What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates a website's identity and makes an encrypted connection possible. The abbreviation SSL stands for Secure Sockets Layer, the original name of the protocol that creates an encrypted connection between a web server and a web browser. Every version of SSL itself is deprecated today and the protocol actually negotiated is its successor, TLS (Transport Layer Security), but "SSL certificate" has stuck as the everyday name, and the two terms are used interchangeably below.
Companies and organizations need to add SSL certificates to websites to secure online transactions and keep customer data private and secure.
SSL/TLS secures Internet connections and prevents attackers from reading or modifying information passed between two systems. A padlock icon next to the web address in the browser's address bar means the connection is encrypted and the site presented a certificate the browser trusts. It does not mean the site itself is honest: attackers obtain perfectly valid certificates for their own domains too, so the padlock vouches for the connection, not for the operator.
How it encrypts and what risks it mitigates
The use of SSL/TLS ensures that data transmitted between users and websites, or between two systems, cannot be read or altered by a third party sitting on the path, which is exactly what a man-in-the-middle (MITM) attacker can do to an unencrypted connection. Two things have to hold for this. Encryption hides the data from a passive eavesdropper, and verification of the server's certificate stops an active attacker from impersonating the server and decrypting everything anyway; a client that skips the certificate check is still encrypting, but possibly to the wrong party. The protocol negotiates a cipher suite and then encrypts and integrity-protects all data passing between server and client, including potentially sensitive information such as names, addresses, credit card numbers, authentication data and financial data.
The process works roughly like this:
- The client (a browser, or a server acting as a client) opens a connection to a web server secured with SSL/TLS and sends a ClientHello listing the protocol versions and cipher suites it supports, together with the hostname it expects to reach (the Server Name Indication, SNI).
- The web server replies with its choice of parameters and a copy of its SSL certificate, normally bundled with the intermediate CA certificates that link it to a root.
- The client checks the certificate: the chain of signatures must end at a root in its trust store, the certificate must be within its validity period and not revoked, and its Subject Alternative Name must match the hostname the client connected to. If any check fails, the browser shows a warning to the user; nothing is reported back to the server.
- The web server proves it holds the private key that matches the certificate by signing the handshake so far (the CertificateVerify message in TLS 1.3), and both sides derive the session keys from an ephemeral key exchange.
- Each side sends a Finished message that authenticates the whole handshake; from this point on application data is shared encrypted between the client and the web server.
This process is the TLS handshake, still often called the SSL handshake. Although the description looks long, in reality it takes milliseconds, a single network round trip in TLS 1.3.
Public and private keys
As you know, the basis of all encryption is a key that is used to encrypt or read information. SSL/TLS uses asymmetric (public-key) cryptography with two kinds of keys:
- Public. This key is embedded in the SSL certificate, which is why the certificate can safely be handed to every visitor. Anyone can use it to verify signatures made with the matching private key and, in the older RSA key exchange, to encrypt a secret that only the server can read. For example, when a visitor enters a bank card number on the site and clicks the "Pay" button, the data is sent over HTTPS, encrypted with session keys that were established using the server's public key.
- Private. Required on the server to prove ownership of the certificate by signing the handshake and, with RSA key exchange, to decrypt the secret the client sent. Unlike the public key it is never transmitted and always remains on the server. If it leaks, an attacker can impersonate the site until the certificate is revoked and replaced.
Certificate authorities
The main source of SSL certificates is trusted certificate authorities (CAs). These are organizations whose root certificates, and so their well-known public keys, ship in the trust stores of browsers and operating systems, and that must follow the CA/Browser Forum's Baseline Requirements to stay there. In browsers you can usually see the list in the "Trusted Root Certification Authorities" section.
A certificate signed by such an authority is the CA's attestation that, at the time of issuance, the holder of the matching private key proved control of the domain name (and, for organization-validated or extended-validation certificates, that the organization's identity was also checked). Such a certificate is "trusted" because its signature chains to a root the client already trusts.
Signatures that are not trusted include:
- A self-signed certificate that the site owner issues to himself or herself. It still enables an encrypted connection, but nothing distinguishes it from a self-signed certificate an attacker would present, so it neither proves who runs the site nor protects against a man-in-the-middle. The browser warns the visitor that the connection is not secure.
- A certificate signed by an "untrusted" authority, one whose root is not in the browser's trust store. The certificate is still a signed claim, but the "verifier" behind it is unknown to the browser, which warns just as it does for a self-signed certificate. Often such authorities sell certificates to absolutely everyone without verifying domain control at all.
- A certificate issued by an authority that has lost trust, that is, a CA whose root was removed from the trust stores after misissuance, so that certificates it signed are rejected even though they were valid when issued.
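To make the handshake steps and the trusted-versus-self-signed distinction concrete, here is an added example that is not part of the original article: a shell script that creates a throwaway private CA, issues a certificate for the assumed hostname www.example.test, and then performs real TLS handshakes against a local OpenSSL test server, once as a client that trusts the CA, once expecting a different hostname, and once against a self-signed certificate for the same name. The hostname, the port 4433, the file names and the openssl (1.1.1 or 3.x) binary are assumptions; nothing touches the real Internet.

```shell
#!/bin/sh
# Added example (not from the original article): a throwaway CA, a leaf
# certificate bound to an assumed hostname, and the checks a TLS client runs.
# Assumptions: www.example.test, local port 4433, openssl 1.1.1+ on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
PORT=4433
KEYOPTS="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"   # word-splitting intended

# Minimal OpenSSL config: what makes a CA a CA (CA:TRUE, keyCertSign) and what
# binds a leaf to a site (subjectAltName, serverAuth). Avoids the system cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# ca.pem/ca.key: trust anchor.  leaf.pem/leaf.key: issued by the CA.
# self.pem/self.key: same name, signed by nobody but itself.
make_pki() {
  openssl req -x509 -batch -config "$CFG" -extensions ca_ext $KEYOPTS \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 365 \
    -subj '/CN=Example Test Root CA' >/dev/null 2>&1
  openssl req -new -batch -config "$CFG" $KEYOPTS \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj '/CN=www.example.test' >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$CFG" -extensions leaf_ext \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -batch -config "$CFG" -extensions leaf_ext $KEYOPTS \
    -keyout "$WORK/self.key" -out "$WORK/self.pem" -days 30 \
    -subj '/CN=www.example.test' >/dev/null 2>&1
}

# Offline chain check: does certificate $1 chain to the trust anchor $2?
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Live handshake: serve cert $1 / key $2 locally, connect as a client that
# trusts only $3 and expects the name $4, and print s_client's verdict line,
# e.g. "Verify return code: 0 (ok)" or "... 62 (hostname mismatch)".
handshake() {
  openssl s_server -accept "$PORT" -cert "$1" -key "$2" -www >/dev/null 2>&1 &
  pid=$!
  result=""; tries=0
  while [ -z "$result" ] && [ "$tries" -lt 20 ]; do     # wait for the server
    result=$(openssl s_client -connect "127.0.0.1:$PORT" -servername "$4" \
      -verify_hostname "$4" -CAfile "$3" </dev/null 2>/dev/null \
      | grep 'Verify return code' | head -n 1)
    [ -n "$result" ] || { tries=$((tries + 1)); sleep 0.2; }
  done
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  echo "$result"
}

make_pki
echo "chain, leaf signed by our CA:  $(verify_chain "$WORK/leaf.pem" "$WORK/ca.pem" && echo trusted || echo NOT trusted)"
echo "chain, self-signed:            $(verify_chain "$WORK/self.pem" "$WORK/ca.pem" && echo trusted || echo NOT trusted)"
echo "tls, right cert, right name:   $(handshake "$WORK/leaf.pem" "$WORK/leaf.key" "$WORK/ca.pem" www.example.test)"
echo "tls, right cert, wrong name:   $(handshake "$WORK/leaf.pem" "$WORK/leaf.key" "$WORK/ca.pem" evil.example.test)"
echo "tls, self-signed cert:         $(handshake "$WORK/self.pem" "$WORK/self.key" "$WORK/ca.pem" www.example.test)"
```

The same checks run inside every browser; to see them against a real site, swap the CA file for the system trust store and the local server for the host, for example openssl s_client -connect example.com:443 -servername example.com, and read the "Verify return code" line. Note that the wrong-name and self-signed cases still complete the handshake and encrypt the data: it is the verification verdict, not the encryption, that the client has to act on, which is exactly what a browser does when it shows a warning instead of the page.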
Setting up certificates for WordPress sites
If you want to protect your users and improve page rankings, installing an SSL certificate on your WordPress site, even a free one, is one of the easiest ways. There is no real reason today to run a site without one, so getting one is a must.
First check whether you already have a certificate: many hosting plans install one by default, and services like Let's Encrypt issue certificates for free, usually straight from the hosting control panel. Otherwise you can purchase one from your hosting provider or from a CA; some providers also let you transfer in a certificate obtained elsewhere.
Once you have the certificate, you need to install it.
Here you can either do it through your hosting's settings, the recommended way, or use a specialized plugin. Many plugins automatically make the necessary changes as soon as a certificate is available for the site; some set everything up immediately after their own activation, with no action required from you. Plugins you can use:
- Really Simple SSL
- WP Force SSL
After installing the SSL management plugin, you will need to change your WordPress settings. Go to "Settings" and then "General" in the administration panel. Both the "WordPress Address (URL)" and the "Site Address (URL)" fields must start with "https". Then reload the site and confirm that the padlock appears without a warning sign, which means all the resources of your web pages (images, scripts, stylesheets) are loaded through the secure connection; any resource still referenced over plain http is "mixed content", which the browser either blocks or flags by dropping the padlock. This redirects users to the protected version of the site and fixes several problems with posts and pages that don't display correctly at once.
Certificate expiration and autorenewal
As you know, SSL certificates have a limited validity period. The limit is set by the CA/Browser Forum (CA/B Forum), the industry body of certificate authorities and browser vendors whose Baseline Requirements a CA must follow to remain in browser trust stores. A few years ago it was quite legal to order three-year, four-year or even five-year SSL certificates. The limit was then cut to 27 months (825 days, roughly 2 years plus 3 months to absorb the remainder of the previous certificate), and since September 2020 publicly trusted certificates can be valid for at most 398 days, about 13 months; the forum has since voted to shorten this further in stages over the coming years. The industry limits the maximum validity period for security purposes: a shorter lifetime bounds the damage from a stolen private key or a mis-issued certificate, since revocation checking is unreliable in practice, and forces the proof of domain control to be repeated regularly.
So the SSL certificate needs to be renewed or replaced at least once a year, and free Let's Encrypt certificates, which are valid for only 90 days, every couple of months. At that cadence renewal has to be automated rather than remembered.
To check whether a certificate is installed, its validity period and its contents, use online services such as:
- Serpstat
- Wormly
- Digicert
- Qualys
Alternatively, you can click on the padlock icon in the browser address bar and open the certificate information.
Certificate providers generally send customers a reminder some days before the certificate expires, and some add the months remaining on the old certificate to the new one if you renew early.
If you're using a certificate from Let's Encrypt, their recommended client, Certbot, renews it automatically, typically from a systemd timer or cron job; run certbot renew --dry-run once to confirm that the renewal path actually works before relying on it, and make sure the web server is reloaded after each renewal so it serves the new certificate rather than the old one.
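The checks above can be scripted instead of clicked through. The following is an added example, not code from the original article, using only the openssl command line: check_expiry classifies a certificate file as OK, RENEW or EXPIRED against a threshold in days, cert_summary prints the fields worth eyeballing (subject, issuer, validity window, names), and fetch_cert pulls the certificate a live server actually presents. The hostname www.example.test, the 30-day threshold and the short-lived test certificate the script generates for itself are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): classify a certificate as
# OK / RENEW / EXPIRED and show its validity window with the openssl CLI.
# Assumptions: openssl 1.1.1+ on PATH; www.example.test is an invented name.
set -eu

# Fetch the leaf certificate a live server presents (needs network; not used by
# the offline demo below).  Usage: fetch_cert www.example.com > live.pem
fetch_cert() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Print OK, RENEW or EXPIRED for certificate file $1, warning $2 days ahead.
# "openssl x509 -checkend N" exits 0 if the certificate is still valid N seconds
# from now and 1 if it will have expired by then, so no date parsing is needed.
check_expiry() {
  cert=$1
  warn_days=${2:-30}
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo EXPIRED
  elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo RENEW
  else
    echo OK
  fi
}

# Subject, issuer, validity window and the names the certificate is valid for.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -ext subjectAltName
}

# Constructed input for the demo: a self-signed certificate valid for $2 days,
# written to $1 (its key to $1.key). A minimal config avoids depending on the
# system openssl.cnf.
make_test_cert() {
  cfg=$(mktemp)
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$cfg"
  openssl req -x509 -batch -config "$cfg" -newkey ec -pkeyopt ec_paramgen_curve:P-256 \
    -nodes -keyout "$1.key" -out "$1" -days "$2" -subj '/CN=www.example.test' \
    -addext 'subjectAltName=DNS:www.example.test' >/dev/null 2>&1
  rm -f "$cfg"
}

# Demo: a certificate with 10 days left is fine at a 5-day threshold and due
# for renewal at the usual 30-day one.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_test_cert "$DEMO/short.pem" 10
cert_summary "$DEMO/short.pem"
echo "30-day threshold: $(check_expiry "$DEMO/short.pem" 30)"
echo "5-day threshold:  $(check_expiry "$DEMO/short.pem" 5)"
```

Run check_expiry from cron against what the server actually serves (fetch_cert rather than the file on disk, because the two drift when a renewal is written but the web server is never reloaded) and alert on anything other than OK. The threshold should sit comfortably above the renewal interval: for a 90-day Let's Encrypt certificate that Certbot renews at 30 days remaining, a 20-day warning catches a broken renewal job with time to spare.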