An SSL / TLS X.509 certificate is a digital document used with Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS). (Every SSL version is now deprecated; the name survives in everyday usage, and in practice the protocol in use is TLS.) The certificate serves two purposes. First, it lets a client authenticate the identity of a host or website. Second, the public key it carries lets client and server establish the encrypted session that protects the information they exchange.

SSL / TLS certificates are the most common kind of X.509 certificate, that is, a public key certificate that follows the X.509 standard. An X.509 certificate binds a public key to information about the identity of a host, organization or person, and is signed by its issuer.

Some certificates are self-signed: issuer and subject are the same entity, so the certificate proves nothing to anyone who has not already decided to trust that key. When a certificate is instead signed by a certification authority (CA) that the relying party trusts, other parties can use the public key it contains to establish a secure connection to its owner, or to verify documents that were digitally signed with the corresponding private key.

SSL / TLS X.509 certificate

SSL / TLS server certificates are X.509 certificates whose Extended Key Usage (EKU) extension includes server authentication, id-kp-serverAuth, OID 1.3.6.1.5.5.7.3.1. The Extended Key Usage extension lists the purposes (“roles”) for which the key in the certificate may be used.

In other words, a certificate may be relied on only for the purposes listed in its EKU; a certificate issued for server authentication must not be used, say, to sign code. Doing so violates the issuing CA's policy, and clients that check EKU, as browsers do, reject the certificate for any purpose it does not list.

There are other common types of X.509 certificates, for example those for client authentication (id-kp-clientAuth, 1.3.6.1.5.5.7.3.2) or for code signing (id-kp-codeSigning, 1.3.6.1.5.5.7.3.3). A single certificate may list several purposes, and TLS server certificates frequently carry both serverAuth and clientAuth. Certificates of these kinds are the basis of most authentication and key-establishment procedures in use today.
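To show what the OIDs above look like inside a certificate, here is an added example (not code from the original article) that encodes and decodes the DER value of the Extended Key Usage extension and checks whether a given purpose is permitted. The sample extension values are constructed inline, and all function names are mine; only the OIDs and the DER rules are from RFC 5280.

```python
"""Encode and decode the DER value of the X.509 Extended Key Usage extension.
Added example, not from the original article. The parser handles only definite-length
SEQUENCE and OBJECT IDENTIFIER elements, which is all an ExtKeyUsage value contains."""

# Key purpose OIDs named in the article (id-kp arc 1.3.6.1.5.5.7.3) plus anyExtendedKeyUsage.
ID_KP = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
}
ANY_EKU = "2.5.29.37.0"
TAG_OID, TAG_SEQUENCE = 0x06, 0x30

def encode_length(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER TLV: first two arcs packed as 40*a+b, every arc in base 128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]            # last 7-bit group has the continuation bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([TAG_OID]) + encode_length(len(body)) + bytes(body)

def encode_eku(oids) -> bytes:
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId"""
    inner = b"".join(encode_oid(o) for o in oids)
    return bytes([TAG_SEQUENCE]) + encode_length(len(inner)) + inner

def read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, end) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the buffer")
    return tag, buf[pos:end], end

def decode_oid(body: bytes) -> str:
    """Contents of an OBJECT IDENTIFIER back to dotted form."""
    if not body or body[-1] & 0x80:
        raise ValueError("truncated OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        if not arcs:                    # unpack the first two arcs from the combined value
            first = min(value // 40, 2)
            arcs += [first, value - first * 40]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))

def decode_eku(der: bytes) -> list:
    """Parse an ExtKeyUsage extension value into its list of KeyPurposeId OIDs."""
    tag, seq, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("ExtKeyUsage must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != TAG_OID:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside ExtKeyUsage")
        oids.append(decode_oid(body))
    if not oids:
        raise ValueError("ExtKeyUsage must list at least one purpose")
    return oids

def allowed_for(der: bytes, purpose: str) -> bool:
    """True if the EKU permits `purpose` (dotted OID) or lists anyExtendedKeyUsage."""
    oids = decode_eku(der)
    return purpose in oids or ANY_EKU in oids

def describe(der: bytes) -> list:
    """Purpose names for known OIDs; unknown OIDs are left in dotted form."""
    return [ID_KP.get(o, o) for o in decode_eku(der)]

# Constructed samples: the EKU of a typical TLS server certificate, and of a code-signing one.
SERVER_EKU = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"])   # hex 3014 0608 2b06010505070301 ...
CODESIGN_EKU = encode_eku(["1.3.6.1.5.5.7.3.3"])
```

`allowed_for(CODESIGN_EKU, "1.3.6.1.5.5.7.3.1")` is `False`: that is the check a browser performs before it accepts a certificate for a TLS server, and the reason a code-signing certificate cannot be repurposed for HTTPS. The `2B 06 01 05 05 07 03 01` byte sequence is also a handy thing to recognise when you are reading a certificate dump by eye.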

Because SSL / TLS certificates make authenticated encryption possible, they are a crucial part of Hypertext Transfer Protocol Secure (HTTPS), which is ordinary HTTP carried over a TLS connection that encrypts all communication between the browser and the website.

  • The establishment of an HTTPS connection begins when a browser requests a secure page (a URL beginning with https://).
  • In the TLS handshake the web server replies with its certificate, which contains its public key, together with any intermediate certificates needed to chain it to a root CA.
  • The browser then checks that the certificate chains to a CA it trusts, that the current time lies within its validity period, that its Extended Key Usage permits server authentication and that the name in the certificate matches the host name in the URL.
  • If all of this holds, browser and server agree on a random symmetric session key. In the classic RSA key exchange (TLS 1.2 and earlier), the browser encrypts the session key with the server's public key and sends it; only the holder of the private key can decrypt it. Modern TLS (TLS 1.2 with ECDHE cipher suites, and all of TLS 1.3) instead derives the session key from an ephemeral Diffie-Hellman exchange, and the server proves possession of its private key by signing the handshake. In either case the server's private key never leaves the server, and the session key is never sent in the clear.
  • From then on the request URL, the HTTP headers and the requested HTML document are all encrypted with the symmetric session key, which only the two parties know.
  • The browser decrypts the response with the same symmetric key and displays it to the user.
    [Figure: ssl-handshake.png, the handshake described above]

If you want to be sure that a website is using HTTPS when you visit it, check that the address in the address bar begins with “https://” and that a padlock icon appears next to it.

Clicking the padlock shows the details of the certificate. For organization-validated (OV) and Extended Validation (EV) certificates these include the name of the organization that owns it; a domain-validated (DV) certificate, the most common kind, names only the host. Older browsers highlighted EV certificates with a green padlock or a green bar carrying the organization name; since 2019 Chrome and Firefox no longer give EV a distinct indicator, so the organization name is visible only in the certificate details.

If the certificate has expired, or fails any of the other checks described above, the web browser displays an error page or a warning. Such warnings drive visitors away from the website (and teach the ones who stay to click through warnings). To prevent this, organizations that run HTTPS websites should keep an inventory of their certificates, monitor their expiry dates and renew them well before they expire, ideally with automated renewal. Are all of your certificates up to date?
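The expiry check above, written as a small monitoring helper, as an added example that is not part of the original article. check_validity() works on the dictionary layout that the standard library's ssl.SSLSocket.getpeercert() returns, and fetch_peer_cert() performs the handshake and verification steps listed earlier (chain, validity period, host name) using the default context; it is the only piece that needs network access. The sample certificate dictionary, the host names in it and the 14-day warning threshold are constructed for the example.

```python
"""Certificate validity check in the form a monitoring job would use.
Added example, not code from the original article. check_validity() takes the dict
returned by ssl.SSLSocket.getpeercert(); only fetch_peer_cert() touches the network."""
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 14  # assumption for this example: warn when fewer than two weeks remain

def at(cert_time: str) -> float:
    """Epoch seconds for a date in the 'Mon DD HH:MM:SS YYYY GMT' form getpeercert() uses."""
    return float(ssl.cert_time_to_seconds(cert_time))

def check_validity(cert: dict, now: Optional[float] = None, warn_days: int = WARN_DAYS) -> dict:
    """Classify a peer certificate as ok / expiring / expired / not_yet_valid."""
    now = time.time() if now is None else now
    not_before, not_after = at(cert["notBefore"]), at(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if now < not_before:
        status = "not_yet_valid"
    elif now > not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    # subject is a tuple of RDNs, each a tuple of (attribute, value) pairs
    subject = {attr: value for rdn in cert.get("subject", ()) for attr, value in rdn}
    return {
        "status": status,
        "days_left": round(days_left, 1),
        "common_name": subject.get("commonName"),
        "organization": subject.get("organizationName"),  # None for a DV certificate
        "dns_names": [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"],
    }

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake with host, verifying chain and host name, and return its certificate."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system trust store
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def probe(host: str, port: int = 443) -> dict:
    """Network check: report the certificate's status, or why verification failed."""
    try:
        cert = fetch_peer_cert(host, port)
    except ssl.SSLCertVerificationError as err:
        # An expired or mis-named certificate fails here, before getpeercert() is reached.
        return {"status": "verify_failed", "reason": err.verify_message}
    return check_validity(cert)

# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Example GmbH"),),
        (("commonName", "www.example.com"),),
    ),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Jan  5 09:34:43 2024 GMT",
    "notAfter": "Apr  4 09:34:42 2024 GMT",
}

if __name__ == "__main__":
    for when in ("Dec  1 00:00:00 2023 GMT", "Feb  1 00:00:00 2024 GMT",
                 "Mar 25 00:00:00 2024 GMT", "May  1 00:00:00 2024 GMT"):
        print(when, check_validity(SAMPLE_CERT, now=at(when))["status"])
    # not_yet_valid, ok, expiring, expired
```

Note the caveat in probe(): with the default context an expired or mis-named certificate makes the handshake fail before getpeercert() can return anything, so the monitor reports the verification error rather than the certificate details. Inspecting such a certificate would require disabling verification and fetching it with getpeercert(binary_form=True), since with verification off the dictionary form comes back empty; this example deliberately does not do that.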
