A bit about SSL certificates: which one to choose and how to get it

On July 20, Google announced that Chrome would no longer trust SSL certificates issued by the WoSign certificate authority (CA) and its subsidiary StartCom. As the company explained, the decision followed a number of incidents in which the CA fell short of the standards expected of it, in particular the issuance of certificates without authorization from the IT giant.

Earlier this year it also became known that the organizations responsible for issuing certificates would have to start taking special DNS records into account. These records let domain owners define the “circle of persons” allowed to issue SSL/TLS certificates for their domain.

All of these decisions are to some extent related to the growing number of hacker attacks and phishing sites. Encrypted HTTPS connections to websites are becoming ever more widespread on the Internet. Certificates not only allow the data sent between the browser and the web server to be encrypted, but also verify the organization to which the site belongs. In this article we look at the types of certificates that exist and touch on how to obtain them.



All SSL certificates use the same data-protection methods: asymmetric algorithms (a public/private key pair) for authentication and symmetric algorithms (a secret key) for confidentiality. Where they differ is in the verification method: every certificate must be checked by a certification authority to make sure it belongs to a legitimate, authorized site. There are several types of certificates.

The first type is Domain Validated (DV). These are suitable for non-profit sites, since they only confirm the web server that serves the site the user navigated to. A DV certificate contains no identifying information in the organization name field; typically the value is “Persona Not Validated” or “Unknown”.

To verify the person who requested the certificate, the CA sends an email to an address associated with the domain name (for example, admin@yourdomainname.com). This confirms that the requester is indeed the owner of the domain name. Google does not need to prove to the public that www.google.com belongs to it, so it could perfectly well use simple domain-validated certificates (although the IT giant actually uses OV certificates, discussed below).

Other verification options include adding a TXT record in DNS or placing a special file on the server that the CA can read. This type of certificate is the cheapest and most popular, but it is not considered fully secure, since it contains information only about the registered domain name. For that reason DV certificates are often used to protect internal networks or small websites.

The second type is Organization Validated (OV). These are more trustworthy than DV certificates, since they additionally confirm the registration details of the company that owns the online resource. The company provides the necessary information when purchasing the certificate, and the CA then contacts the organization's representatives directly to confirm it.

The third type is Extended Validation (EV), the certificate with the most thorough verification, which is considered the most reliable. EV certificates first appeared in 2007 and are needed by websites that conduct financial transactions requiring a high level of confidentiality. With an EV certificate the browser's entire address bar is highlighted in green (hence the name “green bar” certificates), and the company name is shown in the green area.

How different browsers inform users that a site has a certificate is described in a separate article.

Note that if payments and transaction processing are handled by redirecting the user to a third-party site that has an EV certificate, an ordinary OV certificate is sufficient for the site itself.

EV certificates are useful when a domain must be “rigidly” tied to a physical organization, for example Bank of America and the domain bankofamerica.com. Here the certificate with organization verification guarantees that the resource really belongs to the bank where the user can physically deposit money, which is at the very least convenient for users.

EV certificates also protect against phishing-site attacks such as the one against Mountain America Credit Union. Attackers managed to obtain a legitimate SSL certificate for a copy of the credit union's site: the bank used the domain name macu.com, while the attackers used the name mountain-america.net and, when applying for the certificate, hosted an innocent-looking site there. Once the certificate was issued, the site was replaced with a phishing resource. EV certificates make such a “trick” much harder to pull off, since at the very least the culprit's address becomes known immediately.

When issuing OV or EV certificates, the CA must make sure that the company receiving the certificate really exists, is officially registered, has an office, and that all the contact details provided are valid. The assessment of an organization begins with a check of its official state registration. In Russia, this is done using the register of legal entities published on the website of the Federal Tax Service.

After receiving the certificate application, the CA sends a form with questions about the organization, which must be completed and signed. The head of the company and the chief accountant sign it and apply the company seal. The scanned documents are then sent back to the CA, where they are verified using the USRLE and TIN identifiers.

If the data provided fully satisfies the CA's staff, the certificate is issued. If documents need to be legalized, scanned copies of the requested documents will have to be sent to the CA by e-mail.

It is worth clarifying in advance whether a translation of these documents and notarization of the translation are required, and whether the notary's certification must in turn be confirmed by an apostille. Instead of an apostille, the notary's authority can be confirmed by giving the CA a link to the corresponding entry on the website of the Federal Notary Chamber. Translation, notarial services and an apostille involve additional expense and organizational effort, so they should not be undertaken until the CA has confirmed that they are needed.

CAs can also issue EV certificates to government agencies, but these must meet a number of requirements. First, the agency's existence must be confirmed by the administrative-territorial entity in which it operates. Second, the agency must not be located in a country where the activities of the issuing CA are prohibited. Also, the government body itself must not appear on any list of banned organizations.

Note also that there are international agencies that can check a company's official documents and certify its legal existence. The best known of these is Dun & Bradstreet. After checking the organization, D&B issues a digital identifier, a DUNS number (Digital Universal Numbering System), which can be referenced to confirm the organization's legitimacy.

Obtaining an OV or EV certificate involves some expense for the organization that wants it. In return, the effort raises the organization's reputation and the level of customer confidence in it on the Internet.

Certificate chains


In general, a single certificate is enough to encrypt the data sent between the web server and the user's browser. However, if you look at the certification path for google.ru, you will see that there are three certificates.


When visiting many sites, such as banks or railway ticket offices, users want to be sure not only that the connection is secure but also that the site that opens is the genuine one. One certificate is not enough to certify this: a third party (a certification authority) must confirm that the certificate protecting the connection was issued specifically for this site.

If some “B” has verified “A” and you trust “B”, the problem is solved.


If you do not know “B”, then “B” can point to a “C” who vouches for it.


The length of such a chain of identities is unlimited; what matters is that it ends with someone the user trusts. Historically and technologically, a number of certification authorities have gained the widest recognition in the IT field, so by common agreement their certificates are called root certificates and their signatures are always trusted.

The list of root certification authorities and their public keys is stored on the user's computer. If a chain of successively signed certificates ends in a root certificate, every certificate in the chain is considered verified.
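The “A”, “B”, “C” chain described above, as an added example that is not part of the original article: Go's standard crypto/x509 package builds a constructed root (“C”), an intermediate (“B”) and a site certificate (“A”) for the assumed host www.example.com, then verifies the leaf the way a browser would, with and without the root in the trust store and with and without the intermediate at hand.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { if err != nil { panic(err) } }
// issue signs a certificate for name with the parent's key; a nil parent makes it self-signed.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, // constructed serial
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // root and intermediate are allowed to sign other certificates
	} else {
		tmpl.DNSNames = []string{name} // leaf: the host name the browser matches against the URL
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// chainOK builds root ("C") -> intermediate ("B") -> leaf ("A") for host and reports whether the leaf verifies.
func chainOK(host string, trustRoot, haveIntermediate bool) bool {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue(host, false, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if trustRoot { roots.AddCert(root) }          // the root store kept on the user's computer
	if haveIntermediate { inters.AddCert(inter) } // normally sent by the server together with the leaf
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}

func main() { fmt.Println(chainOK("www.example.com", true, true), chainOK("www.example.com", false, true)) } // true false
```

A self-signed certificate, such as one generated with OpenSSL for internal use, is exactly the untrusted-root case: the chain is valid but ends at a root the user's computer does not know, which is why browsers warn about it.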

Other types of certificates


Finally, besides the DV, OV and EV gradation there are other kinds of certificates. For example, certificates differ in the number of domains for which they are issued. Single-domain certificates are tied to the one domain specified at the time of purchase. Multi-domain certificates (Subject Alternative Name, Unified Communications Certificate, Multi Domain Certificate) are valid for a larger number of domain names and servers, but each name beyond the included number has to be paid for separately.

There are also subdomain certificates (Wildcard certificates), which cover all subdomains of the domain name specified at registration. Sometimes a certificate is needed that covers several subdomains in addition to several domains; for such cases there are products such as Comodo PositiveSSL Multi-Domain Wildcard and Comodo Multi-Domain Wildcard SSL. Note that in this case an ordinary multi-domain certificate in which you simply list the required subdomains will also do.

You can also create an SSL certificate yourself: the key pair is produced with any generator, for example the free OpenSSL. Such secure channels are perfectly usable for internal company needs, such as exchanges between network devices or applications. For a public website, however, you must buy an official certificate; then browsers will not show warnings about an insecure connection and will treat the transferred data as protected.
