Manage Subscriptions · Subscribe Now · F.A.Q.'s
HOME · Saturday, May 17, 2008
Hosting, Infrastructure & Software
Securing an SSL Certificate
Tutorial
Overview
How do you know that I am who I say I am? Likewise, how do I know you are who you say you are?
And, if we can’t catapult past this initial, basic level of trust – how will we ever be able to conduct business together?
In the Web world, it’s done with an SSL certificate. SSL stands for ‘Secure Sockets Layer,’ which protects information transferred conventionally over the Web using encryption enabled by the certificate.
According to tech-encyclopedia.com, an SSL digital certificate is “an electronic file that uniquely identifies individuals and servers. Digital certificates allow the client (Web browser) to authenticate the server prior to establishing an SSL session.”
In more palatable language, the SSL certificate ensures that each party in an electronic transaction is identified accurately. It is the standard by which electronic transactions can be made with confidence.
For example, some folks look for the picture of the padlock in the bottom-right corner of a browser window. Others look for the ‘s’ in https:// as part of the URL protocol. Either is indicative of an SSL certificate being established on a Web site – and in particular, the part of a Web site where you would enter sensitive information.
Nobody expects an SSL certificate to be installed on your ‘About Us’ page. However, anywhere a customer would enter a credit card number had better be under the protective umbrella of SSL, else savvy Web users will look elsewhere to conduct business.
So, how does SSL work exactly?
First, it helps to know up-front that Web servers execute SSL transactions with a couple of keys: a public key and a private key. This is part of a larger concept known as the Public Key Infrastructure, which is comprised of everything involved with providing public-key encryption.
When a Web surfer visits a secure Web page, the server sends the browser its public key, along with a certificate. The browser checks out the credentials of the certificate to make sure it’s from a trusted party, such as VeriSign (or any of the vendors listed below).
If everything is copasetic, the browser uses the public key to generate another key, known as an encryption key. The server uses its private key to decrypt it, and then deliver secure information to the authenticated requestor. Under an SSL arrangement, only the authenticated browser can receive the information sent by the server and only the trusted server can handle secure information from the browser.
Nobody and nothing can intercept the information.
So, how do you get an SSL certificate for your ecommerce Web site?
Luckily for us, the third-party vendors who supply us with this level of security also walk us through the process.
According to the folks at ourshop.com (http://www.ourshop.com/resources/ssl-recommendation.html), the primary certificate providers include:
- VeriSign
- Thawte
- InstantSSL
- Entrust
- Baltimore
- GeoTrust
A visit to any of their Web sites will include how-tos; yet, these visits will also inundate you with options. For example, at thawte.com, one has the option of sgc supercerts, ssl web server certificates, ssl123 certificates, code signing certificates, etc.
For most ecommerce business situations, all you’ll need is the option that provides you with a secure SSL certificate with full authentication, capable of between 40-bit (minimum) and 128-bit encryption. In Thawte’s case, it would be the SSL Web Server Certificate. Each vendor will have an option parallel to this one.
The folks at Thawte have even outlined a detailed step-by-step SSL certificate enrollment checklist, which outlines the process regardless of your chosen vendor. Some of these steps are performed by the vendor – the rest by you or your hosting company.
Instruction
First, your hosting provider will need to generate what’s called a key and a Certificate Signing Request (CSR). This will be provided to your SSL vendor. At the time this is given to whoever you choose as your SSL provider, you’ll be required to pony up for the certificate. Price for SSL Certificates varies from vendor to vendor.
VeriSign charges $349 for a one-year certificate, $598 for a two-year certificate and $795 for a three-year certificate. Thawte, on the other hand, charges $199 for a one-year certificate and $349 for a two-year certificate. One possible reason for the price difference is that VeriSign offers a $100,000 warranty to back up its product.
The trickiest part of this entire process comes next.
You have to identify yourself.
Doesn’t sound so tricky; however, these SSL providers maintain a level of security unmatched by any governmental entity – or so it seems. You’ll provide the vendor with written authorization, technical and billing contact information as well as proof of organization existence and domain ownership. Proof could include something as official as a notarized letter.
