At one look
What are the different types of SSL/TLS certificates?
SSL certificates are issued by official certificate authorities (CA). They verify the applicant and identify him as trustworthy. There are different types of certificates, which meet different requirements:
With this certificate, the certificate authority checks the applicant’s right to use a specific domain name. DV-SSL certificates can be issued very quickly because the certificate authority does not require any additional company documents.
In addition to the applicant’s right to use a specific domain, the certificate authority also checks some additional company information. A website with an OV SSL certificate shows the user more information about the operator of the website, imparting a greater level of trust.
In this case, the organization submitting the application is thoroughly vetted. The Guidelines for Extended Validation, published by the CA/Browser Forum in 2007, specify how the issuance process works. Organizations applying for this certification must verify, among other things, that the entity exists legally, materially and operationally, and has control over the domain.
A wildcard SSL certificate can be used to secure a base domain and any number of subdomains with a single certificate. This is usually much cheaper and less complex than having a separate certificate issued for each subdomain. For example, a Wildcard SSL certificate for the base domain example.com is also valid for login.example.com, mail.example.com or download.example.com.
How do businesses obtain an SSL/TLS certificate?
SSL certificates are generated and issued by a certificate authority. The trusted external organization also digitally signs the certificate with its own private key so that clients can verify it. After receiving the certificate, domain owners must install and activate it on the origin server. They should also ensure that the certificate is renewed in time to avoid the risk of it expiring and the encrypted domain becoming inaccessible.
However, this is becoming more and more of a hassle. In recent years, the maximum validity period of SSL certificates has steadily shortened. Initially, commercial certificates had a lifespan of up to five years, but in 2015 the maximum validity period was reduced to three years and finally to two years in 2018. Since fall 2020, SSL/TLS certificates have only been issued for up to 13 months. In addition, there are discussions about a general reduction of the validity period to a maximum of 90 days. Domain owners therefore have to worry about renewing their certificates at ever shorter intervals. Having a service provider automatically reissue the certificates can solve this problem.
How secure are SSL/TLS certificates?
Of course, even SSL/TLS certificates do not provide one hundred percent security. By exploiting vulnerabilities, attackers could prevent effective authentication and encryption via SSL/TLS. Entry points for possible attacks are:
Although resellers and hosting providers perform security audits before accepting a certificate authority, there is still a risk that criminals will attack such an authority and create arbitrary certificates on its behalf.
Intelligence agencies and investigative authorities can exploit vulnerabilities at certification authorities to eavesdrop on targeted connections using a valid certificate.
By using special intermediate CA certificates, attackers can hack into encrypted connections and analyze their content.
Some certificate authorities also handle the key generation. This poses a security risk, because the private key should be generated on the user’s own computer.
If the private key is stolen without the certificate holder being aware of it, attackers can use the key to decrypt encrypted data.