SSL certificates are issued by organizations known as Certificate Authorities (CAs). These CAs act as trusted validators, checking the identity and legitimacy of the individuals or organizations requesting a certificate.
There are various CAs, like DigiCert and Comodo, that provide these certificates. While most SSL certificates are paid, there are also free options available, such as those from Let's Encrypt.
Additionally, for those working on local testing environments, there's the option to create self-signed certificates. These are particularly useful for development and testing purposes.
SSL Certificate Validation Levels:
SSL certificates come in three types: Domain Validated (DV) for basic security, Organization Validation (OV) for moderate security, and Extended Validation (EV) for high security.
The best choice depends on your website's security needs.
DV SSL is best for personal project websites and is the least expensive option. It only requires the website owner to verify that they control the domain.
Validates control of a domain
Enables https and the padlock icon in browsers
Issued quickly
The Organization (O) and Organization Unit (OU) fields both display “”
The Certificate Policies field shows an Object Identifier (OID) value of OID.2.23.140.1.2.1. The Subject field only contains a Common Name (CN) value with the domain, for example: CN=albinsblog.com.
OV SSL is best for business or nonprofit websites and requires a higher verification level, making it more secure. The SSL certificate issuer verifies the address and location of the owner.
Validates control of the domain
Enables https and the padlock image
Authenticates the legitimacy of an organization, adding a level of trust
Shows organization details in the certificate information
Issued in 1–3 days
The Organization (O) field displays your organization’s name.
The Subject field includes information about the organization’s location (L), state (ST), and country (C), in addition to the organization (O) and common name (CN).
The Certificate Policies field shows an OID value of OID.2.23.140.1.2.2.
EV SSL is best for e-commerce businesses and businesses exchanging financial data as it offers the most protection. In addition, these certificates provide the highest monetary warranties to any website viewers affected by an SSL failure.
Validates control of the domain
Enables https and the padlock image
Authenticates the legitimacy of an organization, adding a level of trust
Verifies the applicant has the right to request an EV SSL and is in good standing with the organization.
Shows organization details in the certificate information
Issued in 1–5 days
The Organization (O) field displays your organization’s name.
The Subject field includes details about the organization’s location (L), state (ST), and country (C), the organization (O) and common name (CN), and additionally serialNumber, jurisdictionStateOrProvinceName and jurisdictionCountryName.
The Certificate Policies field shows an OID value of OID.2.23.140.1.1.
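The policy OIDs and Subject fields listed above can be checked mechanically. The following is an added example, not code from the original page: it reads the text dump of a certificate and reports the validation level, then checks that the Subject carries the fields described for that level. The function names are hypothetical, and it assumes the dump has the layout OpenSSL prints, with "Policy: <dotted OID>" lines and a single "Subject:" line.

```shell
# Added example: classify `openssl x509 -noout -text` output read on stdin.
# Assumes "Policy: <dotted OID>" lines and one "Subject:" line in the dump.
OID_DV='2.23.140.1.2.1'
OID_OV='2.23.140.1.2.2'
OID_EV='2.23.140.1.1'

# policy_oids: print each dotted OID found on a "Policy:" line.
policy_oids() {
  sed -n 's/^[[:space:]]*Policy:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p'
}

# validation_level: print EV, OV, DV or UNKNOWN. Whole-line fixed-string
# matching keeps 2.23.140.1.1 from matching inside a longer OID.
validation_level() {
  _oids=$(policy_oids)
  for _pair in "EV:$OID_EV" "OV:$OID_OV" "DV:$OID_DV"; do
    if printf '%s\n' "$_oids" | grep -Fqx "${_pair#*:}"; then
      echo "${_pair%%:*}"; return 0
    fi
  done
  echo UNKNOWN
}

# has_field SUBJECT NAME_REGEX: succeed if SUBJECT contains that attribute.
has_field() { printf '%s\n' "$1" | grep -Eq "(^|[ ,/])$2 ?="; }

# subject_fits LEVEL: succeed if the Subject carries the fields the page
# lists for LEVEL (DV: no O; OV: O and C; EV: also serialNumber, jurisdiction).
subject_fits() {
  _subj=$(sed -n 's/^[[:space:]]*Subject:[[:space:]]*//p' | head -n 1)
  case $1 in
    DV) ! has_field "$_subj" O ;;
    OV) has_field "$_subj" O && has_field "$_subj" C ;;
    EV) has_field "$_subj" O && has_field "$_subj" serialNumber &&
        has_field "$_subj" 'jurisdictionC(ountryName)?' ;;
    *)  return 1 ;;
  esac
}

# audit_dump: print "<level> consistent" or "<level> mismatch".
audit_dump() {
  _dump=$(cat)
  _level=$(printf '%s\n' "$_dump" | validation_level)
  if printf '%s\n' "$_dump" | subject_fits "$_level"; then
    echo "$_level consistent"
  else
    echo "$_level mismatch"
  fi
}
```

With the functions loaded, a PEM file (cert.pem is a placeholder name) is checked with: openssl x509 -in cert.pem -noout -text | audit_dump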
Methods for validating control of a domain:
Verification Email
DNS CNAME Record
DNS TXT Record
HTTP Practical Demonstration
Different types of SSL certificates are issued:
Single Domain
Wildcard SSL Certificates
Multi-Domain Certificates
Multi-Domain Wildcard
CSR (Certificate Signing Request)/Private Key:
A CSR is a file containing website and domain information for SSL/TLS certificates.
Certificate Authorities (CAs) use CSRs to issue SSL/TLS certificates for secure website connections.
CSRs include a public key and signature for identity verification.
Private keys are essential for TLS certificates to work.
The private key is created together with the CSR when you request a certificate.
Keep your private key confidential and accessible only to trusted administrators.
CAs like DigiCert don't create or have access to your private key.
The private key and SSL certificate are configured on the server for secure communication.
server.csr.cnf
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
# No CN is set in this section; add a CN= line with the domain the certificate is for.
C=US
ST=MN
L=Eagan
O=Tech Forum
OU=Marketing
emailAddress=admin@techforum.com
# -nodes writes server.key unencrypted, so restrict its file permissions.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf