Questions
What is Secure Sockets Layer (SSL)?
What is Public Key Infrastructure (PKI)?
What is Extended Validation (EV) SSL?
What is Server-Gated Cryptography (SGC)?
What is a Certification Authority (CA)?
What is a Certificate Signing Request (CSR)?
Can I secure multiple servers with a single certificate?
How do I download the VeriSign Secured Seal for my Web site?
Can I try an SSL Certificate before purchasing?
What is the VeriSign Certificate Center?
What is the VeriSign Secured Partner Program?
Answers
What is Secure Sockets Layer (SSL)?
The Secure Sockets Layer protects data transferred over HTTP using
encryption enabled by a server’s SSL Certificate. An SSL Certificate
contains a public key and a private key. A public key is used to encrypt
information and a private key is used to decipher it. When a browser
points to a secured domain, an SSL handshake authenticates the server and
the client and establishes an encryption method and a unique session key.
They can then begin a secure session that guarantees message privacy and
message integrity.
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure is the network security
architecture of an organization. It includes software, encryption technologies,
and services that enable secure transactions on the Internet, intranets,
and extranets.
What is Extended Validation (EV) SSL?
In 2006, a group of leading SSL Certificate
Authorities (CAs) and browser vendors approved standard practices for
certificate validation and visibility called the Extended Validation
Standard (known during development as “High Assurance”). To issue an
SSL Certificate that complies with the standard, a CA must adopt the
extended certificate validation practice and pass an audit. When shoppers
visit a Web site secured with an EV SSL Certificate, new high-security
browsers will trigger the address bar to turn green and display the
name of the organization listed in the certificate as well as the Certificate
Authority. The browser and the Certificate Authority control the display,
making it difficult for phishers and counterfeiters to hijack your brand
and your customers.
What is Server-Gated Cryptography (SGC)?
U.S. government restrictions on U.S. vendors
prevented the export of “strong” cryptography several years ago. As
a result, many people purchased computers or downloaded export version
browsers supporting only 40- or 56-bit SSL encryption. Microsoft developed
"Server Gated Cryptography" ("SGC") and Netscape
developed "step-up" technology to enable 128-bit SSL encryption
with export browser versions.
SGC allows users with an export version browser
to temporarily step-up to 128-bit SSL encryption if they visit a Web
site with an SGC-enabled SSL Certificate. Without an SGC certificate
on the Web server, Web browsers and PCs that do not support 128-bit
strong encryption will receive only 40- or 56-bit encryption.
What is a Certification Authority (CA)?
When VeriSign issues an SSL Certificate, we
act as a Certificate Authority (CA). VeriSign digitally signs each certificate
we issue. Each browser contains a list of CAs to be trusted. When the
SSL handshake occurs, the browser verifies that the server certificate
was issued by a trusted CA. If the CA is not trusted, a warning will
appear. When high-security browsers recognize an Extended Validation
SSL Certificate, they display the name of the CA next to the browser
bar. VeriSign is one of the most trusted CAs on the Internet. (See VeriSign
Secured Seal Research Review.) The VeriSign Trial Root CA
is for testing purposes only and is not included in any browser’s trust
list.
What is a Certificate Signing Request (CSR)?
The CSR is a string of text generated by your
server software. You provide this string of text to VeriSign during
the enrollment process. To generate
a CSR, you will need to know what kind of server software
is running on your Web server.
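As an added example (not VeriSign's own tooling), this is CSR generation on a server that uses OpenSSL, such as Apache with mod_ssl; the subject fields and the name www.example.test are constructed placeholders. It also runs the checks worth making before the CSR text is submitted for enrollment: the request's self-signature verifies, its public key matches the key on disk, and the file carries no private key material.

```shell
#!/usr/bin/env bash
# Added example: create a key pair and CSR with OpenSSL, then inspect the CSR.
# Subject values are constructed placeholders, not taken from the page.
set -eu

CSR_DIR=$(mktemp -d)          # scratch directory; remove it when finished
KEY="$CSR_DIR/server.key"
CSR="$CSR_DIR/server.csr"
SUBJECT="/C=US/ST=California/L=Example City/O=Example Inc/CN=www.example.test"

make_csr() {
    # The private key is written locally with owner-only permissions and is
    # never sent to the CA; only the CSR file is.
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$KEY" -out "$CSR" -subj "$SUBJECT" 2>/dev/null )
}

csr_subject() {
    # The identity the CA will be asked to certify.
    openssl req -in "$CSR" -noout -subject
}

csr_signature_ok() {
    # A CSR is signed with the requester's private key (proof of possession).
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -q "verify OK"
}

csr_matches_key() {
    # The public key inside the CSR must be the one derived from our key file.
    csr_pub=$(openssl req -in "$CSR" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$KEY" -pubout | openssl sha256)
    [ "$csr_pub" = "$key_pub" ]
}

csr_has_private_key() {
    # Guard against pasting the wrong file into an enrollment form.
    grep -q "PRIVATE KEY" "$CSR"
}

make_csr
csr_subject
csr_signature_ok && echo "CSR self-signature verifies"
csr_matches_key && echo "CSR public key matches $KEY"
csr_has_private_key || echo "CSR contains no private key material"
```

The text between the `BEGIN CERTIFICATE REQUEST` and `END CERTIFICATE REQUEST` lines of `server.csr` is the string supplied during enrollment.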
Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits
customers from using a certificate on more than one physical server
or device at a time, unless the customer has purchased the Licensed
Certificate Option. When private keys are moved among servers—by disk
or by network—accountability and control decrease, and auditing becomes
more complex. By sharing certificates on multiple servers, enterprises
increase the risk of exposure and complicate tracing access to a private
key in the event of a compromise. VeriSign’s licensing policy allows
licensed certificates to be shared in the following configurations:
redundant server backups, server load balancing, and SSL accelerators.
See Licensing
VeriSign Certificates: Securing Multiple Web Server and Domain Configurations
for more information.
How do I download the VeriSign Secured Seal for my Web site?
The VeriSign Secured Seal is available for display on any Web page within
a domain secured by a VeriSign SSL Certificate. Whether you are a new or
existing customer, you can download and install the VeriSign Secured Seal
on your server. A JavaScript snippet verifies your common name and displays
the seal. When site visitors click on the seal, they receive a dynamically
generated verification page specific to your certificate. The Secured Seal
may take up to 2 hours to display the first time you install it for any
given common name.
Can I try an SSL Certificate before purchasing?
You can test SSL in a pre-production server
environment with a trial SSL Certificate free for 14 days. SGC-enabled
and Extended Validation SSL Certificates are not available in a trial
version. Learn
more about our Free SSL Trial.
What is the VeriSign Certificate Center?
VeriSign
Certificate Center is a personalized, self-service console
that makes purchasing and managing SSL Certificates fast and easy. This
complimentary service gives you the ability to administer single or
multiple certificates from a centralized location with complete and
secure access to all certificate management functions, including order
status, certificate details, renewal and revocation, and stored contact
and payment information.
What is the VeriSign Secured Partner Program?
Leading Web sites and software vendors are
partnering with VeriSign to display a VeriSign trust mark next to sites
secured by VeriSign SSL Certificates. The VeriSign Secured Partner Program
will lead to increased confidence and can be expected to enhance your
site's appeal to its visitors. Any VeriSign SSL customer can elect not
to participate in this program. By default your seal preferences are
set to give your site the best exposure to the online shoppers who seek
out your products and services. If you would like to edit your preferences,
follow these steps:
1. Log in to manage your SSL Certificates.
2. Search for your SSL Certificate.
3. Choose “Set Display Preferences”. Here you can uncheck “Include my
domain in the VeriSign Secured Partner Program”.