Once you have been authenticated by your SSL provider, they will issue a certificate to you. It looks like a paragraph of complete gibberish. Your hosting provider will install it on the server. That work alone takes only minutes. Once installed, you’ll need to update your HTML links pointing to newly secured pages. Instead of pointing to http://www.yoursite.com/shopping -- for example -- your HTML will need to point to https:// …
Again, the ‘s’ signifies a page protected by an SSL certificate.
For the vast majority of ecommerce proprietors, this process will be ultra easy because they will have partnered with hosting providers who have plenty of SSL-installation experience. While the process of proving you are who you say you are to the SSL vendor might give you a bit of a headache, knowing that your customers can have confidence in your site security is enough to cure it – and then some.
Blinklist | Del.icio.us | Furl | Ma.gnolia | Newsvine | Spurl | Reddit | Technorati
Published on Saturday, October 01, 2005
Comments:
It was most helpful. But now I have the ssl and an https:// and my certificate provider and domain host are partners. However, no one in either company can help me to redirect my site to the secure site.
It has been an overall unsatisfying situation.
Posted by: Toni
Tuesday, September 04, 2007
Ecommerce Articles
- Browse All Articles
- Browse our complete archive of ecommerce articles.
- Accounting, Management & Legal
- Ecommerce articles related to managing a small business including ecommerce accounting, business strategy and legal considerations.
- Conversion & Usability
- Online business articles about converting web site visitors into customers and how to gauge and improve your business website's usability.
- Development & Programming
- Articles to help designers, developers and programmers create successful, search engine friendly ecommerce websites and improve existing ones.
- Hosting, Infrastructure & Software
- Articles for ecommerce businesses about ecommerce web hosting, business infrastructure, business strategy and helpful ecommerce & small business software.
- Interviews & Profiles
- Interviews with prominent ecommerce business personalities and profiles of successful online businesses.
- Inventory & Shipping
- Ecommerce articles about inventory management, ecommerce order fulfillment and product shipping considerations.
- Marketing & Revenue Growth
- Articles relating to online marketing, email marketing and using the Internet to growing your business.
- Search Engine Optimization
- Search engine optimization articles for ecommerce business owners, strategists, marketers and developers.
- Shopping Carts & Online Payments
- Articles covering ecommerce shopping cart platforms and options for choosing an online payment gateway.
- Training & Education
- Tutorials and articles providing training and education for ecommerce business owners and developers of ecommerce websites.
Search Articles
Ecommerce Community
- Ecommerce Blogs
- Read our blogs about ecommerce topics written by industry professionals.
- Community Forum
- Connect with other ecommerce professionals to trade advice and answers in our community forum.
- Podcasts
- Check out our ecommerce podcasts covering topics ranging from interviews to tutorials.
- RSS Content Feeds
- Subscribe to our RSS feeds and have fresh ecommerce content delivered to you.
Ecommerce Resources
- Free Email Newsletter
- Sign up for Ecommerce Notes, our free email newsletter for ecommerce business owners and developers.
- Ecommerce Directory
- Browse our directory of ecommerce products and services, or submit your own listing in our directory.
- Ecommerce Glossary
- Familiarize yourself with terminology or submit terms to help others with our Ecommerce Glossary.
- Events Calendar
- Find out about upcoming ecommerce events or invite other ecommerce professionals by posting your own event.
- Press Releases
- Browse ecommerce related press releases and post your own press release for distribution.
- Ecommerce Store & Back Issues
- Pick up back issues of Practical eCommerce magazine along with other merchandise from Practical Ecommerce
About Practical eCommerce
- Frequently Asked Questions
- Look at frequently asked questions regarded using our website, subscribing to our magazine and more.
- Advertising Information
- Information about advertising in Practical eCommerce magazine, on our website, or in our email newsletters.
- Editorial Sharing
- Learn about options for sharing our content with your visitors, customers or employees.
- About Us
- Learn more about Practical Ecommerce magazine and meet our staff.
- Contact Us
- Contact Practical Ecommerce at any time for more information. We'd love to hear from you.
Copyright 2007 Confluence Distribution, Inc. and Practical eCommerce.
All Rights Reserved.
Thanks, this was very informative.
Posted by: Wendi
Wednesday, January 17, 2007