SSL Certificates FAQ
SSL Basics
Questions
What is Secure Sockets Layer (SSL)?
What is Public Key Infrastructure (PKI)?
What is Extended Validation (EV) SSL?
What is Server-Gated Cryptography (SGC)?
What is a Certification Authority (CA)?
What is a Certificate Signing Request (CSR)?
Can I secure multiple servers with a single certificate?
How do I download the VeriSign Secured Seal for my Web site?
Can I try an SSL Certificate before purchasing?
Answers
What is Secure Sockets Layer (SSL)?
The Secure Sockets Layer protects data transferred
over HTTP using encryption enabled by a server’s SSL Certificate. An
SSL Certificate contains a public key and a private key. A public key
is used to encrypt information and a private key is used to decipher
it. When a browser points to a secured domain, an SSL handshake authenticates
the server and the client and establishes an encryption method and a
unique session key. The two can then begin a secure session that guarantees
message privacy and message integrity.
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure is the network security
architecture of an organisation. It includes software, encryption technologies
and services that enable secure transactions on the Internet, intranets
and extranets.
What is Extended Validation (EV) SSL?
In 2006, a group of leading SSL Certificate
Authorities (CAs) and browser vendors approved standard practices for
certificate validation and visibility called the Extended Validation
Standard (known during development as 'High Assurance'). To issue an
SSL Certificate that complies with the standard, a CA must adopt the
extended certificate validation practice and pass an audit. When shoppers
visit a Web site secured with an EV SSL Certificate, new high-security
browsers will trigger the address bar to turn green and display the
name of the organisation listed in the certificate as well as the Certificate
Authority. The browser and the Certificate Authority control the display,
making it difficult for phishers and counterfeiters to hijack your brand
and your customers.
What is Server-Gated Cryptography (SGC)?
U.S. government restrictions on U.S. vendors
prevented the export of “strong” cryptography several years ago. As
a result, many people purchased computers or downloaded export-version
browsers supporting only 40- or 56-bit SSL encryption. Microsoft developed
"Server Gated Cryptography" ("SGC") and Netscape
developed "step-up" technology to enable 128-bit SSL encryption
with export browser versions.
SGC allows users with an export-version browser
to step up temporarily to 128-bit SSL encryption if they visit a Web
site with an SGC-enabled SSL Certificate. Without an SGC certificate
on the Web server, Web browsers and PCs that do not support 128-bit
strong encryption will receive only 40- or 56-bit encryption.
What is a Certification Authority (CA)?
When VeriSign issues an SSL Certificate, we
act as a Certificate Authority (CA). VeriSign digitally signs each certificate
we issue. Each browser contains a list of CAs to be trusted. When the
SSL handshake occurs, the browser verifies that the server certificate
was issued by a trusted CA. If the CA is not trusted, a warning will
appear. When high security browsers recognise an Extended Validation
SSL Certificate, they display the name of the CA next to the browser
bar. VeriSign is one of the most trusted CAs on the Internet. (See VeriSign
Secured Seal Research Review.) The VeriSign Trial Root CA
is for testing purposes only and is not included in any browser’s trust
list.
What is a Certificate Signing Request (CSR)?
The CSR is a string of text generated by your
server software. You provide this string of text to VeriSign during
the enrolment process. To generate a CSR, you will need to know what
kind of server software is running on your Web server.
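
The CSR and CA answers above, as an added example that is not part of the original FAQ and not VeriSign's tooling: it uses the OpenSSL command line to create a CSR, has a throwaway test CA sign it, and shows the resulting certificate being accepted only when the issuing CA is in the verifier's CA list. The host name, organisation and both CA names are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names (www.example.test, the two test CAs) are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server side: generate a key pair and a CSR. The CSR is PEM text holding the
# requested subject and the public key; server.key stays on the server.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=US/O=Example Org/CN=www.example.test" 2>/dev/null
}

# Confirm the CSR's self-signature, then print the subject it asks for.
csr_subject() {
    openssl req -in "$WORK/server.csr" -noout -verify 2>&1 |
        grep -q "verify OK" || return 1
    openssl req -in "$WORK/server.csr" -noout -subject
}

# Stand-in for a CA: a self-signed root. $1 = file prefix, $2 = common name.
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# CA side: sign the CSR, producing the server certificate.
sign_csr() {
    openssl x509 -req -in "$WORK/server.csr" -days 1 \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.pem" 2>/dev/null
}

# Client side: $1 is a PEM file playing the role of the browser's CA list.
trusted_by() {
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

make_csr
csr_subject
make_ca ca "Example Test Root CA"
make_ca other "Unrelated Test CA"
sign_csr
trusted_by "$WORK/ca.pem" && echo "issuer in CA list: accepted"
trusted_by "$WORK/other.pem" || echo "issuer not in CA list: rejected"
```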
Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits
customers from using a certificate on more than one physical server
or device at a time, unless the customer has purchased the Licensed
Certificate Option. When private keys are moved among servers - by disk
or by network - accountability and control decrease, and auditing becomes
more complex. By sharing certificates on multiple servers, enterprises
increase the risk of exposure and complicate tracing access to a private
key in the event of a compromise. VeriSign’s licensing policy allows
licensed certificates to be shared in the following configurations:
redundant server backups, server load balancing and SSL accelerators.
See Licensing VeriSign Certificates: Securing Multiple Web Server and
Domain Configurations for more information.
How do I download the VeriSign Secured Seal for my Web site?
The VeriSign
Secured Seal is available for display on any Web page within
a domain secured by a VeriSign
SSL Certificate. Whether you are a new or existing customer,
you can download and install the VeriSign Secured Seal on your server.
A JavaScript snippet verifies your common name and displays the seal. When site
visitors click on the seal, they receive a dynamically generated verification
page specific to your certificate. The Secured Seal may take up to 2
hours to display the first time you install it for any given common
name.
Can I try an SSL Certificate before purchasing?
You can test SSL in a pre-production server
environment with a trial SSL Certificate free for 14 days. SGC-enabled
and Extended Validation SSL Certificates are not available in a trial
version. Learn
more about our Free SSL Trial.