Practical Ecommerce

Securing an SSL Certificate

Overview

How do you know that I am who I say I am? Likewise, how do I know you are who you say you are?

And, if we can’t catapult past this initial, basic level of trust – how will we ever be able to conduct business together?

In the Web world, it’s done with an SSL certificate. SSL stands for ‘Secure Sockets Layer,’ a protocol that encrypts information as it travels over the Web; the certificate is what identifies the server and enables that encryption.

According to tech-encyclopedia.com, an SSL digital certificate is “an electronic file that uniquely identifies individuals and servers. Digital certificates allow the client (Web browser) to authenticate the server prior to establishing an SSL session.”

In more palatable language, the SSL certificate ensures that each party in an electronic transaction is identified accurately. It is the standard by which electronic transactions can be made with confidence.

For example, some folks look for the picture of the padlock in the bottom-right corner of a browser window. Others look for the ‘s’ in https:// as part of the URL protocol. Either indicates that an SSL certificate is in use on the Web site – and in particular, on the part of the Web site where you would enter sensitive information.

Nobody expects an SSL certificate to be installed on your ‘About Us’ page. However, anywhere a customer would enter a credit card number had better be under the protective umbrella of SSL, else savvy Web users will look elsewhere to conduct business.

So, how does SSL work exactly?

First, it helps to know up-front that Web servers execute SSL transactions with a couple of keys: a public key and a private key. This is part of a larger concept known as the Public Key Infrastructure, which comprises everything involved in providing public-key encryption.

When a Web surfer visits a secure Web page, the server sends the browser its public key, along with a certificate. The browser checks the credentials of the certificate to make sure it was issued by a trusted party, such as VeriSign (or any of the vendors listed below).

If everything is copacetic, the browser generates a fresh key for the session, known as an encryption key, encrypts it with the server’s public key and sends it across. Only the server, holding the matching private key, can decrypt it; from then on both sides use that session key to protect the information they exchange. Under an SSL arrangement, only the authenticated browser can receive the information sent by the server and only the trusted server can handle secure information from the browser.

Anyone who intercepts the traffic in transit sees only encrypted data, not the information itself.
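To make the sequence above concrete, here is an added example (not from the article or from any vendor) that plays both sides of the exchange in Python: the vendor signs a certificate binding the site name to the server’s public key, the browser checks that signature against the vendor key it trusts and checks the name, then wraps a random session key with the server’s public key, and only the server’s private key can unwrap it. It uses textbook RSA with fixed Mersenne primes and a truncated hash, and a SHA-256 keystream in place of a real cipher, so it illustrates the mechanics only and is not a real SSL/TLS implementation; the hostname and card number are constructed placeholders.

```python
# Added example (not from the article): a toy model of the handshake described
# above. Textbook RSA with fixed Mersenne primes and a truncated hash; it shows
# the mechanics only and is not a real SSL/TLS implementation.
import hashlib
import secrets
from typing import NamedTuple, Optional, Tuple

E = 65537  # common RSA public exponent


class KeyPair(NamedTuple):
    n: int  # public modulus
    e: int  # public exponent
    d: int  # private exponent (never leaves its owner)


def make_keypair(p: int, q: int) -> KeyPair:
    """Textbook RSA key pair from two primes (constructed Mersenne primes below)."""
    return KeyPair(p * q, E, pow(E, -1, (p - 1) * (q - 1)))


def digest(data: bytes, n: int) -> int:
    """SHA-256 truncated to 128 bits so the toy signature fits under the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big") % n


def issue_certificate(ca: KeyPair, subject: str, server_n: int) -> dict:
    """The vendor (CA) binds the site name to the server's public key by signing both."""
    tbs = f"{subject}|{server_n}|{E}".encode()
    return {"subject": subject, "n": server_n, "e": E,
            "sig": pow(digest(tbs, ca.n), ca.d, ca.n)}


def browser_verifies(cert: dict, trusted_ca_n: int, expected_host: str) -> bool:
    """The browser's check: signature valid under a trusted CA key, and the name matches."""
    tbs = f"{cert['subject']}|{cert['n']}|{cert['e']}".encode()
    signature_ok = pow(cert["sig"], E, trusted_ca_n) == digest(tbs, trusted_ca_n)
    return signature_ok and cert["subject"] == expected_host


def browser_wraps_session_key(cert: dict) -> Tuple[int, int]:
    """Browser picks a random session key and encrypts it to the certified public key."""
    session_key = secrets.randbits(128)
    return session_key, pow(session_key, cert["e"], cert["n"])


def server_unwraps_session_key(server: KeyPair, wrapped: int) -> int:
    """Only the holder of the private key can recover the session key."""
    return pow(wrapped, server.d, server.n)


def stream_xor(key: int, data: bytes) -> bytes:
    """Toy symmetric step: XOR with a SHA-256 keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key.to_bytes(16, "big") + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def simulate(expected_host: str = "www.yoursite.com",
             presented_host: str = "www.yoursite.com") -> Optional[Tuple[bool, bytes]]:
    """Run the whole exchange; returns None when the browser refuses the certificate."""
    ca = make_keypair(2**107 - 1, 2**127 - 1)     # the trusted vendor's key pair
    server = make_keypair(2**61 - 1, 2**89 - 1)   # the shop's key pair
    cert = issue_certificate(ca, presented_host, server.n)
    if not browser_verifies(cert, ca.n, expected_host):
        return None
    session_key, wrapped = browser_wraps_session_key(cert)
    recovered = server_unwraps_session_key(server, wrapped)
    card_number = b"4111 1111 1111 1111"  # constructed sample, not a real card
    ciphertext = stream_xor(session_key, card_number)
    return recovered == session_key, stream_xor(recovered, ciphertext)


def tampered_certificate_is_rejected() -> bool:
    """Swapping a different public key into the certificate invalidates the CA's signature."""
    ca = make_keypair(2**107 - 1, 2**127 - 1)
    server = make_keypair(2**61 - 1, 2**89 - 1)
    other = make_keypair(2**89 - 1, 2**107 - 1)
    cert = issue_certificate(ca, "www.yoursite.com", server.n)
    cert["n"] = other.n
    return not browser_verifies(cert, ca.n, "www.yoursite.com")


if __name__ == "__main__":
    print(simulate())
    print(simulate(presented_host="www.other-shop.example"))
```

The two checks in `browser_verifies` are the whole point of the certificate: the signature proves a trusted vendor vouched for this public key, and the name comparison proves the key belongs to the site the visitor actually typed. Drop either check and the session key could be wrapped to a key that was never vouched for.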

So, how do you get an SSL certificate for your ecommerce Web site?

Luckily for us, the third-party vendors who supply us with this level of security also walk us through the process.

According to the folks at ourshop.com, the primary certificate providers include:

  • VeriSign
  • Thawte
  • InstantSSL
  • Entrust
  • Baltimore
  • GeoTrust

A visit to any of their Web sites will include how-tos; yet, these visits will also inundate you with options. For example, at thawte.com, one has the option of SGC SuperCerts, SSL Web Server Certificates, SSL123 Certificates, code signing certificates, etc.

For most ecommerce business situations, all you’ll need is the option that provides you with a secure SSL certificate with full authentication, capable of between 40-bit (minimum) and 128-bit encryption. In Thawte’s case, it would be the SSL Web Server Certificate. Each vendor will have an option parallel to this one.

The folks at Thawte have even outlined a detailed step-by-step SSL certificate enrollment checklist, which outlines the process regardless of your chosen vendor. Some of these steps are performed by the vendor – the rest by you or your hosting company.

Instruction

First, your hosting provider will need to generate what’s called a key and a Certificate Signing Request (CSR). This will be provided to your SSL vendor. At the time this is given to whoever you choose as your SSL provider, you’ll be required to pony up for the certificate. Price for SSL Certificates varies from vendor to vendor.
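The key and CSR the hosting provider produces are usually made with the openssl command line. The following added example (not from the article, Thawte or any host) drives those commands from Python so the three steps are visible together: generate the private key, build the CSR against it with the site’s subject fields, and verify and print the CSR subject the vendor will see. It assumes openssl is on the PATH; the subject fields are constructed placeholders.

```python
# Added example (not from the article): generate the private key and the
# Certificate Signing Request that the hosting provider hands to the SSL vendor,
# by driving the openssl command line. Assumes openssl is on PATH; subject
# fields are constructed placeholders.
import os
import shutil
import subprocess
import tempfile


def openssl_available() -> bool:
    return shutil.which("openssl") is not None


def generate_key_and_csr(workdir: str, common_name: str, org: str) -> dict:
    """Create site.key (stays on the server, never sent anywhere) and site.csr
    (the file the certificate vendor receives). Returns paths and the CSR subject."""
    key_path = os.path.join(workdir, "site.key")
    csr_path = os.path.join(workdir, "site.csr")
    # 1. private key: 2048-bit RSA, PKCS#8 PEM
    subprocess.run(
        ["openssl", "genpkey", "-algorithm", "RSA",
         "-pkeyopt", "rsa_keygen_bits:2048", "-out", key_path],
        check=True, capture_output=True)
    os.chmod(key_path, 0o600)  # readable by the server account only
    # 2. CSR: the public half of the key plus the subject the vendor will validate
    subprocess.run(
        ["openssl", "req", "-new", "-key", key_path, "-out", csr_path,
         "-subj", f"/C=US/O={org}/CN={common_name}"],
        check=True, capture_output=True)
    # 3. -verify checks the CSR's own signature; -subject prints what was requested
    shown = subprocess.run(
        ["openssl", "req", "-in", csr_path, "-noout", "-verify",
         "-subject", "-nameopt", "RFC2253"],
        check=True, capture_output=True, text=True)
    return {"key": key_path, "csr": csr_path, "subject": shown.stdout + shown.stderr}


def demo(common_name: str = "www.yoursite.com", org: str = "Example Shop Inc") -> dict:
    """Generate into a throwaway directory and report whether the files look right."""
    with tempfile.TemporaryDirectory() as workdir:
        result = generate_key_and_csr(workdir, common_name, org)
        with open(result["key"]) as f:
            key_header = f.readline().strip()
        with open(result["csr"]) as f:
            csr_header = f.readline().strip()
    return {
        "subject": result["subject"],
        "ok": (key_header == "-----BEGIN PRIVATE KEY-----"
               and csr_header == "-----BEGIN CERTIFICATE REQUEST-----"
               and f"CN={common_name}" in result["subject"]),
    }


if __name__ == "__main__":
    print(demo()["subject"] if openssl_available() else "openssl not found on PATH")
```

The division of labour matters: site.csr is the only file that goes to the vendor, and the CN in it must be the exact host name customers will type, because that is the name the browser compares against later. site.key never leaves the server; if it ever does, the certificate has to be reissued.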

VeriSign charges $349 for a one-year certificate, $598 for a two-year certificate and $795 for a three-year certificate. Thawte, on the other hand, charges $199 for a one-year certificate and $349 for a two-year certificate. One possible reason for the price difference is that VeriSign offers a $100,000 warranty to back up its product.

The trickiest part of this entire process comes next.

You have to identify yourself.

Doesn’t sound so tricky; however, these SSL providers maintain a level of security unmatched by any governmental entity – or so it seems. You’ll provide the vendor with written authorization, technical and billing contact information as well as proof of organization existence and domain ownership. Proof could include something as official as a notarized letter.

Once you have been authenticated by your SSL provider, they will issue a certificate to you. It looks like a paragraph of complete gibberish. Your hosting provider will install it on the server. That work alone takes only minutes. Once installed, you’ll need to update your HTML links pointing to newly secured pages. Instead of pointing to http://www.yoursite.com/shopping — for example — your HTML will need to point to https://

Again, the ‘s’ signifies a page protected by an SSL certificate.
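Finding every link that still sends customers to the secured section over plain http:// is tedious by hand. Here is an added example (not from the article) that scans a page’s HTML for links and forms reaching the secured path over http://, reports them, and rewrites just those to https:// while leaving other links alone. The hostname, the secured path and the sample page are constructed.

```python
# Added example (not from the article): scan a page's HTML for links and forms
# that still reach the secured part of the site over plain http://, and rewrite
# them to https://. The hostname, secured path and sample HTML are constructed.
from html.parser import HTMLParser
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit

# which attribute carries the URL for each tag we care about
URL_ATTRS = {"a": "href", "form": "action", "iframe": "src", "script": "src", "img": "src"}


class ReferenceCollector(HTMLParser):
    """Collects (tag, url) pairs from the attributes listed in URL_ATTRS."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, value))


def needs_https(url: str, host: str, secured_paths: Iterable[str]) -> bool:
    """True for an absolute http:// URL on our host whose path is under a secured prefix."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http" or parts.netloc.lower() != host.lower():
        return False
    return any(parts.path.startswith(prefix) for prefix in secured_paths)


def find_insecure_references(html: str, host: str,
                             secured_paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Every link or form target that must be changed before the page goes live."""
    collector = ReferenceCollector()
    collector.feed(html)
    paths = list(secured_paths)
    return [(tag, url) for tag, url in collector.refs if needs_https(url, host, paths)]


def upgrade_url(url: str) -> str:
    """Switch only the scheme; host, path and query are left alone."""
    return urlsplit(url)._replace(scheme="https").geturl()


def upgrade_references(html: str, host: str, secured_paths: Iterable[str]) -> str:
    """Rewrite every flagged URL in place; other http:// links stay as they are."""
    for _, url in find_insecure_references(html, host, secured_paths):
        html = html.replace(url, upgrade_url(url))
    return html


SAMPLE_HTML = """<!-- constructed sample page -->
<a href="http://www.yoursite.com/about">About Us</a>
<a href="http://www.yoursite.com/shopping/cart">View cart</a>
<form action="http://www.yoursite.com/shopping/checkout" method="post"></form>
<img src="http://www.yoursite.com/images/logo.gif" alt="logo">
<a href="https://www.yoursite.com/shopping/cart">View cart (already https)</a>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_references(SAMPLE_HTML, "www.yoursite.com", ["/shopping"]):
        print(f"<{tag}> still uses {url}")
    print(upgrade_references(SAMPLE_HTML, "www.yoursite.com", ["/shopping"]))
```

The form target is the one to watch most closely: a link that lands on an http:// cart page is an annoyance, but a form whose action posts the card number to an http:// URL sends it in the clear no matter how the page it sits on was loaded.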

For the vast majority of ecommerce proprietors, this process will be ultra easy because they will have partnered with hosting providers who have plenty of SSL-installation experience. While the process of proving you are who you say you are to the SSL vendor might give you a bit of a headache, knowing that your customers can have confidence in your site security is enough to cure it – and then some.


  1. Legacy User January 17, 2007 Reply

    Thanks, this was very informative.

    — *Wendi*

  2. Legacy User September 4, 2007 Reply

    It was most helpful. But now I have the ssl and an https:// and my certificate provider and domain host are partners. However, no one in either company can help me to redirect my site to the secure site.

    It has been an overall unsatisfying situation.

    — *Toni*