In a fast-paced hybrid-multi-cloud world where remote work and online communications are the norm, increasingly sophisticated cyberattacks continue to disrupt enterprises on a daily basis.
Crucially, to mitigate the risks, enterprises must protect the sensitive data being shared online. This requires SSL certificates, the gold standard to authenticate the identity of a website and ensure secure, encrypted communications over the internet.
But what exactly does this look like and how do SSL certificates benefit an enterprise?
SSL stands for Secure Sockets Layer, and these certificates are also referred to as TLS (Transport Layer Security) certificates. Issued by Certificate Authorities (CAs), SSL certificates create safe connections between a server and a browser. They’re powered by public key infrastructure (PKI) cryptography, which has kept sensitive data private and secure for organizations for more than 50 years.
PKI relies on two sets of keys, one private and one public, to encrypt and decrypt information exchanged online without giving access to unauthorized users. Think of a PKI-based certificate like a digital passport — SSL/TLS is the ‘S’ in ‘HTTPS’ that shows a visitor of a website it is safe and secure.
Who needs SSL certificates? In the past, the answer to this question was quite different. An enterprise could get away with simply having a certificate on its login or payment pages. Today, with the massive amounts of users and the machines they leverage (software, devices, bots, etc.) – aka human and machine identities – communicating online, the reality is every website needs a certificate. Browsers are moving to the idea that security is the default. It doesn’t matter if the website is an e-commerce site asking for credit card information, or a personal blog with little to no data collection. The benefits are real for everyone:
- Increase Website Transaction Rates: Research shows that visitors who see trust indicators in a company’s address bar are more likely to transact and associate positive attributes like superior customer service and trustworthiness to the business.
- Eliminate Web Browser Security Warnings: Firefox and Google Chrome require all web pages to be encrypted by SSL certificates. Any page that does not have a certificate will receive a “Not secure” warning to visitors.
- Boost SEO Ranking: SSL certificates are a simple and cost-effective way to boost a site’s SEO. Popular search engines improve the search rankings of SSL pages algorithmically.
- Maintain Compliance: Businesses can be penalized if they do not meet the regulatory and industry standards to protect personally identifiable information (PII), personal health information (PHI), credit card numbers, and other sensitive data.
- Enable Modern Browser Features: Browsers are increasingly tying newer features to the requirement for ‘secure contexts’ where sites and pages need to use certificates in order for those features to function correctly.
Categories of SSL Certificates
There are several different SSL certificate types for any enterprise need, the main differentiator being the level of authentication by the CA.
- Domain Validation (DV) SSL Certificates: This is the fastest, easiest, and most cost-effective solution to industry-standard encryption. DV certificates require proof of ownership for the secured domain and can be issued within minutes. These certificates display trust indicators in browsers like the padlock icon and the ‘https://’ string before the domain name. Since these are the easiest certificates to obtain, the legitimacy of the organization is not vetted by the CA, therefore they are not recommended for business websites. Rather, they are ideal for internal sites and test domains and servers.
- Organization Validation (OV) SSL Certificates: OV certificates are the next step up from DV certificates because an organization must prove it is the owner of the domain it wants to secure and confirm it’s a legally registered business. OV certificates can only be issued to registered organizations, not individuals. This makes them ideal for public-facing websites. OV certificates can be issued in one to three days.
- Extended Validation (EV) SSL Certificates: These certificates are the industry standard, providing the highest level of digital trust for business websites. They provide all the trust indicators of DV and OV certificates, in addition to a green address bar in select browsers that displays the authenticated company name in green next to the web address. Website owners must go through a stricter vetting process which is conducted by a human specialist. EV SSL certificates are recommended for all business sites, especially ones that ask for personal information from users because website visitors who see the green address bar are more likely to make online transactions. These certificates can be issued in one to five days.
There are also a variety of SSL certificate variations to choose from, based on a website’s number of pages, domains, and subdomains. These include:
- A standard single SSL certificate: As the name suggests, these are issued for just one domain name.
- A multi-domain SSL certificate: These can secure up to 250 domains, including subdomains, and are available in DV, OV, and EV validation options.
- A wildcard SSL certificate: Wildcard certificates can secure the main domain and an unlimited number of subdomains under the main domain. These are available in DV and OV options.
How Long Are SSL Certificates Valid?
The industry surrounding certificates is tightly regulated by groups such as the CA/B Browser Forum, and certificates must be renewed every 398 days (or sooner). SSL certificate subscriptions are available for up to a five-year period. It’s important to note the actual certificate in the subscription is still only valid for a maximum of 398 days.
A Macro-Level View
Now let’s put SSL certificates into the grand scheme of today’s modern enterprises. They are just one of several digital certificate types enterprises rely on to establish digital trust.
As enterprises fully embrace remote and hybrid work environments and security perimeters are massively expanding far beyond corporate firewalls, securing and authenticating all human and machine identities requesting access to networks is mission-critical to conducting business securely.
As such, digital certificates can also be used to manage multiple aspects of a user’s (human or machine) digital identity –anything from age, address, and email address, to digital signature, geo-location and more. Without going into all the technical details about the many other certificate types used today, think of it this way: certificates secure the digitization of many new businesses processes like:
- Securing cloud environments
- Using digital signatures to ensure trust in documents, emails, and code
- Securing DevOps containers
- Hyper-automation initiatives like Robotic Process Automation
The list goes on. With this explosion of identities requiring certificates, it’s critically important for businesses to effectively manage the certificates within their environments, regardless of which CA they originated from. This requires automated Certificate Lifecycle Management (CLM). Enterprises can’t rely on outdated or manual approaches like spreadsheets, because just one certificate outage can lead to devastating damage and loss of revenue and reputation (like the recent outage caused by Spotify’s failure to renew an SSL certificate).
Establishing digital trust today requires an identity-first security approach. From enabling secure online communications via SSL certificates to remotely signing documents, digitally signing emails, securing bots and DevOps containers – and in the very near future, navigating the new world of Web3 and the metaverse — digital certificates are front and center.
Nick France, CTO of SSL, Sectigo
Photo by regularguy.eth on Unsplash