What is SSL?

By default, all data sent to and from a server is sent in plain text. This leaves all users vulnerable to eavesdropping. It is fairly easy for someone to intercept such data and if left unencrypted, they can see all of that information. They may store it and use it however they wish.

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are standard security technologies for creating an encrypted channel between a server and a computer, whether over the internet or in an internal network. The secure link encrypts all data passed between them in both directions, ensuring all information is kept private as it cannot be decrypted and understood even if it is seen by others.

Once SSL is configured on the server, very little (if any) interaction is required from the end user to secure the communication.

When using SSL, the browser will display a padlock, and in the case of an EV SSL the browser's address bar will turn green to indicate SSL is in use.

What is SSL used for?

SSL creates encrypted channels between a server and a computer. This should always be used to secure all information which is private and confidential.

The most common use is between a web server and a browser; other common uses are securing email, FTP and other applications. In fact, any program which transmits sensitive data can use it.

A common misconception a few years ago was that SSL should only be used for financial data, such as credit card numbers. However, we still hear of a few website owners being told this, especially by their web designer or web host.
All sensitive data should be encrypted, such as login credentials and clients' personal data (email address, delivery addresses, phone number, etc.).

There is now an initiative led by big names in the internet industry (especially Google) to ensure every website is encrypted with SSL. Google has announced plans to penalise websites which do not use SSL and to show warnings on non-secure sites that have input forms.

SSL used to secure a website does not only encrypt data: some SSL certificates also verify the website owner's credentials, such as the business-validated OV and EV SSL certificates. This increases trust and confidence for the end user, and can also prevent users from interacting with a spoof website.

The different types of SSL certificate

There are many options and choices with SSL certificates and it can be difficult to know which SSL certificate is right for you. The common choices, such as validation method or whether to secure a single domain, purchase a wildcard or go for the SANs option, can be confusing so we have explained the differences below. However, we are here to help and advise, so please contact us if you require any advice.

Validation Options

All SSL certificates need to be validated by a CA to be trusted and to prevent misuse. There are three validation methods: Domain Validation (Personal SSL), Organisation Validation (Business SSL) and Extended Validation (EV SSL).

Domain Validation

Domain Validation is the quickest and easiest to obtain, but also the least secure SSL certificate.
The SSL certificate issued will encrypt data but not authenticate an organisation.
Validation is achieved by an "Approver Email" sent to a stipulated email address containing a link to approve the order.

Organisation Validation

Organisation Validation is the standard validation type for businesses and organisations. It is the minimum requirement for websites dealing with vulnerable persons or children, such as schools and colleges.
The SSL certificate issued will encrypt data and authenticate the organisation if the site seal is displayed.
Validation is achieved by the CA performing background checks on your business or organisation.

Extended Validation (EV)

Extended Validation is the strongest and most secure type, and the default used by financial institutions and many companies wishing to fully protect their website users.
The SSL certificate issued will encrypt data and authenticate the organisation immediately in the browser's address bar.
Validation is achieved by the CA performing extended background checks on your organisation.

Single domain, Wildcard SSL or Multi-domain

Some SSL certificates have the ability to protect more than one FQDN or website address.
Depending upon your requirements, you may need a certain type of SSL certificate. In other cases, it may be possible to replace multiple certificates with a single wildcard or multi-domain SSL certificate, which can work out much easier in terms of validation and installation time and may also be more cost effective.

Secure a Single Domain

Securing a single domain or FQDN is the most common option, with www. being the most common subdomain secured. Often, the non-www version is automatically added by the CA. This will secure any page of your website under the subdomain secured. For example, let's assume you have an SSL certificate for www.example.com; you can then change your links to https:// and secure the following:

  • https://www.example.com/
  • https://www.example.com/any_page.html
  • https://www.example.com/any_script.php
  • https://www.example.com/any_folder/page.html
  • https://www.example.com/nested/folders/page.html

Note that you cannot secure any page which does not begin with https://www.example.com, for example https://blog.example.com.

Benefits of a Wildcard SSL Certificate

A wildcard SSL Certificate is ordered for the subdomain "*." and will secure any subdomain of the remainder of the common name.
So, for example let's assume you order a wildcard SSL certificate for *.example.com - you can then change your links to https:// and secure the following:

  • https://www.example.com/
  • https://blog.example.com/
  • https://cart.example.com/
  • https://secure.example.com/
  • https://login.example.com/

Just as with the single domain SSL Certificate, you can secure any page, folder, nested folders or combination of these.

Note, however, that a wildcard certificate will not secure multiple levels below the common name. So, for example, if you order a wildcard SSL certificate for *.example.com, it will secure https://blog.example.com/ but not https://www.blog.example.com/ (it may be simpler to think of it as: the "*." element cannot contain a ".").

Wildcard certificates are not restricted to just the "*." before the domain name. You can order a wildcard certificate for sub-domains too. For example, *.staff.secure.example.com

Multi-domain SSL Certificate (or SANs / UC Certificates)

Multi-domain SSL certificates are common for Unified Communications servers but can be used for many other applications. They are similar to the single domain SSL certificate, with the exception that you then add other FQDNs into the SANs field of the certificate, provided you own (are the registrant of) and control all of the domains in the SSL certificate.
A common scenario may be:

  • www.example.com
  • autodiscover.example.com
  • mail.example.com
  • mysql.example.com
  • www.example.org
  • www.example.edu
  • www.domain.ssl
  • www.website.any
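To make the single-domain, wildcard and SAN coverage rules above concrete, here is a small Python checker. It is an added example, not code from the original page or from any CA, and the certificate name lists in it are constructed for illustration.

```python
"""Check which hostnames a certificate would secure, applying the single-domain,
wildcard and multi-domain (SAN) rules described above. Added example, not the
page's own code; the name lists below are constructed, not real certificates."""


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (common name or SAN) covers hostname.

    A wildcard replaces only the single left-most label: the "*." element
    cannot contain a ".", so *.example.com covers blog.example.com but not
    www.blog.example.com, and never the bare example.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[1:]                  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[:-len(suffix)]
    return first_label != "" and "." not in first_label


def certificate_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate (common name plus SANs) covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered(cert_names, hostnames):
    """The hostnames that the certificate would NOT secure."""
    return [h for h in hostnames if not certificate_covers(cert_names, h)]


# Constructed name lists mirroring the three certificate types above.
SINGLE = ["www.example.com", "example.com"]   # CA often adds the non-www name
WILDCARD = ["*.example.com"]
NESTED_WILDCARD = ["*.staff.secure.example.com"]
MULTI = ["www.example.com", "autodiscover.example.com",
         "mail.example.com", "www.example.org"]

if __name__ == "__main__":
    print(uncovered(SINGLE, ["www.example.com", "blog.example.com"]))
    print(uncovered(WILDCARD, ["blog.example.com", "www.blog.example.com"]))
    print(certificate_covers(NESTED_WILDCARD, "hr.staff.secure.example.com"))
    print(uncovered(MULTI, ["mail.example.com", "www.example.edu"]))
```

Running the checker against the names you intend to serve over https:// before ordering shows which type of certificate you actually need.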

How to purchase SSL certificates

When placing an SSL order you will need to follow these steps:

  1. Place an order with us
    You can place the order with us by clicking the buy now button in the section you wish to purchase from. You will then have the option to select the certificate and validity period. Payment is required at this point, before you configure the order.
  2. Generate a CSR
    This will need to be generated on the server where you want to install the SSL certificates. If you do not have admin access to your server, your hosting company will need to generate one for you.
    Please remember to include the "www." in the common name if necessary and if you are ordering a wildcard certificate the common name must start with "*."
    The key size must be 2048 bit, as 1024 bit is no longer accepted.
    For help generating a CSR please see our CSR Generation help section.
  3. Configure the order with the CSR and your chosen approver email address
    Once the order has been paid for you will receive an email with a link attached for you to configure your SSL certificate. Just follow each step and make sure all the fields are filled in correctly.
  4. Click the link in the approver email
    For domain validated certificates you must select an approver email address from a given list. You may need to set up one of these addresses to receive email. You must click on the link in the email to validate your order.
    For organisation and extended validated certificates you can select any approver email address, as you won't actually receive an approver email.
    For CA specific information please see our Approving Your Order help section.
  5. Receive the certificate
    Once you have clicked on the link in the approver email for domain validated certificates, your certificate will be issued within 5-10 minutes and sent straight to you by email. For organisation and extended validated certificates the vetting process will take a little longer, depending on the CA. Once issued, the certificate will be sent straight to you by email.
  6. Install the certificate with the intermediate on your server.
    For help installing your SSL Certificate please see our Installation Instructions help section.

CSR Generation

For help generating a CSR, please visit either:

• this Sectigo / Comodo Knowledgebase article
• this DigiCert / RapidSSL Knowledgebase article
• this GeoTrust Knowledgebase article

Approving Your Order

All domain validated orders need to be approved by you after the order has been placed, before the certificate can be issued.

Business SSL (organisation and extended validation) certificates will be validated by the CA.

Normally, approving a domain validated order is achieved by following a link in an email sent to you. Contact us if you need the link resent or you wish to use a different validation method such as HTTP or DNS.

Approving a DV order without email

NOTE: This applies to Sectigo (formerly Comodo CA) SSL certificates only.

There are many reasons why customers cannot use email validation, for example, company restrictions on which email addresses are allowed, email is not enabled for this domain or the quantity of email accounts you may have is restricted by your hosting company.

If you are unable to use email validation for a DV SSL certificate you have ordered, there are a few other options available.

DNS CNAME

There is an option to add a CNAME record to your domain's DNS, such as:
c1d840ec7d195366e5a3d89afdbd2914.example.com. CNAME 547ec0ab58a2d355d705997a242d10ee93159c0a.comodoca.com

HTTP Hash

There is an option to add a hash file to your website so it can be accessed via HTTP, such as:
http://example.com/C1D840EC7D195366E5A3D89AFDBD2914.txt
You will be provided with the validation file to upload and the link which will be used. Please ensure the link works after uploading the file!

HTTPS Hash

There is an option to add a hash file to your website so it can be accessed via HTTPS, such as:
https://example.com/C1D840EC7D195366E5A3D89AFDBD2914.txt
You will be provided with the validation file to upload and the link which will be used. Please ensure the link works after uploading the file!

Domain Validated Manual Vetting

Occasionally CAs are required to manually vet or approve your order.

Typically, this takes 24-48 hours for a certificate manager to check and either issue or reject your order.

Make sure your website is online and working while they perform their checks. If they cannot see your website, they will reject the order.

Common reasons for manual vetting include:

  • Country: certain countries will automatically require manual vetting.
  • Brand Names: your domain may contain a brand name. Occasionally they are difficult to spot, like hosting.tld (ING bank) or bibmakers.tld (IBM).
  • Specific Words: words such as bank or payment will flag the order for review.

Installation Instructions

For help installing your SSL Certificate, please visit either:

• this Sectigo / Comodo Knowledgebase article
• this DigiCert / RapidSSL Knowledgebase article
• this GeoTrust Knowledgebase article

CAA (Certificate Authority Authorization) DNS Records

All CAs are now required to check the domain name's DNS for a CAA record prior to issuing any SSL certificates for that domain.

If configured, CAA records in a domain name's DNS will specify which CAs may issue certificates for your domain. DNS providers and hosting control panels have been slow to implement this, so if you wish to add a CAA record, you will need to ensure your provider has the capabilities or choose one which has.

You do not need to create a CAA record to obtain SSL certificates, only if you wish to restrict which CAs can issue them.
If no CAA records are set, any CA can issue SSL certificates for your domain.
If the CAA records name specific CAs, then only those CAs can issue SSL certificates for your domain.
You may specify which CAs can issue wildcard certificates and which can issue single domain certificates or both.

Note that errors can occur even when no CAA records have been created due to query time-outs or badly configured DNS.

The rules are straightforward:

  • No CAA record - any CA can issue
  • CAA record present with CA listed as "Issue" - this CA can issue any certificates
  • CAA record present with CA listed as "Issuewild" - this CA can issue wildcard certificates only
  • CAA record present with CA not listed - this CA cannot issue

CAs will check the full FQDN first and continue up to the base domain, stopping only when a CAA record is found.
For example, if a certificate is ordered for www.fake.subdomain.example.com, the CA will check in this order:

  • www.fake.subdomain.example.com
  • fake.subdomain.example.com
  • subdomain.example.com
  • example.com
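The lookup order and rules above can be simulated offline to check what a CAA record set would allow before you publish it. The following Python is an added example, not the page's own code: the DNS zone is a constructed dictionary rather than a live query, and the CA names sectigo.com and digicert.com are used only as illustrative values. It also applies the RFC 8659 rule that "issue" records govern a wildcard request when no "issuewild" record exists, which is why an "issue" entry alone permits any certificate.

```python
"""Simulate the CAA check a CA performs before issuing (added example, not the
page's own code): the zone is a constructed in-memory dict, not a live lookup."""

# Constructed zone: name -> list of (tag, value) CAA records.
ZONE = {
    "example.com": [("issue", "sectigo.com"), ("issuewild", "digicert.com")],
    "locked.example.com": [("issue", ";")],   # ";" lists no CA at all
}


def lookup_chain(fqdn: str):
    """Names checked in order, from the full FQDN up to the base domain."""
    labels = fqdn.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def relevant_caa(fqdn: str, zone: dict):
    """First non-empty CAA record set found walking up the chain (None if none)."""
    for name in lookup_chain(fqdn):
        if zone.get(name):
            return name, zone[name]
    return None, None


def ca_may_issue(ca: str, requested_name: str, zone: dict = ZONE) -> bool:
    """Rules from the text: no record -> any CA may issue; otherwise the CA
    must be listed under "issue", or under "issuewild" for a wildcard request.
    When a wildcard is requested and no issuewild record exists, the issue
    records apply (RFC 8659), so "issue" alone permits any certificate."""
    wildcard = requested_name.startswith("*.")
    # For *.example.com the records that matter are those of example.com.
    fqdn = requested_name[2:] if wildcard else requested_name
    _, records = relevant_caa(fqdn, zone)
    if records is None:
        return True
    tag = "issue"
    if wildcard and any(t == "issuewild" for t, _ in records):
        tag = "issuewild"
    # The CA domain is the value before any ";" parameters ("" for a bare ";").
    return any(t == tag and v.split(";")[0].strip().lower() == ca.lower()
               for t, v in records)
```

Note that ca_may_issue("sectigo.com", "*.example.com") is False for the constructed zone because an issuewild record exists and names only digicert.com.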