General SSL Knowledge

Need for SSL:
  • You have an online store or accept online orders and credit cards.
  • You offer a login or sign in on your site.
  • You process sensitive data such as address, birth date, license, or ID numbers.
  • You value privacy and expect others to trust you.

What Happens When a Browser Encounters SSL
  1. A browser attempts to connect to a website secured with SSL.
  2. The browser requests that the web server identify itself.
  3. The server sends the browser a copy of its SSL Certificate.
  4. The browser checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
  5. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  6. Encrypted data is shared between the browser and the server and https appears.
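As an added example, not code from this page or from DigiCert, the following Go program mirrors step 4 with the standard library's crypto/x509: it builds a hypothetical root CA and a server certificate issued for one domain (all names constructed) and checks that certificate against a trust store the way a browser does. The same check fails for an unknown root or for a host the certificate was not issued to, and the subject's Organization field is what separates an organization-validated certificate from a domain-validated one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with signer's key; parent == nil means self-signed (a root CA).
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// BuildChain constructs a root CA and the server certificate it issued for host.
// org is the verified organization an OV/EV certificate carries in its subject;
// pass "" for a domain-validated certificate, which names only the domain.
// Everything here is hypothetical: no real CA is involved.
func BuildChain(host, org string) (root, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	root = makeCert(rootTmpl, nil, &rootKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the one domain this certificate is issued for
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if org != "" {
		leafTmpl.Subject.Organization = []string{org}
	}
	leaf = makeCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return root, leaf
}

// CheckTrust is step 4 above: the client accepts leaf only if it chains to a
// root in its own trust store, is inside its validity period, and was issued
// for the host the client asked for. A nil error means the certificate is trusted.
func CheckTrust(leaf *x509.Certificate, trusted []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // an empty pool, not the system store: only what we add is trusted
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	root, leaf := BuildChain("shop.example", "Example Store Inc")
	fmt.Println("trusted root:  ", CheckTrust(leaf, []*x509.Certificate{root}, "shop.example"))
	fmt.Println("unknown root:  ", CheckTrust(leaf, nil, "shop.example"))
	fmt.Println("wrong hostname:", CheckTrust(leaf, []*x509.Certificate{root}, "evil.example"))
	fmt.Println("organization:  ", leaf.Subject.Organization)
}
```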

Encryption Protects Data During Transmission

Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their data during transfer by creating a uniquely encrypted channel for private communications over the public Internet. Each SSL Certificate consists of a key pair as well as verified identification information. When a web browser (or client) points to a secured website, the server shares the public key with the client to establish an encryption method and a unique session key. The client confirms that it recognizes and trusts the issuer of the SSL Certificate. This process is known as the “SSL handshake” and it begins a secure session that protects message privacy, message integrity, and server security.

Credentials Establish Identity Online

Credentials for establishing identity are common: a driver’s license, a passport, a company badge. SSL Certificates are credentials for the online world, uniquely issued to a specific domain and web server and authenticated by the SSL Certificate provider. When a browser connects to a server, the server sends the identification information to the browser. To view a website’s credentials:
  • Click the closed padlock in a browser window
  • Click the trust mark (such as a Norton Secured Seal)
  • Look in the green address bar triggered by an Extended Validation (EV) SSL

Authentication Generates Trust in Credentials

Trust of a credential depends on confidence in the credential issuer because the issuer vouches for the credential’s authenticity. Certification Authorities use a variety of authentication methods to verify information provided by organizations. Digicert, the leading Certification Authority, is well known and trusted by browser vendors because of our rigorous authentication methods and highly reliable infrastructure. Browsers extend that trust to SSL Certificates issued by DigiCert.

Extend Protection beyond HTTPS

DigiCert SSL Certificates offer more services to protect your site and grow your online business. Our combination of SSL, vulnerability assessment, and daily website malware scanning helps you provide site visitors with a safer online experience and extend server security beyond HTTPS to your public-facing web pages. The Smart Seal and DigiCert Seal-in-Search technology help assure your customers that your site is safe from search to browse to buy.

Hypertext Transfer Protocol Secure, or HTTPS, is the layering of the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) and HTTP protocols to create secure communication.
HTTPS indicates that the website has been authenticated by a third-party Certification Authority (CA), and that the organization operating the website is who it claims to be. HTTPS is a visual indication that information is being exchanged for the session in a more secure way.
HTTPS appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking either the lock symbol in the browser bar or the Norton Secured Seal posted on the page.
Websites that display HTTPS in the URL and include the green bar are secured by Extended Validation, the most stringently validated form of SSL. These websites go through the most rigorous authentication procedures mandated by the industry.
Another important step towards ensuring a user is protected as they view a website is hosting the site completely over HTTPS, including all the content, images, and links. If not all of the web pages are loaded over HTTPS, the user can be susceptible to session hijacking.

Phishing is the practice of a fraudulent website imitating an authentic site to gather credit card numbers, identities, or other private information from consumers without their permission. Usually, phishing or fraudulent websites look just like the real thing.
To distinguish a phishing site from a valid site, customers may look for subtle signs including requests for user names and passwords.
Where phishing sites often try to scare consumers into submitting their user name and password, a valid site will never scare visitors into providing this information.

Before submitting information or purchasing goods from an online merchant, you need to know that the company you are doing business with is who it claims to be.
While Web sites can buy server certificates from many different companies, Internet browsers are configured to trust only those server certificates that come from a few highly reputable companies.
When you visit an online business that is secured by DigiCert, Thawte, or Geotrust for example, you can be certain that the site is authentic.
While many consumers and merchants do not fully understand the detailed practices behind Digicert authentication services, they do know to look for the DigiCert Secured Seals as evidence that a business is real and that its site is a safe place to shop.
Every authenticated Web business gets the seal along with their certificate solution to increase customers’ confidence in their site. The Microsoft® Internet Explorer and Netscape® Navigator® browsers have built-in security mechanisms to prevent users from unwittingly submitting their personal information over insecure channels. If a user tries to submit information to an unsecured site (a site without an authenticated SSL Certificate), the browsers will by default show a warning, which can make the purchase process seem threatening.

The Digicert Trust Seal is a dynamic, animated graphic that displays on Web pages secured by Digicert SSL Certificates and Web sites authenticated by Symantec, now DigiCert.
When users click the Digicert seal, it opens a Digicert-generated verification page containing information about your Digicert SSL Certificate, your organization, and the status of your malware scan.
The Digicert seal, the most recognized trust mark on the Internet, is viewed up to 250 million times a day on more than 90,000 Web sites in 160 countries and in search results on enabled browsers as well as partner shopping sites and product review pages.

  • Sharing certificates on multiple servers increases the risk of exposure.
  • Auditing becomes more complex, reducing accountability and control. If a private key becomes compromised, it can be difficult to trace and all servers sharing that certificate are at risk.
  • Because sharing certificates degrades security, the Digicert certificate subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased additional server licenses.
  • DigiCert's licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators.

When a browser connects to a server, the server sends the identification information to the browser.
To view a Web site’s credentials, do one of the following:
  • Click the closed padlock in a browser window
  • Click the trust mark (such as the Digicert Trust™ Seal, Smart Seal)
  • Look in the address bar*
Only SSL Certificates with EV trigger high-security Web browsers to display your organization’s name in a green address bar and show the name of the Certificate Authority that issued it.

Depending on the certificate you choose, Certificate Authorities (CAs) validate the certificate at different levels.
  1. Domain Validation Certificates: Ideal for non-critical web pages
    • Verifies ownership and control of the domain name only
    • Issued in minutes
    • Maintains browser compliance
  2. Organization Validation Certificates: Ideal for more sensitive webpages such as login pages
    • Enhanced validation including authenticating the identity of the applicant
    • Issued within one day
    • Maintains browser compliance
  3. Extended Validation Certificates: Ideal for sensitive webpages including e-commerce, online banking, account signups
    • A standards-based approach to authentication, representing the highest level of authentication for SSL Certificates
    • Typically issued within 1-3 days
    • Maintains browser and other industry compliance

Different types of SSL Certificates
Domain Validated Certificate:
  • Considered an entry-level SSL Certificate and can be issued quickly.
  • The only verification check performed is to ensure that the applicant owns the domain (web site address) where they plan to use the certificate.
  • No additional checks are done to ensure that the owner of the domain is a valid business entity.
Fully authenticated SSL Certificate:
  • The first step to true online security and confidence building.
  • Taking slightly longer to issue, these certificates are only granted once the organization passes a number of validation procedures and checks to confirm the existence of the business, the ownership of the domain, and the user’s authority to apply for the certificate.
Extended Validation (EV) SSL Certificates:
  • EV Certificates offer the highest industry standard for authentication and provide the best level of customer trust available.
  • When a customer visits a website secured by an EV SSL Certificate, a field appears with the details of the legitimate business along with the name of the security provider that issued the EV SSL Certificate.
  • It also displays the name of the certificate holder and issuing CA in the address bar.
  • This visual reassurance has helped increase consumer confidence in e-commerce.
Code Signing Certificates:
  • Are certificates specifically designed to ensure that the software you have downloaded was not tampered with while en route.
  • Many cybercriminals tamper with software available on the Internet.
  • They may attach a virus or other malicious software to an innocent package as it is being downloaded.
  • These certificates make sure that this doesn’t happen.

Authentication is third-party verification of a Web site’s identity to establish trust.
Before Web visitors share username and password, payment information, or other personal data, they need to know that they can trust the Web site requesting it.
A company logo or brand name is not enough since these can be faked.
To protect against fraud and phishing sites, Web visitors look for proof that your business entity and Web site are legitimate.
This can be provided by a DigiCert SSL Certificate. Similar to the way a government agency verifies a birth date before issuing an identification card, an SSL provider (Certificate Authority) verifies an organization’s right to use a domain name and other required identification information.
SSL Certificates are uniquely issued to a specific domain and Web server.

Authentication and Encryption Explained:
  • Some CAs believe that encryption is enough to ensure a secure Web site and to build trust between you and your customers. But in fact, encryption is not enough; your Web site must be also authenticated, which will improve Web visitors’ trust in you and your Web site. Authentication means that a trusted authority can prove that you are who you say you are. To prove that your business is authentic, your Web site needs to be secured by best-of-breed encryption technology and authentication practices.
  • The Web presents a unique set of trust issues, which businesses must address at the outset to minimize risk. Customers submit information and purchase goods or services via the Web only when they are confident that their personal information, such as credit card numbers and financial data, is secure. The solution for businesses that are serious about e-commerce is to implement a complete e-commerce trust infrastructure based on encryption technology. Encryption, the process of transforming information to make it unintelligible to all but the intended recipient, forms the basis of data integrity and privacy necessary for e-commerce.

Authentication for new certificates could take as little as 1 hour or up to several days, depending on the verification information you provide and whether or not your certificates are pre-approved.
  • If your organization is the legal holder of the domain, you can expect to receive your certificate within 1 hour of your request.
  • Processing times for EV SSL Certificates may take longer due to additional verification requirements mandated by the Extended Validation (EV) SSL Guidelines.

  • Digicert first tries to authenticate your company’s management responsibility through publicly available domain name registration information.
  • If we cannot automatically authenticate your domain name control, we require an authorization letter from that domain’s owner.
  • This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for domains that do not belong to them.

When you request an SSL Certificate, DigiCert verifies the existence of your business, the ownership of your domain name, and your employment status or authority to request the SSL Certificate.
We may require official government documentation proving your right to do business. These may include:
  • Articles of Incorporation
  • Certificate of Formation
  • Charter Documents
  • Business License
  • Doing Business As
  • Registration of Trade Name
  • Partnership Papers
  • Fictitious Name Statement
  • Vendor/Reseller/Merchant License
  • Merchant certificate
Our authentication and verification procedures are based on more than 15 years of practice authenticating commercial businesses.
These procedures are audited annually by KPMG using Statement of Auditing Standard 70 Type II, established by the American Institute of Certified Public Accountants.

  • Certificate Authorities use different authentication methods and levels to verify information provided by organizations.
  • The most basic SSL Certificate only verifies domain name control, a low-level of authentication that may be used by fraudsters to make their sites appear trusted.
  • DigiCert, the leading Certificate Authority, secures more than one million Web servers worldwide and is well known and trusted because of our rigorous authentication methods and highly reliable infrastructure.
  • DigiCert SSL Certificates are issued with either full business authentication or Extended Validation (EV) authentication.
  • The DigiCert Trust Seal and Smart Seal verification page also includes the status of your daily malware scan.
Client certificates

S/MIME certificates prove the identity of online users by allowing you to sign and encrypt emails digitally. S/MIME certificates offer a proven encryption and authentication solution that secures the content of the email and embeds the sender's identity.
S/MIME Certificates

An icon in the message header shows whether the email is signed or encrypted: an encrypted email displays a lock icon, and a signed email displays an envelope icon. Clicking the icon shows the details of the certificate.
The Digital Signature badge on the receiver’s email.
Detailed information about your digital signature after clicking on the badge.

S/MIME utilizes cryptographic security features such as authentication, message integrity, and non-repudiation of origin (using digital signatures). S/MIME also helps enhance privacy and data security (using encryption) for electronic messaging.
Email Encryption
  1. The original message will get captured after the sender clicks on the send message button.
  2. Once the original message is captured, the encryption process uses the receiver’s public key.
  3. The original message is replaced by the encrypted message.
  4. Finally, the encrypted email is sent to the receiver.
Email Decryption
  1. The receiver will get the encrypted email in its original format.
  2. The encrypted message is captured and needs to be decrypted.
  3. The message is decrypted using a private key from the receiver.
  4. Once the intended recipient decrypts the message, it can be read.

If your certificate has expired, a message you send cannot be trusted by the recipient’s client software. Renew it or buy a new certificate.

Message Privacy - Email privacy protects your emails against unauthorized access. If your email is encrypted with S/MIME, then your emails are only readable by the intended recipient. Any message or documents from the emails will be confidential between the sender and receiver.
Message Integrity - S/MIME certificates ensure that the message in the inbox is the same message that the sender sent. When the receiver decrypts a message, the client verifies the email content to ensure the sender’s message is unchanged. If any change is found in the email, the decryption process fails, and hence S/MIME certificates help you maintain message integrity.
Tamper prevention - Your email will be safe from tampering if you encrypt it with S/MIME Certificates. It prevents malicious applications from editing your email and maintains integrity. It ensures receivers that the email they are about to open has not been tampered with and is safe for them to read.
Unaltered contents - Emails can't be modified when you encrypt them with S/MIME. S/MIME encrypted emails can only be read. The recipient will be notified if the original email is altered or modified in any way by an unauthorized third party.
Proof of authorship - It assures the recipient that the email they received is from the original sender. A signed email gives the recipient visible cues through a digital signature that guarantees email integrity and ensures message privacy. The digital signature proves the authorship of the sender.

  • Apple Mail
  • CipherMail (for Android mobile devices)
  • Gmail (G Suite Enterprise and G Suite for Education)
  • IBM Notes
  • iPhone iOS Mail
  • MailMate
  • Microsoft Outlook and Outlook on the Web (formerly Outlook Web App)
  • Mozilla Thunderbird
Document Signing certificates

A digital signature is an encrypted hash of a message that can be decrypted by anyone who has a copy of your public key. Digital signatures improve the security and ease of document sharing; they have also increased the productivity of numerous businesses worldwide.

Digital certificates are used for various purposes. SSL Certificates, a type of digital certificate, are used to secure domains. However, digital certificates can also secure documents, software, emails, and more. Ask a DigiCert representative about what kinds of digital certificates could simplify your life and provide you added security.

Digital certificates carry information much like an ID card, except in digital form so it can be transferred quickly. A digital certificate identifies the certificate holder (individual or organization) so that the identity can be relied on. Certificate Authorities such as DigiCert validate the authenticity of those who apply for a digital certificate before issuing the certificate to you.
Digital certificates utilize public-key cryptography. This means a public key and a private key are used together to ensure security and privacy. Digital certificates for secure emails start with the sender, who uses the recipient’s public key to encrypt the message. Then, the recipient uses their private key to decrypt the message. Digital certificates for software and larger files also rely on encryption, but first the file is passed through a hashing algorithm and made into a message digest. The message digest is encrypted with the sender’s private key. The resulting digital signature is then attached to the file.
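As an added example that is not the page’s or DigiCert’s own code, the Go program below carries the email encryption and decryption steps above and this paragraph’s sign-then-verify flow through with the standard library: Alice and Bob are hypothetical parties with constructed keys, Bob’s public key seals a message that only his private key opens, and a digest of the message signed with Alice’s private key fails to verify after a single bit is changed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one email user: the public key is what their certificate carries,
// the private key never leaves them.
type Party struct{ key *rsa.PrivateKey }

// NewParty generates a fresh 2048-bit RSA key pair (constructed, not a real identity).
func NewParty() *Party {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Party{key: k}
}

func (p *Party) Public() *rsa.PublicKey { return &p.key.PublicKey }

// Encrypt is the sender's side of the encryption steps: the message is sealed
// with the recipient's public key. (S/MIME seals a per-message symmetric key
// this way; a short message is encrypted directly here to keep the example small.)
func Encrypt(recipient *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
}

// Decrypt is the recipient's side: only the matching private key opens it.
func (p *Party) Decrypt(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, ct, nil)
}

// Sign hashes the data into a message digest and signs the digest with the
// sender's private key; the digest, not the whole file, is what is signed.
func (p *Party) Sign(data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, p.key, crypto.SHA256, digest[:])
}

// Verify recomputes the digest and checks the signature against the sender's
// public key. Any change to data changes the digest, so verification fails.
func Verify(sender *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	alice, bob := NewParty(), NewParty() // hypothetical sender and recipient
	msg := []byte("Invoice #1234 is attached (constructed sample message)")
	ct, _ := Encrypt(bob.Public(), msg)
	pt, _ := bob.Decrypt(ct)
	sig, _ := alice.Sign(msg)
	tampered := append([]byte{}, msg...)
	tampered[0] ^= 1 // flip one bit of the message
	fmt.Println("recipient recovered message:", string(pt) == string(msg))
	fmt.Println("signature valid:", Verify(alice.Public(), msg, sig))
	fmt.Println("signature valid after tampering:", Verify(alice.Public(), tampered, sig))
}
```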

Two-factor authentication is authentication taken to the next level. To sign documents, you must enter your two methods of authentication. You have likely seen people entering secure locations with a retina scan, fingerprint scan, voice authentication, or even facial recognition in various movies. These are methods of authentication. The two-factor authentication that DigiCert utilizes includes a password and a USB token, which is more cost-effective for you but still very secure. This protects your digital certificates and provides you with peace of mind that no one can sign documents with your certificate.

CDS is an abbreviation for Adobe’s Certified Document Services, which has been around since 2005. This document service is being phased out. The program automatically trusts new digital IDs if their roots chain to the Adobe Root Certificate. The new document signing that DigiCert offers is one of Adobe’s latest document offerings.

A digital signature is like showing your ID, and an e-signature is like a scribble on paper. Anyone could type an e-signature, whereas a digital signature has high assurance and password protection. If your digital signature is modified by anyone else, your PDFs will warn your recipients.
3 Levels of E-signatures:
  1. Image of your signature - easily forged.
  2. Typed signature - easily forged.
  3. Digital signature - nearly impossible to forge!

Only your certificate(s) are saved on your token—not your signed documents. Save your documents to your computer or in another safe location.

Adobe checks the certificate’s validity, including expiration and revocation. Next, Adobe checks to see if the document has been altered during transmission. Lastly, Adobe checks the certificate’s root, or in other words, if the certificate is from a trusted and approved provider. DigiCert is one of the carefully selected providers on the Adobe Approved Trust List.
Code Signing certificates

No, a Code Signing certificate is tied to your Organization Name only. Our system requires the Common Name you are prompted to accept, but we will replace it in our system with the Organization Name you have entered in your CSR so that the correct details will be displayed when the signature on the code is viewed.

No, Digicert does not limit you to any specific number. You can sign as many applications with a Code Signing Certificate as you wish, provided that the applications are used for and distributed by the organization that owns the certificate.

Yes, the Thawte Code Signing Certificates are chained. The Code Signing Certificates are signed by the Thawte Code Signing CA Intermediate Certificate, chained to the Thawte Primary Root CA certificate.

Whenever an application attempts to access your system, it has the potential to do anything, expected or unexpected. To safeguard users, any code seeking additional privileges must be signed. The certificate displayed identifies the developer or organization deploying that code. The signature also prevents the code from being tampered with and redeployed.

Your browser creates the required files during the enrollment process (except in the case of a JavaSoft Certificate). Our verification team then sets about verifying the details contained in the certificate request submitted to us once the enrollment has been completed. As soon as the details have been verified thoroughly, you are issued a DigiCert Code Signing certificate tied to your organization.

Digicert is a trusted certificate provider. We do not make or support any software. We are more than happy to help wherever certificates are used. However, in the case of software-specific issues, we may not always be able to help. The best people to contact will always be your software vendor.

Code Signing certificates are valid for 1 to 3 years, depending on which life cycle you choose while purchasing the certificate.
You should also timestamp your signed code to avoid your code expiring when your certificate expires.

Digicert timestamp services allow you to timestamp your signed code. Timestamping ensures that code will not expire when the certificate expires because the system validates the timestamp. If you use the timestamping service when signing code, your code’s hash is sent to the timestamp server to record your timestamp. A user’s software can distinguish between code signed with an expired certificate that should not be trusted and code signed with a Certificate that was valid at the time the code was signed but has subsequently expired.
Please specify the timestamp server URL you need when you sign your code. Digicert provides you with both SHA-1 and SHA-256 RFC 3161 timestamping URLs. The timestamp server validates the date and the time that the file was signed. Therefore, the certificate can expire, but the signature will remain valid for as long as the file is in production. A new certificate is only necessary if you want to sign additional code or re-sign code that has been modified.
If you do not use the timestamping option during the signing, you must re-sign your code and re-send it to your customers.
To verify if your file has been timestamped, you can use the verifying commands in our knowledge base articles. The date and time will be displayed when the file has been timestamped. No dates or a warning will appear when the file has NOT been timestamped.
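As an added example rather than DigiCert’s tooling, this Go program shows the rule a verifier applies to timestamped code: the Timestamp type is a simplified stand-in for an RFC 3161 token, and the certificate dates and file bytes are constructed. With a trusted timestamp the signature is judged against the certificate’s validity at signing time; without one it is judged against the certificate’s validity now.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Timestamp is a simplified stand-in for an RFC 3161 timestamp token: the
// timestamp server's attestation that it saw this digest at this instant.
type Timestamp struct {
	Digest   string    // hex SHA-256 of the signed file, as sent to the server
	SignedAt time.Time // the time the server recorded
	Trusted  bool      // whether the server's own signature and chain verified
}

// SignerCert is the validity window of the code signing certificate.
type SignerCert struct{ NotBefore, NotAfter time.Time }

// DigestForTimestamp is what the signing tool sends to the timestamp server:
// the hash of the code, never the code itself.
func DigestForTimestamp(code []byte) string {
	sum := sha256.Sum256(code)
	return hex.EncodeToString(sum[:])
}

// SignatureStillTrusted decides, as of now, whether a signature made with cert
// over code may be trusted. With a trusted timestamp that matches the code,
// the question is whether cert was valid when the code was signed. Without
// one, cert must still be valid now, so the signature dies with the certificate.
func SignatureStillTrusted(cert SignerCert, code []byte, ts *Timestamp, now time.Time) (bool, string) {
	if ts != nil && ts.Trusted && ts.Digest == DigestForTimestamp(code) {
		if ts.SignedAt.Before(cert.NotBefore) || ts.SignedAt.After(cert.NotAfter) {
			return false, "timestamp shows the code was signed outside the certificate's validity"
		}
		return true, "timestamped while the certificate was valid"
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false, "certificate expired and no usable timestamp"
	}
	return true, "certificate currently valid (no timestamp needed yet)"
}

func main() {
	cert := SignerCert{ // a 3-year certificate (constructed dates)
		NotBefore: time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:  time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC),
	}
	code := []byte("constructed sample installer bytes")
	signed := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC)
	ts := &Timestamp{Digest: DigestForTimestamp(code), SignedAt: signed, Trusted: true}
	later := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // checked after the certificate expired
	fmt.Println(SignatureStillTrusted(cert, code, ts, later))
	fmt.Println(SignatureStillTrusted(cert, code, nil, later))
}
```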