{"id":1541,"date":"2016-08-17T09:13:08","date_gmt":"2016-08-17T09:13:08","guid":{"rendered":"https:\/\/www.rapidsslonline.com\/blog\/?p=1541"},"modified":"2022-04-22T01:09:23","modified_gmt":"2022-04-22T06:39:23","slug":"how-website-security-certificate-works","status":"publish","type":"post","link":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/","title":{"rendered":"How Does a Website Security Certificate Work?"},"content":{"rendered":"<h2>A quick peek at the inner-workings of your website\u2019s Security Certificate<\/h2>\n<p>You\u2019ve gone through the trouble of purchasing an SSL Certificate, installing it on your server and configuring your website so it\u2019s served over HTTPS. But have you ever stopped to think, how is this all working?<\/p>\n<p><!--more--><\/p>\n<h3>How Does an SSL Certificate Work?<\/h3>\n<p>Well, look no further, we\u2019re here to tell you.<\/p>\n<h3>What Happens When Someone Visits Secure Website?<\/h3>\n<p>To answer the question of <strong>how an SSL Certificate actually works<\/strong>, we need to start at the top. Long before we even get to website visitors and SSL handshakes.<\/p>\n<p>We\u2019re going back to the generation process.<\/p>\n<p>When you purchase an SSL Certificate, after you\u2019ve selected the Certificate Authority and the type of certificate you want, you\u2019re asked to fill out a Certificate Signing Request. This request is going to contain information about your company and the websites you want to secure.<\/p>\n<p>After filling out your CSR and submitting it, the CA will then vet your organization. Depending on the authentication level you\u2019ve chosen to go with, this process could require anything from simply proving you own the registered domain all the way to an extensive business verification process known as extended validation.<\/p>\n<p>For the sake of this discussion, we\u2019re going to assume you\u2019re a real company and will be undergoing business validation. Organization Validation or Extended Validation, which one doesn\u2019t matter right now for our purposes. Either way, the point is the same, the CA wants to know that you are who you say you are.<\/p>\n<p>Think of it like obtaining a driver\u2019s license. You fill out the application (which, in this example is the CSR), but then you still have to provide proof of identity. For a driver\u2019s license that requires a couple pieces of mail, maybe a birth certificate\u2014you know, documents that can confirm that you\u2019re you. For an SSL Certificate, it likely requires business registration documents, maybe a professional opinion letter\u2014you know, things that show you\u2019re a real business operating in good faith.<\/p>\n<p>After you satisfy that requirement, the CA (or DMV) issues your certificate (or license), using the information from your CSR (or application)\u2014OK, I think we can drop the Driver\u2019s License metaphor now.<\/p>\n<p>After the Certificate is issued, you install it, configure it and make sure your website is running correctly over HTTPS.<\/p>\n<h3>Now We\u2019re Ready for What Happens When Someone Visits Your Protected Website<\/h3>\n<p>So what happens once you have the SSL Certificate installed and someone visits? How does it work?<\/p>\n<p>Well, the first thing the visitor\u2019s browser (who we\u2019ll occasionally refer to as the client) does, is reviews said Certificate. When it does this it\u2019s going to ask four major questions:<\/p>\n<ul>\n<li>Who issued this?<\/li>\n<li>Is this valid?<\/li>\n<li>Has it been revoked?<\/li>\n<li>Does this belong to you?<\/li>\n<\/ul>\n<p>We\u2019ll go through it step-by-step.<\/p>\n<p>The first thing that the client wants to know is who issued the certificate. <a href=\"https:\/\/www.rapidsslonline.com\/\" target=\"_blank\" rel=\"noopener\">Browsers only recognize certificates from Trusted Certificate Authorities<\/a>. These CAs have agreed to abide by certain standards and as a result their roots are saved in the trusted stores of most browsers. Part of keeping you safe on the internet is being skeptical of everyone and everything, which is exactly how the browsers operate. They don\u2019t trust just any website or any certificate. But they do trust a handful of CAs.<\/p>\n<p>This is why the authentication process we talked about in the last section is important. The browsers trust certain CAs, and then those CAs go through the trouble of validating you and your company so they can issue you a certificate. By issuing the certificate that CA is essentially vouching for you. It\u2019s telling the browser, \u201cI checked this guy out before and he\u2019s solid, you can trust him too.\u201d<\/p>\n<p>This why you have to buy your Security Certificate from a trusted CA. Otherwise the browsers will reject the certificate outright.<\/p>\n<p>The next thing that happens is the client checks the validity of the certificate. SSL Certificates are issued with specific lifespans\u20141-3 years. When a browser is presented with a certificate it immediately checks that lifespan \u2013 when the certificate was issued, when it expires \u2013 and makes sure that it\u2019s still valid. If the certificate is expired, the browser rejects it outright.