Quinn Labs: A website about building websites


How to get a TLS (SSL) certificate

Introduction

Because TLS certificates are based on complex mathematical principles of public-key cryptography, there is a certain, unavoidable level of intricacy to the process. This brief guide aims to make the process of getting your certificate as painless as possible.

Some key details to keep in mind (these may seem obvious, but getting them right is critical):

  • You’ll need to decide on the exact (“canonical”) domain name or names of your site. At a minimum, you should procure a dual-name certificate that covers both your bare domain and the “www” subdomain. (Example: example.com and www.example.com)
  • There’s a critical piece of information called the private key. It’s essential that it be kept private at all times. That means it should only be moved around through secure transmission methods, never in an email or instant message.
  • Other files relating to the TLS process, including the CSR (certificate signing request) and the certificate itself, are public information and are okay to send around by insecure means.

The process, step by step

The TLS (also known as SSL) certification process goes like this. It’s a little odd in that you buy the certificate before you even create the certificate signing request.

  1. You choose the domain name (such as example.com + www.example.com) that the certificate is to cover.
  2. You buy a certificate from a CA (certificate authority) like ssls.com.
  3. You collect the following basic contact information to incorporate into the CSR:
    • City or other locality
    • State or Province name
    • Organization name
    • Organizational unit (if any)
    • An email address for a technical contact or web manager
  4. With this information someone having the technical skills (like your web developer or sys admin) generates your server’s private key and CSR.
  5. You send the CSR to your CA, usually by pasting the text into a web form.
  6. The CA verifies you.
  7. The CA sends you your certificate.
  8. You install the certificate on your server.
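Steps 3 through 5 are the part your web developer or sys admin actually types. The following shell script is an added example, not code from the original article: it generates the server’s private key and a dual-name CSR with the openssl command-line tool, using constructed sample subject values (the organization, city and contact address are placeholders you would replace with your own). Note the two different files it produces: the .key file is the private key and stays on the server with restrictive permissions, while the .csr file contains only public information and is what you paste into the CA’s web form.

```shell
#!/bin/sh
# Added example (not from the original article): generate a private key and a
# dual-name CSR with openssl. All subject values below are constructed samples.
set -e

# gen_key_and_csr DOMAIN OUTDIR
# Writes OUTDIR/DOMAIN.key (private, mode 600) and OUTDIR/DOMAIN.csr (public).
gen_key_and_csr() {
  domain="$1"
  outdir="$2"
  mkdir -p "$outdir"

  # openssl request config: the subject fields collected in step 3, plus a
  # subjectAltName so the CSR asks for both the bare and the www name.
  cat > "$outdir/$domain.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
C = US
ST = California
L = San Francisco
O = Example Organization
OU = Web Operations
CN = $domain
emailAddress = webmaster@$domain

[ext]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF

  # Private key: created with owner-only permissions. It never leaves the
  # server except over a secure channel (see the note on private keys above).
  umask 077
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$outdir/$domain.key" 2>/dev/null

  # The CSR is signed with the private key but contains only public data;
  # this is the file you send to the CA.
  openssl req -new -key "$outdir/$domain.key" \
    -config "$outdir/$domain.cnf" -out "$outdir/$domain.csr"
}

# csr_covers CSRFILE NAME -> exit 0 if NAME appears in the CSR's subjectAltName.
# Useful to double-check the request before pasting it into the CA's form.
csr_covers() {
  openssl req -in "$1" -noout -text | grep -qE "DNS:$2(,|\$)"
}

# Usage: gen_key_and_csr example.com ./tls && csr_covers ./tls/example.com.csr www.example.com
```

Before submitting, `openssl req -in example.com.csr -noout -text` shows exactly what the CA will see; confirm that both names are listed under Subject Alternative Name, because a CA issues only for the names the CSR asks for.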

Different levels of ID verification (vetting)

Pricing varies depending on how much vetting of the domain owner the CA performs. The more vetting, the more cost. Some Web browsers indicate the level of vetting in the toolbar. For example, quinn.com uses a basic certificate that encrypts the connection and certifies that the domain name matches the certificate. The CA has not fully verified our identity.

Quinn Interactive Certificate

Financial institutions tend to use more fully verified certificates. See schwab.com, for example.

Charles Schwab Certificate

Which certificate to buy

At the vendor we’re using for our example, you have the following choices for dual-name certificates:

  1. RapidSSL
  2. QuickSSL
  3. True BusinessID
  4. True BusinessID with EV

From the standpoint of website visitors, the only one with a visual impact built into browsers is the “True BusinessID with EV”. That one will light up the “green bar” in the web browser, as described above. Therefore, you will most likely want either #1 or #4, as there is no compelling reason to choose the ones in between.

Certificate lifetime

Certificates are good for a limited number of years, so there is a periodic renewal/reinstallation/re-verification expense.

Wildcard certificates

If you want to cover a large number of server names in one domain, you can buy a wildcard certificate. Instead of providing a canonical domain name for a particular server, you’ll specify a wildcard, such as *.example.com. This will cover any subdomain of example.com. There are a few restrictions:

  • The “*” covers only one level of name. For example, blog.example.com would be covered, but not blog.tech.example.com.
  • Wildcard certificates cost quite a bit more, so it is more cost-effective to have separate certificates for a small number of discrete subdomains.
  • EV certificates are not available for wildcard domains.
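The one-level rule in the first restriction is easy to get wrong when planning host names. The small shell function below is an added example, not part of the original article: it applies the same matching rule a browser uses for a wildcard name (the “*” stands for exactly one label and never for the bare domain) so you can check a list of planned host names against a certificate name before buying.

```shell
#!/bin/sh
# Added example (not from the original article): does a certificate name,
# possibly a wildcard such as *.example.com, cover a given host name?
# Implements the one-label rule: "*" matches a single DNS label only.

# name_matches CERT_NAME HOST -> exit 0 if CERT_NAME covers HOST
name_matches() {
  pattern="$1"
  host="$2"
  case "$pattern" in
    '*.'*)
      suffix="${pattern#\*.}"          # e.g. example.com
      prefix="${host%.$suffix}"        # what is left once ".example.com" is removed
      # HOST must end in ".suffix" (so prefix differs from host and is non-empty)
      # and the remaining prefix must be a single label (no dot inside it).
      [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
      ;;
    *)
      # Plain (non-wildcard) certificate name: exact match only.
      [ "$pattern" = "$host" ]
      ;;
  esac
}

# Usage: check each planned host against the wildcard name.
# for h in blog.example.com blog.tech.example.com example.com; do
#   name_matches '*.example.com' "$h" && echo "covered: $h" || echo "NOT covered: $h"
# done
```

Two consequences worth noticing: a wildcard certificate for *.example.com does not cover example.com itself, so the bare domain still needs its own name on the certificate, and a second-level host such as blog.tech.example.com needs either its own certificate or a separate *.tech.example.com wildcard.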

Glossary

CA
Certificate Authority. An organization that issues certificates that web browsers recognize as valid.
certificate
See TLS certificate
CSR
Certificate Signing Request. A file containing information that a CA uses to create a TLS certificate.
SSL
Secure Sockets Layer. An old name for an early version of TLS. Commonly used as a synonym for TLS.
TLS
Transport Layer Security. A set of standards for maintaining secure internet connections.
TLS certificate
A file that, when combined with the private key on your web server, enables the web server to communicate securely with web browsers.
Web browser
Software that displays web sites on computers, tablets, or mobile devices. Examples: Chrome, Firefox, Safari, and Internet Explorer.
Web server
A computer that provides a web site on the internet.

About the Author

  • Fred Condo

    Fred has a Ph.D. in the Management of Information Systems and Cognitive Psychology from Claremont Graduate School, and is Chief Engineer at Quinn Interactive. He taught a graduate level class, “Principles of Usability” at the Academy of Art in San Francisco, and was an Assistant Professor in the Communication Design department at California State University, Chico for 6 years, teaching web development and human factors. Fred got into SilverStripe in 2008. He has made 35 commits to the SilverStripe framework repository, which makes him the 36th-most prolific contributor to the project (as of November 2014). You should follow him on GitHub here.
