Secure Certificates Explained

Old door lock

The SSL certificate sits behind the padlock on a https web page. It is what allows a web page to be encrypted.

Why do we have SSL certificates?

There are 2 reasons

Encryption: Scrambles the data so it is only able to be read by the browser and the server.

Identity: To verify who you are. You are not on a sever pretending to be someone else

How SSL Certificates Work

A browser attempts to connect to a web site secured with SSL. The browser requests that the web server identify itself. The browser wants make sure it is talking to the right server.

The next step is to work out which cipher suite should be used. There are many different methods of encrypting data so it is important they "speak the same language.

The next step is exchanging keys. They browser and the swap keys so they can unlock data from each other.

Certificate signing

Each certificate can be self signed or signed by a third party.

A self signed certificate can be cryptographically strong. They are also free. The data between the browser and server is sufficiently scrambled to keep prying eyes away. However there is no way of verifying the identity server. That's why browsers will often give a warning about self signed certificates and ask if you trust the certificate.

A self signed certificate can be safe and secure as long as you trust the identity of the server.

Third party certificates can be issued by companies such as Thawte, Comodo, GoDaddy, or GeoTrust, Verisign etc.

They will go through a level of verification before they issue a certificate. The more information you provide the issuer, the stronger the proof of your identity. This raises the trust value of the certificate.

Types of certificates

Self signed

These can ensure a strong, secret connection between 2 computers but there is no way of verifying the identity of the server. You have to trust that they are who they say they are.

DV Certificates

Domain validated or DV certificates are the most common type of SSL certificate. They are verified using only the domain name. The certificate authority checks that the person who owns the domain name is the same person who is installing the certificate. Typically, the certificate authority checks with a confirmation email with an address listed in the domainΓÇÖs WHOIS record.


Organisation Validated (OV) SSL Certificates requite more validation and more trust. The certificate authority will try to verify at an organisational level. This means you may be required to submit documentation such as bank statement, copies of your business registration. The level depends on the certificate authority.


Extended Validation SSL is the highest level. In some browsers, this will show up as a green bar and the organisation name. They lend more credibility to your site and increases visitor trust. There is a stronger vetting process to verify who you are.

Do I need one?

That depends. If you have a login page or webmail on your server then a self signed certificate will do the job.

If you want others to login and use passwords, it can be done with a self signed certificate but users will get warning messages about unsafe/unverified certificates. A DV certificate will do the job.

For an ecommerce site, use at the very least a DV certificate. An OV or EV are better because ecommerce is about trust. People will buy from trustworthy sites.

We don't recommend you keep or store credit card details on your server no matter how strong your certificate is. Those details should always be stored on PCI DSS compliant server. Getting PCI DSS compliance is quite and expensive and thorough process. We recommend a third party such as a bank or an e commerce gateway like Paypal, Eway or Pin Payments to handle credit cards.

Certificates vary according to features and price. We can help you choose the right certificate for your needs.


Posted in Security on Feb 08, 2017