SSL Certificate Tutorial & Guide

As you surf the web looking for the best web host, latest soufflé recipe, or funniest cat GIF, you’ll notice something interesting in your browser’s address bar…

In popular browsers like Google Chrome or Mozilla Firefox, you should see a padlock icon which appears in the top address bar next to the URL of the page you are viewing.

The “padlock” indicates that a site is secure. NOTE: Google recently changed the lock color from green to black with the release of Chrome 69 in September 2018.

This symbol is an indication that the current website is secured with Secure Sockets Layer protection, better known as SSL.

Seeing the padlock icon provides assurance that all communication between your device and the website will be fully encrypted, which is especially vital when transmitting passwords, credit card numbers, or other private information.

As a web designer or systems administrator, you should strive to secure all of your public-facing websites with Secure Sockets Layer protection.

Read on to learn about the history of web security certificates, how they work, and the steps needed for installing one on your own.

Secure Sockets Layer is a digital protocol that has spread broadly over the internet since its creation in 1994.

The concept was first developed at Netscape in an effort to secure data transmissions between web browsers and web servers.

The protocol was offered publicly in version 1.1 of the Netscape Navigator application. Issues discovered with the initial release of SSL forced Netscape to update the protocol and push a more secure update in late 1995.

The Internet Engineering Task Force (IETF), an independent group who works on web standards, made improvements to Netscape’s protocol and announced a new standard in January 1999.

They referred to the new protocol as Transport Layer Security, or TLS, which remains the primary standard today.

SSL is also closely related to how virtual private networks send/receive information. VPNS mostly use protocols like IPsec, L2TP or PPTP. If you want to learn more read my guide to the top Canadian VPNs.

The foundation of Secure Sockets Layer technology is the concept of a security certificate.

Every website, from international media brands to personal blogs, is responsible for generating a certificate based on the domain name in their URL.

This certificate is a very small file which contains the owner’s name and physical location. It also stores a set of two encrypted keys, one known as the public key and the other being a private key.

Security certificates are typically issued by organizations known as certificate authorities. Certain hosting providers have preexisting arrangements with certificate authorities (called “CA”); check out our reviews of the best web hosting companies to see which hosts include this.

Once the authority has validated your identity and domain name, the certificate will be issued and can then be installed on your web server.

From a user’s perspective, the encryption process begins when they navigate to a secure URL from their browser. All sites with Secure Sockets Layer protection will begin with “HTTPS” in their address.

Then the browser requests a copy of the site’s security certificate and checks that it is valid. If this is confirmed, the browser uses the certificate’s public key to start encrypting the user’s session.

From that point on, all data sent between the browser and the web server is secured. The private key is used by the server for decrypting each transmission and loading the full web request.

Accessing a website which is not encrypted with Secure Sockets Layer protection can be a major risk to your private information. ☠️💻☠️

As a web designer or systems administrator, you should strive to encrypt all of your servers prior to going live with any site or application. This will ensure your visitors and customers that their sessions are secured and that your organization is trustworthy.

When a website lacks a security certificate and uses an “HTTP” address instead of an “HTTPS” one, no padlock icon will be displayed in the browser and all data will be transmitted over a plain-text connection, which isn’t secure.

Clever hackers can intercept these messages without your knowledge and read the contents being sent back and forth. For a simple blog with generic content, this may not be a major concern.

But if you are using a website to purchase goods, store financial information, or create a personalized account, you must ensure that a secure session is always used.

If you’re worried about SSL and think it’s complicated, rest assured the hosts we recommend on this site all come a free SSL certificate, free installation, and free updates. SSL is also a great way to improve website speed.

Most Certificate Authorities charge a substantial fee for generating an initial certificate and renewing it on a regular basis.

However, a certificate authority known as Let’s Encrypt offers a security solution for individuals and small companies to setup Secure Sockets Layer technology for free. Let’s Encrypt is open and free, run by the Linux Foundation, and is used by millions of websites. So, you can rest assured that it does indeed secure your site.

As long as you have full ownership of a registered domain name, you can use Let’s Encrypt to install a valid security certificate on your website.

The Let’s Encrypt authority uses what is known as the ACME protocol (Automated Certificate Management Environment) to validate an applicant’s identity and domain name.

Your website must pass one of the ACME challenges by either updating your DNS record with a key provided by Let’s Encrypt or by uploading a .txt file to the root of your web directory.

To actually install the Let’s Encrypt certificate on your web server, a tool called Certbot is the recommended solution. Certbot works with the most popular hosting providers and platforms, including Apache and Nginx. Being open source, it can be installed on Linux-based OS’s like Ubuntu as well. 

The Certbot tool should always be run by a systems administrator with root-level access to the server hosting your website. Using Apache as an example, the following commands will download the necessary installation and setup packages for using Let’s Encrypt:

sudo apt-get update

sudo apt-get update

sudo apt-get install software-properties-common

sudo apt-get install software-properties-common

sudo add-apt-repository ppa:certbot/certbot

sudo add-apt-repository ppa:certbot/certbot

sudo apt-get update

sudo apt-get update

sudo apt-get install python-certbot-apache

sudo apt-get install python-certbot-apache

After the downloads have completed, a single command will launch the certificate generation process with Let’s Encrypt:

sudo certbot –apache

sudo certbot --apache

Your web server will now make a direct connection to the Let’s Encrypt authority. Once the ACME challenge is passed, a certificate will be issued and SSL will become enabled on your site.

Back To You

SSL certificates are one of those things that sound super secretive and “techy” when you first hear about them, but are actually quite simple once you understand how they work.

The key point is that your site must be protected with SSL if your data is to be kept private and secure.

Follow the steps outlined in this guide – or sign up for one of the hosts we recommend on Hosting Canada – and your website will properly protected.