Server certificates are known as SSL/TLS certificates. It verifies and validates the identity of the certificate holder or applicant before authenticating it. It also establishes an encrypted communication channel and switches the protocol to HTTPS once installed on the server.
Table of Contents
What is SSL certificate
Server certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).
A server certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.
Technically, any website owner can create their own server certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.
Get Your Free Linux training!
Join our free Linux training and discover the power of open-source technology. Enhance your skills and boost your career! Learn Linux for Free!How does the SSL Certificate work?
- A browser or server attempts to connect to a website (i.e. a web server) secured with SSL. The browser/server requests that the web server identify itself.
- The web server sends the browser/server a copy of its SSL certificate.
- The browser/server checks to see whether or not it trusts the SSL certificate. If so, it sends a message to the web server.
- The web server sends back a digitally signed acknowledgement to start an SSL encrypted session.
- Encrypted data is shared between the browser/server and the web server.
How to get a SSL Certificate
- generate a key pair
- use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
- upload the request to a certificate authority
- download the certificate and install it on our web server along with the key pair
Why should we choose a paid SSL certificate?
Type of SSL Certificate
Free SSL certificates only come with a Domain Validation (DV) option. DV certificates are used only for providing a basic level of authentication. Usually, they are used for platforms such as small websites and blogs. Free SSL certificates don’t have the provision for Organization Validation (OV) and Extended Validation (EV) certificates. Whereas the paid SSL certificates do come with OV & EV options, which are absolutely necessary for protecting business websites.
Level of Validation
When it comes to verifying a website owner’s business details before issuing a free certificate, CA does not validate anything apart from the identity of the website owner. While in the case of paid SSL certificates, verification of the identity of the website owner is a must before issuing the certificate to the site owner and in the case of OV & EV certificates, in-depth verification of the business is carried out by the certificate authority (CA).
Validity Period
Free SSL certificates provided by popular CAs are issued for 30-90 days. As a result, the website proprietor must renew the certificate every 30-90 days. In the case of paid certificates, they can be issued for a period of 1-2 years.
Support
The certificate authorities (CAs) and resellers of paid certificates are committed to providing round the clock support to their customers. Those customers get to choose whichever type of support they want, be whether its chat, email or call. On the other hand, free CA’s don’t assist their customers with such remarkable support because they can’t afford to. If you need help with an issue regarding free SSL, you’re going to have sifted through a bunch of old forum posts to find it.
how to choose an SSL certificate
When choosing an SSL certificate, it is important to consider the type of encryption that is used. RSA is more widely used, but ECDSA is becoming increasingly popular due to its security features.
Another important factor to consider is the length of the certificate’s signature. The longer the signature, the more secure the connection will be. However, longer signatures can also lead to slower performance.
Finally, you should also consider the price of the SSL certificate. In most cases, you can find a good SSL certificate for a reasonable price.
Example of SSL Certificate
We can use openssl s_client command to check whether the certificate is valid, trusted, and complete.
openssl s_client -connect : This opens an SSL connection to the specified hostname and port and prints the server certificate.
openssl s_client -connect : -showcerts : Prints all certificates in the certificate chain presented by the SSL service. Useful when troubleshooting missing intermediate CA certificate issues.
If there is a connection problem reaching the domain, the OpenSSL s_client -connect command waits until a timeout occurs and prints an error, such as connect: Operation timed out.
$ openssl s_client -connect google.com:443
CONNECTED(00000005)
depth=3 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
Check who has issued the SSL certificate:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer
issuer= /C=US/O=Let's Encrypt/CN=R3
Check whom the SSL certificate is issued to:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -subject
subject= /CN=www.howtouselinux.com
Check for what dates the SSL certificate is valid:
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT
Show the all above information about the SSL certificate
$ echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
echo | openssl s_client -servername www.howtouselinux.com -connect www.howtouselinux.com:443 2>/dev/null | openssl x509 -noout -issuer -subject -dates
issuer= /C=US/O=Let's Encrypt/CN=R3
subject= /CN=www.howtouselinux.com
notBefore=Aug 8 04:49:59 2021 GMT
notAfter=Nov 6 04:49:57 2021 GMT
- Exploring SSL Certificate Chain with Examples
- Understanding X509 Certificate with Openssl Command
- OpenSSL Command to Generate View Check Certificate
- Converting CER CRT DER PEM PFX Certificate with Openssl
- SSL vs TLS and how to check TLS version in Linux
- Understanding SSH Key RSA DSA ECDSA ED25519
- Understanding server certificates with Examples
Matiere47
Sunday 22nd of October 2023
Wow, this is a great website! The layout is user-friendly and visually appealing. I found your post really helpful, thank you for sharing such valuable information!"
Izolacja akustyczna samochodu
Tuesday 10th of October 2023
I just wanted to express my gratitude for this post. It has been immensely helpful in solving a problem I was facing. Thank you for sharing your knowledge and expertise!
Galeria Sztuki
Monday 4th of September 2023
Your post has provided me with valuable guidance and practical tips. I'm grateful for the effort you've put into creating such a resourceful piece. Thank you for sharing your expertise!