What is an SSL Certificate?

If you’re in the process of building nearly any kind of product, you’re going to have to buy an SSL certificate for your website or your API. Even if you’re not taking credit cards or financial information, making sure that your user’s interactions with your application remain private as they cross the internet is a requirement.

HTTP vs. HTTPS

Ever noticed that when you go to your bank or credit card’s website, the url starts with httpS instead of http? The “S” on the end of the http means that all of your communication with that site is encrypted, meaning no one else can read what you’re sending. This all happens via a protocol called Secure Sockets Layer (SSL), and SSL forms the basis of the secure internet.

So What’s an SSL Certificate?

We’re all familiar with the concept of a passport. The idea behind a passport is simple: An authority with jurisdiction (in this case a government) has done the hard work to verify that you are who you say you are so that when you show up in another country that country can trust that you are who you say you are.

SSL certificates serve the same purpose for your website or application (more or less). They tell the rest of the world that your application can be trusted, and that your application is who it says it is. They also provide the mechanism for encrypting the traffic between your end users and your application, but that’s for another day.

In the case of an SSL certificate, the organization with jurisdiction is called a Certificate Authority (CA). These are companies who’ve applied for and been granted the right to essentially create trust on the internet. Pretty cool job, eh?

How Do You Request a Certificate?

When you get your site or application up and running, you go to your web server and create a Certificate Signing Request (or CSR). A CSR is the digital version of you getting all of your information together to apply for your passport. You have to provide your name, the company name, the domain that you’re requesting your certificate for, and some contact information.

Your web server takes all of that information and creates a digital request that is unreadable by humans.

How Does Your Certificate Get Issued?

You take that CSR and you go to one of the many sites that provides certificates. Ideally you request them from wherever you host your domains, but it’s not required. I personally use Namecheap for all of my domains and certificates. They’re one of the best and there’s no fluff to their product offerings. Regardless of who you buy it from, the process will be the same (more or less):

  • Upload your CSR to the site where you’re buying the certificate
  • They’ll verify the contact information that you included in the CSR through some means (typically email verification process)
  • They’ll issue you a certificate
  • You’ll take that certificate and install it on your web or application server

Through the process the CA will have verified that you own the domain for which you’re requesting a certificate, and verified that you have control of the server or servers for which you’re requesting the certificate.

You verify that it’s all working by going to https://<yourdomain.com>. If you see the little green lock in Chrome or Safari, your site or application can now accept secure, encrypted data from your users.

Just Remember

SSL certificates are like passports. They let others know that your website can be trusted because there’s a certificate that’s been issued from a known, trusted authority called a Certificate Authority.

Installing certificates on your server requires that you provide verifiable information to the CA. Once they receive the request and verify your information, they issue you a certificate to install on your web server.

Your Assignment

Walk through the entire certificate request and installation process with someone from your development team. It will cost you less than $10 and about 15-20 minutes to get through the whole thing, even if you end up not needing it, and you’ll then have shared knowledge of how the process works.