<\/p>\n<p>After that, the browser makes sure the Certificate hasn\u2019t been revoked. All CAs are required to publish the revocation status of all the certificates they\u2019ve issued as part of a Google initiative called \u201c<strong><a href=\"https:\/\/transparencyreport.google.com\/https\/certificates\">Certificate Transparency.<\/a><\/strong>\u201d There are three ways that a browser can check on the revocation status of a certificate \u2013 the most reliable being OCSP Stapling \u2013 but regardless of the method it chooses, it\u2019s looking to make sure the certificate is still good. CAs revoke a certificate for a number of reasons. Maybe the company that had the certificate issued to it changed URLs, maybe the certificate was mis-issued to begin with\u2014regardless the reason, no browser will accept a revoked certificate.<\/p>\n<p>The last thing the browser does is check to make sure that the website with the certificate installed is actually the certificate\u2019s rightful owner. It does this by having the server encrypt and decrypt a specific piece of data using its public and private keys. This is a relatively simple test, but one that can only be passed by the rightful owner of said key-pair.<\/p>\n<p>After all four questions are successfully answered the browser then knows that the certificate is legitimate and the rest of the <strong>how does SSL handshake work<\/strong>.<\/p>\n<h3>What is SSL Handshake?<\/h3>\n<p>The SSL Handshake is a process where the client and server verify the authenticity of the certificate and then negotiate an encrypted connection.<\/p>\n<p>We\u2019ve already covered the portion of the handshake where authenticity is verified, so let\u2019s talk about how the encrypted connection is negotiated. And keep in mind, this all takes place in just a matter of milliseconds.<\/p>\n<p>Various browsers (and versions of browsers) and various servers all have differing capabilities. These are all factors in determining the encryption strength of the connection. A certificate may advertise 256-bit encryption strength but depending on the capabilities of the parties being connected, that may vary. Either way, the client and server will quickly determine the details of their encrypted connection and then exchange symmetric \u201csession keys.\u201d<\/p>\n<p>These \u201csession keys\u201d allow both parties to encrypt and decrypt all subsequent communication between them. As the name implies, they are good for exactly one session. After the client leaves the site and the connection ends they are discarded and should the client come back, a new session key will be created.<\/p>\n<h3>That\u2019s Pretty Much It<\/h3>\n<p>So there you have it, that\u2019s pretty much <strong>How SSL Certificates Work<\/strong>. After they\u2019re purchased and installed they facilitate an encrypted connection via the use of symmetric session keys. When a browser reaches a site with an SSL Certificate installed, it begins by verifying the authenticity of the certificate and the server, before negotiating the details of an encrypted connection. At the point the session ends, the two symmetric keys are discarded.<\/p>\n<p>And as we said, this all occurs in just a matter of milliseconds.<\/p>\n<p>Really, there\u2019s a whole lot going on under the hood\u2014and now you know all about it.<\/p>\n<p><a href=\"https:\/\/www.rapidsslonline.com\/ssl-types\/domain-validation-ssl-certificates.aspx\"><img decoding=\"async\" src=\"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png\" alt=\"cheap dv ssl\" width=\"932\" height=\"246\" class=\"aligncenter size-full wp-image-2927\" srcset=\"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png 932w, https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline-300x79.png 300w, https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline-768x203.png 768w, https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline-190x50.png 190w\" sizes=\"(max-width: 932px) 100vw, 932px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A quick peek at the inner-workings of your website\u2019s Security Certificate You\u2019ve gone through the trouble of purchasing an SSL Certificate, installing it on your server and configuring your website &hellip; <span class=\"d-flex justify-content-end\"><a href=\"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/\" class=\"btn btn-blue\">Read More <span class=\"screen-reader-text\">How Does a Website Security Certificate Work?<\/span><\/a><\/span><\/p>\n","protected":false},"author":10,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[14],"tags":[],"class_list":["post-1541","post","type-post","status-publish","format-standard","category-ssl-certificate"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How Does a Website SSL Security Certificate works?<\/title>\n<meta name=\"description\" content=\"Learn and understand about Website SSL Security certificate process. Guide on How Does an SSL Certificate Work? and What is SSL Handshake?