SSL Certificates - Frequently Asked Questions
Got questions? Well, you've arrived at the right place. Check out the frequently asked questions below regarding SSL Certificates. If you don't find the answer you're looking for, please give us a call at 888-818-0444!
- How does SSL protect my website?
- How do I know if I need SSL?
- How does encryption work?
- How is the data authenticated?
- Just getting started with SSL?
- What encryption strength do I need for my website?
- What is Server Gated Cryptography (SGC)?
- What will I need to provide in order for VeriSign to verify my business identity?
- How long does verification take?
- Can I secure multiple servers with a single certificate?
How does SSL protect my website?
The primary function of an SSL Certificate is to allow for the encryption of your visitor's private information when they submit it to you through a form. Each SSL Certificate contains unique and verified information about the certificate owner. A certificate authority (such as VeriSign or Thawte) verifies the identity of the certificate owner so the website visitor can have confidence that their information is being sent to the party they intended.
How do I know if I need SSL?
You need an SSL Certificate if you:
- have an online store or accept online orders and credit cards
- offer a login or sign in on your site
- process sensitive data such as address, birth date, license, or ID numbers
- need to comply with privacy and security requirements (HIPAA, PCI Compliance)
How does encryption work?
Think of making a phone call on a party line. Anyone listening to your conversation could eavesdrop on every word. An SSL Certificate establishes a private line of communication during the transmission of the information between the two points. Before the data is sent it is 'scrambled' in a nearly indecipherable manner to assure that only the recipient is capable of unscrambling it.
Each SSL Certificate consists of a public key and a private key. The public key is used to encrypt information and the private key is used to decipher it. When a Web browser points to a secured domain, a Secure Sockets Layer handshake authenticates the server (Web site) and the client (Web browser). An encryption method is established with a unique session key and secure transmission can begin. True 128-bit SSL Certificates enable every site visitor to experience the strongest SSL encryption available to them.
How is the data authenticated?
Every SSL Certificate is created for a particular server in a specific domain for a verified company. When the SSL Certificate reaches the server, the browser requires authentication information from the server. By clicking the closed padlock in the browser window or certain SSL trust marks (such as the VeriSign Secured Seal), the Web site visitor sees the authenticated organization name. In high-security browsers, the authenticated organization name is prominently displayed and the address bar turns green when an Extended Validation SSL Certificate is detected. If the information does not match or the certificate has expired, the browser displays an error message or warning.
Just getting started with SSL?
Our partners at VeriSign have created a Beginner's Guide to Digital SSL Certificates. This guide is helpful for gaining an understanding of online security options.
What encryption strength do I need for my website?
Best security practices are to install a unique certificate on each server and choose a True 128-bit Certificate by purchasing a Server Gated Cryptography (SGC)-enabled SSL Certificate. A unique certificate keeps your private keys protected, and an SGC-enabled certificate ensures that every site visitor, no matter what browser or operating system they use, connects at the highest level of encryption their system is capable of. You need 128-bit or better encryption if you process payments, share confidential data, or collect personally identifiable information such as Social Security or Tax ID number, mailing address, or date of birth. You need 128-bit or better encryption if your customers are concerned about the privacy of the data they send to you.
What is Server Gated Cryptography (SGC)?
Prior to January 2000, U.S. Government restrictions on U.S. vendors prevented the export of "strong" cryptography. As a result, many people purchased computers with operating systems and/or used export version browsers that supported only 40- or 56-bit SSL encryption. "Server Gated Cryptography" ("SGC") was developed to enable those restricted computers and export version browsers to "step up" to 128-bit SSL encryption. Without an SGC Certificate on the Web server, Web browsers and operating systems that do not support 128-bit strong encryption will receive only 40- or 56-bit encryption. Users with the following browser versions and operating systems will temporarily step up to 128-bit SSL encryption if they visit a Web site with an SGC-enabled SSL Certificate:
- Internet Explorer export browser versions from 3.02 but before version 5.5
- Netscape export browser versions after 4.02 and up through 4.72
- Windows 2000 systems shipped prior to March 2001 that have not downloaded Microsoft's High Encryption Pack or Service Pack 2 and that use Internet Explorer
Internet Explorer browser versions prior to 3.02 and Netscape browser versions prior to 4.02 are not capable of 128-bit encryption with any SSL Certificate.
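The 128-bit floor discussed in the two answers above can also be checked and enforced on the server's own cipher configuration. This is an added example, not part of the original FAQ or VeriSign's tooling: the cipher string, helper names and the legacy suite list are assumptions chosen for illustration.

```python
import ssl

MIN_BITS = 128  # the "128-bit or better" threshold from the text

def weak_ciphers(ciphers, min_bits=MIN_BITS):
    """Names of suites whose symmetric key strength is below min_bits."""
    return sorted(c["name"] for c in ciphers if c["strength_bits"] < min_bits)

def hardened_server_context():
    """Server context that cannot negotiate below 128 bits with any client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; TLS 1.3 suites are added by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx

def audit(ctx, min_bits=MIN_BITS):
    """Weak suites enabled on a live context (empty list means none)."""
    return weak_ciphers(ctx.get_ciphers(), min_bits)

# Constructed entries in the shape of SSLContext.get_ciphers() output,
# standing in for an export-era server configuration.
LEGACY_SUITES = [
    {"name": "EXP-RC4-MD5", "strength_bits": 40},
    {"name": "DES-CBC-SHA", "strength_bits": 56},
    {"name": "AES128-SHA", "strength_bits": 128},
]

if __name__ == "__main__":
    print("legacy:", weak_ciphers(LEGACY_SUITES))
    print("hardened:", audit(hardened_server_context()))
```

With the floor enforced server-side, a client that supports nothing stronger than 40- or 56-bit suites fails the handshake instead of connecting weakly.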
What will I need to provide in order for VeriSign to verify my business identity?
VeriSign must verify the existence of your business, the ownership of your domain name, and your employment status or authority to request the SSL Certificate. We may require official government documentation proving your right to do business. These may include:
- Articles of Incorporation
- Certificate of Formation
- Charter Documents
- Business License
- Doing Business As
- Registration of Trade Name
- Partnership Papers
- Fictitious Name Statement
- Vendor/Reseller/Merchant License
- Merchant Certificate
If we cannot automatically authenticate your company's management responsibility for the domain name that is associated with the SSL Certificate, we will require an authorization letter from that domain's owner. This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for inappropriate domains.
How long does verification take?
Authentication for new certificates could take as little as 1 hour or up to several days, depending on the verification information you provide and whether or not your certificates are pre-approved. VeriSign can authenticate your organizational and contact information and store the information's pre-approved status for future certificate requests when you purchase units using a VeriSign Certificate Center Enterprise Account. When you submit a certificate request that contains the authenticated information, VeriSign needs only to verify the domain. If your organization is the legal holder of the domain, you can expect to receive your certificate within 1 hour of your request. Processing times for Extended Validation SSL Certificates may take longer due to additional verification requirements mandated by the Extended Validation (EV) SSL Guidelines.
Can I secure multiple servers with a single certificate?
The VeriSign Certificate Subscriber Agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers - by disk or by network - accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign's Licensing Policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations (PDF) for more information.
In the case of RapidSSL Certificates and GeoTrust SSL Certificates, effective October 1, 2010, certificates are now sold under an unlimited server licence, which allows a single certificate to be used on multiple servers.