate if they do not agree. This ensures that no one altered the certificate after the CA issued it and that only the CA could have produced it.

Who validates SSL/TLS certificates?

A certificate authority (CA) is an organization that issues SSL/TLS certificates to web owners, web hosting companies, or businesses. The CA validates the domain and owner details before issuing the SSL/TLS certificate. To be a publicly trusted CA, an organization must meet the requirements of the root programs run by operating system and browser vendors (which build on the CA/Browser Forum Baseline Requirements), pass independent audits, and apply to have its root certificate included in their trust stores. This is important to establish trust amongst internet users. For example, Amazon Trust Services is a certificate authority and can issue SSL/TLS certificates to websites.

What is the validity period for the SSL/TLS certificate?

A publicly trusted SSL/TLS certificate currently has a maximum validity period of 398 days, roughly 13 months. The maximum validity has been reduced over the years. The intention is to limit how long a mis-issued certificate, a leaked private key, or a certificate for a domain that has since changed hands can be abused. For example, a certificate issued to the previous owner of a domain remains valid, and usable to impersonate the site, until it expires or is revoked.

By shortening the validity period, the window for misusing SSL/TLS certificates is reduced. When the SSL/TLS certificate expires, browsers refuse the connection and warn visitors that the site is not secure. The organization replaces the old certificate with a renewed one before it expires; an expired certificate does not need to be revoked, but a certificate whose private key may have been compromised should be revoked immediately rather than left to expire. Because expiry is the most common cause of certificate-related outages, renewal should be automated and expiry dates monitored.

What is included in an SSL/TLS certificate?

An SSL/TLS certificate contains the following information.

  • Domain name(s): the subject and its subject alternative names
  • Certificate authority that issued it (the issuer)
  • Certificate authority's digital signature and the algorithm used to create it
  • Issuance date (not before)
  • Expiration date (not after)
  • Public key and its algorithm
  • X.509 certificate version and serial number

A certificate does not record an SSL/TLS protocol version; the protocol version is negotiated during the handshake, and the same certificate can be used with any version.

TLS stands for Transport Layer Security. It is the successor of SSL, continuing from SSL version 3.0: TLS 1.0 was a modest revision of SSL 3.0, and the protocol has since been revised up to TLS 1.3. Like SSL, TLS provides an encrypted data transmission channel between a browser and the web server. All versions of SSL, as well as TLS 1.0 and 1.1, are deprecated because of known weaknesses, so modern servers use TLS 1.2 or 1.3, but SSL remains a popular acronym and the certificates are often still called SSL certificates even though the certificate format (X.509) is the same regardless of protocol. While not exactly the same, the terms SSL and TLS are commonly used to mean the same thing, and the protocol is often written SSL/TLS.

How does an SSL/TLS certificate work?

Browsers use the SSL/TLS certificate to start a secure connection with the web server through the SSL/TLS handshake. Hypertext transfer protocol secure (HTTPS) is HTTP carried inside an SSL/TLS connection, so the handshake is the first thing that happens on an HTTPS connection. HTTP by itself sends information in plain text, which means that information sent from a browser can be intercepted, read and modified by third parties on the network path. Browsers use HTTP with SSL/TLS, or HTTPS, for secure communication.

SSL/TLS handshake

The SSL/TLS handshake involves the following steps:

  1. The browser opens an SSL/TLS-secured website and connects to the web server.
  2. The browser sends a ClientHello message that lists the protocol versions and cipher suites it supports and asks the server to identify itself.
  3. The web server replies with its SSL/TLS certificate, which contains its public key, together with any intermediate CA certificates needed to chain it to a trusted root.
  4. The browser verifies the SSL/TLS certificate, ensuring that it is signed by a trusted CA, is within its validity period and matches the website domain. Once the browser is satisfied with the certificate, it generates a random secret, encrypts it with the server's public key and sends it; both sides derive the session key from this secret.
  5. The web server uses its private key to decrypt the message and derive the same session key. It then uses the session key to encrypt and send a Finished message to the browser, which proves that it holds the private key.
  6. Now, both browser and web server use the same session key to exchange messages safely.

Session key 

A session key maintains encrypted communication between the browser and web server after the initial SSL/TLS authentication is completed. The session key is a cipher key for symmetric cryptography, which uses the same key for both encryption and decryption. Asymmetric cryptography is far more expensive per byte, so the public-key operations are used only to authenticate the server and agree on the session key, and the bulk of the connection is protected with symmetric ciphers such as AES-GCM. Note that the steps above describe the RSA key exchange of TLS 1.2 and earlier. TLS 1.3, and TLS 1.2 with ECDHE cipher suites, derive the session key from an ephemeral Diffie-Hellman exchange instead and use the certificate's private key only to sign the handshake; this gives forward secrecy, meaning that a private key stolen later cannot decrypt traffic recorded earlier.
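The key principles above (public and private keys, the CA's signature, the browser's verification) and the RSA key exchange handshake just described, carried through in one runnable toy, as an added example that is not part of the AWS page or of any AWS product. It uses only the Python standard library and assumes constructed names and values: a root CA called "Example Root CA", a server certificate for example.com, validity dates written as YYYYMMDD integers, a 320-bit toy RSA modulus, unpadded ("textbook") RSA, and a SHA-256 keystream standing in for AES-GCM. None of those shortcuts are safe in real code; the point is to show which key does what and which checks the browser performs before it trusts the server's public key.

```python
# Added example (not from this page or AWS): toy PKI plus RSA-key-exchange
# handshake, standard library only. Sizes, unpadded RSA and the SHA-256
# keystream are deliberate toy simplifications; real TLS uses 2048-bit+ RSA
# or ECDSA with proper padding, AES-GCM/ChaCha20, and (TLS 1.3) ephemeral
# Diffie-Hellman rather than encrypting the session key with the cert key.
import hashlib
import json
import math
import random

E = 65537  # the usual RSA public exponent

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin test; fine for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(seed, bits=320):
    """Deterministic toy key pair: returns ((n, e), (n, d))."""
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _is_probable_prime(c, rng):
                return c
    p, q = prime(), prime()
    while q == p or math.gcd(E, (p - 1) * (q - 1)) != 1:
        q = prime()
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), (n, d)

def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def _tbs(cert):
    """Canonical 'to be signed' bytes: every field except the signature."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(fields, sort_keys=True).encode()

def issue_certificate(ca_name, ca_priv, subject, subject_pub, not_before, not_after):
    """The CA binds a name to a public key and validity window with its signature."""
    cert = {"subject": subject, "issuer": ca_name, "public_key": list(subject_pub),
            "not_before": not_before, "not_after": not_after}
    n, d = ca_priv
    cert["signature"] = pow(_digest(_tbs(cert)), d, n)  # sign with CA private key
    return cert

def verify_certificate(cert, trust_store, hostname, now):
    """What the browser checks before trusting the server's public key."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None:
        return False, "issuer not in trust store"
    n, e = ca_pub
    if pow(cert["signature"], e, n) != _digest(_tbs(cert)):
        return False, "bad CA signature"  # altered after issuance, or forged
    if not cert["not_before"] <= now <= cert["not_after"]:
        return False, "certificate expired or not yet valid"
    if cert["subject"] != hostname:
        return False, "name mismatch"
    return True, "ok"

def stream_xor(key, nonce, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream (stand-in for AES-GCM)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(16, "big") + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def handshake(server_cert, server_priv, trust_store, hostname, now, client_rng):
    """Steps 4-6 above: verify the cert, wrap a session key with the server's
    public key, the server unwraps it with its private key, both go symmetric."""
    ok, reason = verify_certificate(server_cert, trust_store, hostname, now)
    if not ok:
        raise ValueError("handshake aborted: " + reason)
    session_key = client_rng.getrandbits(128)
    n, e = server_cert["public_key"]
    wrapped = pow(session_key, e, n)        # browser -> server
    n, d = server_priv
    server_key = pow(wrapped, d, n)         # only the private key unwraps it
    ack = stream_xor(server_key, b"srv", b"Finished")   # server -> browser
    return session_key, stream_xor(session_key, b"srv", ack)

# Constructed demo data: one root CA and one certificate for example.com.
CA_PUB, CA_PRIV = rsa_keygen(seed=1)
SERVER_PUB, SERVER_PRIV = rsa_keygen(seed=2)
TRUST_STORE = {"Example Root CA": CA_PUB}
SERVER_CERT = issue_certificate("Example Root CA", CA_PRIV, "example.com",
                                SERVER_PUB, 20240101, 20250201)

if __name__ == "__main__":
    key, ack = handshake(SERVER_CERT, SERVER_PRIV, TRUST_STORE, "example.com",
                         20240615, random.Random(3))
    print("session established; decrypted server ack:", ack)
```

Three failure modes are worth trying by hand: change any field of SERVER_CERT and verification fails on the signature check, because the CA signed the original contents; move `now` past `not_after` and it fails on validity; issue a certificate for example.com from a CA that is not in TRUST_STORE and it fails on the issuer check, which is exactly what stops a network attacker from presenting a self-signed certificate for someone else's domain.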

What are the types of SSL/TLS certificates?

SSL/TLS certificates differ according to the level of validation performed and the names they cover. Certificates with different levels of validation are classified as:

  • Extended validation certificates
  • Organization validated certificates
  • Domain validated certificates

SSL/TLS certificates that support different domain types are:

  • Single domain certificate
  • Wildcard certificate
  • Multi-domain certificate

Extended validation certificates 

An extended validation certificate (EV SSL/TLS) is a digital certificate with the highest level of identity validation and therefore of trust. The encryption it enables is exactly the same as for any other certificate type, since cipher strength is determined by the key and the TLS configuration, not by the validation level. When applying for an EV certificate, an organization or web owner is subjected to stringent checks by certificate authorities. This includes verifying the legal existence and physical business address of the organization, the authority of the person applying, and exclusive rights to use the domain.

Businesses use EV certificates to protect users against unauthorized third parties. This is important when the company processes sensitive data on the website, such as financial transactions and medical records. An EV certificate contains details of the business organization, which can be viewed in the browser's certificate viewer; most current browsers no longer give EV certificates a distinct indicator in the address bar.

Organization validation certificates

Organization validation certificates (OV SSL/TLS) are second to EV in terms of validation and trust. Like EV, companies must go through a verification process when applying. The vetting is less stringent, but applicants must prove both control of the domain and the existence of the organization to the certificate authority.

The OV certificate contains validated business information and can be inspected in the browser. Front-facing and commercial businesses use OV certificates to build trust amongst customers. As with the other types, the strength of the encryption on an OV-protected connection comes from the key and the TLS configuration, not from the validation level.

Domain validation certificates

Domain validation certificates (DV SSL/TLS) are digital certificates with the lowest level of validation. They also cost the least, and several CAs issue them free of charge. Unlike EV and OV certificates, DV applicants go through only an automated check that they control the domain, typically by responding to an email sent to an address at the domain, publishing a DNS record, or serving a file at a URL the CA specifies.

A DV certificate does not contain information about the applicant's organization, only the domain name. It therefore assures users that they are talking to whoever controls the domain, but says nothing about who that is. DV certificates are suitable for informational websites, such as blogs. They are not ideal for payment gateways, health care businesses, or other websites handling sensitive data.

Single domain SSL/TLS certificates

A single domain SSL/TLS certificate protects exactly one fully qualified host name. A domain is the main address of a website, such as amazon.com. A subdomain is a host name with an extra label in front of the main domain, such as aws.amazon.com.

For example, you can use a single domain certificate on example.com. However, the same certificate does not cover sub.example.com, and a certificate issued for sub.example.com does not cover example.com.

Wildcard SSL/TLS certificates

A wildcard SSL/TLS certificate protects a domain's subdomains through a name of the form *.example.com. The wildcard matches exactly one label, so *.example.com covers blog.example.com and shop.example.com but not example.com itself or a.blog.example.com; CAs therefore normally list the bare domain example.com as an additional name in the certificate so that one certificate covers both. Because a single private key then serves every subdomain, a compromise of any one host exposes all of them, so wildcards suit a fleet under one administrative control rather than many independently managed hosts.

Multi-domain SSL/TLS certificates

Multi-domain certificates are also known as subject alternative name (SAN) certificates or unified communications certificates. A multi-domain SSL/TLS certificate lists several unrelated host names in its subject alternative name extension, so it can protect multiple domain names hosted on the same or different servers under the same ownership. For example, one multi-domain certificate can cover example1.com, domain2.co.uk, shop.business3.com, and chat.message.au. Every name in the certificate is visible to anyone who connects to any of them, which can reveal which domains belong together.
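The matching rules that separate the three certificate types above, as an added example that is not part of the AWS page: this is the check a client performs after the signature and validity checks, deciding whether any DNS name in the certificate covers the host it connected to. It follows the RFC 6125 rules browsers apply (wildcard only as the whole left-most label, matching exactly one label, never directly under a top-level domain) and uses constructed name lists for the single, wildcard and multi-domain cases; the hostnames are illustrative.

```python
# Added example (not from this page or AWS): certificate name matching as a
# browser does it. Names come from the subjectAltName extension; a wildcard is
# honoured only as the entire left-most label and matches exactly one label.
def _name_matches(pattern, hostname):
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname            # exact, case-insensitive match
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                          # "www*.x" and "*.com" are rejected
    if len(p_labels) != len(h_labels):
        return False                          # "*" never spans more than one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san_dns_names, hostname):
    """True if any DNS name in the certificate covers hostname."""
    return any(_name_matches(n, hostname) for n in san_dns_names)


# Constructed name lists for the three certificate types (DNS names only).
SINGLE_DOMAIN = ["example.com"]
WILDCARD = ["*.example.com", "example.com"]   # bare name must be listed too
MULTI_DOMAIN = ["example1.com", "domain2.co.uk", "shop.business3.com", "chat.message.au"]

if __name__ == "__main__":
    for host in ("example.com", "blog.example.com", "a.blog.example.com"):
        print(host, "->", hostname_matches(WILDCARD, host))
```

The two cases people get wrong in practice are both visible here: a certificate that lists only *.example.com does not cover example.com, and it does not cover a.blog.example.com either, so a site that serves both the bare domain and its subdomains needs both names in the certificate.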

What is AWS Certificate Manager?

AWS Certificate Manager (ACM) is a service that lets you easily provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources. It removes the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates. Instead, you can quickly request a certificate and deploy it on ACM-integrated AWS resources, such as Elastic Load Balancing, Amazon CloudFront distributions, or APIs on Amazon API Gateway and let AWS Certificate Manager handle certificate renewals. It also enables you to create private certificates for your internal resources and manage the certificate lifecycle centrally.

Organizations use ACM to simplify the application, deployment, and renewal of SSL/TLS certificates. Instead of the conventional process of generating a key pair and submitting a certificate signing request (CSR) to a certificate authority, you can request an ACM-managed certificate with a few clicks or a single API call. ACM validates control of the domain through DNS records or email before issuing, and renews the certificate automatically as long as it remains associated with an AWS resource and the validation records stay in place.

Get started with AWS Certificate Manager by signing up for an AWS account today.