\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Does a Website SSL Security Certificate works?\" \/>\n<meta property=\"og:description\" content=\"Learn and understand about Website SSL Security certificate process. Guide on How Does an SSL Certificate Work? and What is SSL Handshake?\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/\" \/>\n<meta property=\"og:site_name\" content=\"RapidSSLOnline Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/rsosslcertificates\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-08-17T09:13:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-04-22T06:39:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png\" \/>\n<meta name=\"author\" content=\"Adam Thompson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@rsossl\" \/>\n<meta name=\"twitter:site\" content=\"@rsossl\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adam Thompson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How Does a Website SSL Security Certificate works?","description":"Learn and understand about Website SSL Security certificate process. Guide on How Does an SSL Certificate Work? and What is SSL Handshake?","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/","og_locale":"en_US","og_type":"article","og_title":"How Does a Website SSL Security Certificate works?","og_description":"Learn and understand about Website SSL Security certificate process. Guide on How Does an SSL Certificate Work? and What is SSL Handshake?","og_url":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/","og_site_name":"RapidSSLOnline Blog","article_publisher":"https:\/\/www.facebook.com\/rsosslcertificates\/","article_published_time":"2016-08-17T09:13:08+00:00","article_modified_time":"2022-04-22T06:39:23+00:00","og_image":[{"url":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png","type":"","width":"","height":""}],"author":"Adam Thompson","twitter_card":"summary_large_image","twitter_creator":"@rsossl","twitter_site":"@rsossl","twitter_misc":{"Written by":"Adam Thompson","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/#article","isPartOf":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/"},"author":{"name":"Adam Thompson","@id":"https:\/\/www.rapidsslonline.com\/blog\/#\/schema\/person\/ab1f810704e5f52f23e62cf0a309fd56"},"headline":"How Does a Website Security Certificate Work?","datePublished":"2016-08-17T09:13:08+00:00","dateModified":"2022-04-22T06:39:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/"},"wordCount":1240,"commentCount":0,"image":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png","articleSection":["SSL Certificate"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/","url":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/","name":"How Does a Website SSL Security Certificate works?","isPartOf":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/#primaryimage"},"image":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/#primaryimage"},"thumbnailUrl":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png","datePublished":"2016-08-17T09:13:08+00:00","dateModified":"2022-04-22T06:39:23+00:00","author":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/#\/schema\/person\/ab1f810704e5f52f23e62cf0a309fd56"},"description":"Learn and understand about Website SSL Security certificate process. Guide on How Does an SSL Certificate Work? and What is SSL Handshake?","breadcrumb":{"@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/#primaryimage","url":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png","contentUrl":"https:\/\/www.rapidsslonline.com\/blog\/wp-content\/uploads\/2016\/08\/cheapdvssl-rapidsslonline.png","width":932,"height":246,"caption":"cheap dv ssl"},{"@type":"BreadcrumbList","@id":"https:\/\/www.rapidsslonline.com\/blog\/how-website-security-certificate-works\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.rapidsslonline.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How Does a Website Security Certificate Work?"}]},{"@type":"WebSite","@id":"https:\/\/www.rapidsslonline.com\/blog\/#website","url":"https:\/\/www.rapidsslonline.com\/blog\/","name":"RapidSSLOnline Blog","description":"SSL Best Practices for Secure Website","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.rapidsslonline.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.rapidsslonline.com\/blog\/#\/schema\/person\/ab1f810704e5f52f23e62cf0a309fd56","name":"Adam Thompson","sameAs":["http:\/\/rapidsslonline.com"],"url":"https:\/\/www.rapidsslonline.com\/blog\/author\/adam-thompson\/"}]}},"_links":{"self":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts\/1541","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/comments?post=1541"}],"version-history":[{"count":0,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/posts\/1541\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/media?parent=1541"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/categories?post=1541"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rapidsslonline.com\/blog\/wp-json\/wp\/v2\/tags?post=1541"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}