Get the highest-level security for your website with our affordable web security services.
SSL Certificate Security Glossary
This SSL Glossary Is A Compilation Of The Most Common Terms That Are Used In The World Of SSL128 Bit
128 Bit key is the length of a symmetric encryption key used for the encryption and decryption of data. An SSL Certificate with a key length of 128 Bit means it will have a possibility of 2128 combinations. That becomes almost impossible to hack. To use 128-bit key length, your server must be upgraded too to support 128-bit key length.
256 Bit
256 Bit encryption key is used for the encryption and decryption of data. Clearly, it can be said that this key length is more secure than a 128-bit key because it will have a possibility of 2256 combinations for someone to be able to crack that. Industry-wise, most of the certificate authorities are offering 256-bit encryption.
2048 Bit Encryption
When speaking about the 2048-bit encryption, it is common to misunderstand it as the length of the encryption key; however, it is not an encryption key, but it is the size of the SSL certificate. The previous version of it was 1024-bit which has been denounced, and only key lengths 2048-bit and above are in use today.
Asymmetric Encryption
In an Asymmetric Encryption, the encryption and decryption of the data are done using two separate keys. However, they are connected mathematically. Those are the public key (visible to all) and the private key (only the owner has access to it). RSA and ECC algorithms are the most widely used Asymmetric Encryption.
Authenticode
This technology validates whether the software uses a digital certificate issued by a certificate authority. It also confirms the publisher of the software and that it has not been altered.
Business / Organization Validation
A business or organization validation is one of the most important processes that any CA (certificate authority) performs before issuing an OV (organization validated) or EV (Extended Validated certificate). This validation basically includes the verification of the address, phone number and legal registration status of the organization for which an SSL certificate is requested. To validate these details the CA will use any government database, independent third-party online database, etc. The SSL requestor must ensure that their organization’s details are updated accurately on such platforms because their security certificate will be issued only under the verified organization details.
Certificate
It is a file signed and issued by a certificate authority, or it can also be self-signed. The file is issued to an organization or individual and it verifies that data exchange over the web browser or a device is from an intended source. The certificate details show the information about the entity that the certificate is issued for and the certificate’s specification.
CA (Certificate Authority)
A CA (Certificate Authority) is an entity in charge of issuing the digital security certificate. Before a CA can issue the certificate, they put the domain name and individual/organization details (depending on the type of certificate) under a thorough verification process fulfilling the CA/B Forum guidelines. This process induces trust in both the digital certificate owner and the dependent party (mostly the users/visitors).
CA/B Forum (Certification Authority/Browser Forum)
A voluntary body comprised of CAs (Certificate Authorities) and Web Browsers regulates the standards of SSL certificates and constantly governs any upcoming threat, and comes up with measures to safeguard the users from the same.
Chain Certificate
An SSL certificate is not an individual element. The certificate authority strings the multiple pieces together to form a certificate. This model of multiple certificates combined is called a chain certificate. A chain certificate consists of three parts: leaf certificate (server certificate), Intermediate Certificate and Root Certificate.
CRL (Certificate Revocation List)
CRL is a list of all the revoked certificates. The Certificate Authority maintains the CRL. If the private key is compromised, the certificate can get revoked, and the browsers will no longer trust the certificate. If a certificate is revoked, it will no longer protect your website and it will be exposed to online threats.
CSR (Certificate Signing Request)
CSR stands for Certificate Signing Request, which is an encoded file consisting of the information provided by the certificate requestor, such as domain name, organization, locality, etc. It is an essential requirement to request an SSL certificate typically generated from the server where the domain name is hosted. But there are online third-party tools available as well to generate a CSR.
Digital Signature
A digital signature is an electronic signature that involves the use of a mathematical algorithm to sign. The purpose of having a digital signature is that the receiver comprehends the identity of the sender of any message or any data and knows that it is not tampered with. Digital certificates digitally signed by well-known and globally trusted CA (certificate authority) gain instant trust among the user because they can rest assured that the signature is authentic, and the data exchange is intact. These digital signatures cannot be copied by anyone else, which is one of the most significant advantages of having a digital signature.
Digital Signature Algorithm (DSA)
Digital Signature Algorithm (DSA) is a process of producing Digital Signatures based on mathematical expressions and is proposed by the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). DSA is used in 4 tasks: In the generation of key, Distribution of key, Signing and Verification of Signature. DSA does not have the ability to encrypt or decrypt any information.
Digital Signature Standard (DSS)
Digital Signature Standard (DSS) is a signature algorithm used to authenticate the signatory and the data. It was launched by the National Institute of Standards and Technology (NIST). The DSS functions by using a public key, a private key, a hash function, a random number k, and a global public key.
E-commerce
E-commerce is an activity of buying and selling online services & products over the Internet. Such e-commerce websites require the highest level of security that is offered by an EV SSL certificate.
ECC (elliptical curve cryptography)
ECC is an encryption algorithm for SSL and is frequently called an alternative to RSA. It has gained popularity mainly because of its smaller key size. Also, in RSA, the private and public keys are both integers, but in ECC, the public key is a point on the curve, and the private key is an integer.
Encryption
The process of converting simple data into complex text is called Encryption. In the world of SSL, encryption is very necessary to deceive any person with ill intentions to read or steal your data. The data that is encrypted can be decrypted or deciphered using an appropriate key. With public-key encryption, anyone can encrypt data using the owner’s public key, but the private key remains with the owner that can decrypt the data.
FQDN (Fully Qualified Domain Name)
A fully qualified domain name is the exact domain name that gives its location on the DNS (Domain Name System). For example, mail.domain.com is an FQDN.
HSTS
HSTS (HTTP Strict Transport Security) is a web server directive that lets a site be contacted over HTTPS encryption. Only getting an SSL certificate cannot be enough sometimes because hackers may still find ways to reach your site over http://; That is why HSTS forces browsers and devices to use HTTPS if available even if a user type of http:// or www.
HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a protocol for secure communication over the internet. Usually, suppose a web server has an SSL certificate installed for a particular domain, then on entering https:// before that domain name. In that case, the web browser will indicate that the website is safe to visit and the data exchange on the domain will be secure and encrypted.
HTTPS Port / SSL Port
A port is a point where the connection between a browser and a webserver will be established. There are different types of ports, but generally, port 443 is used for SSL. Port 80 is usually used to support non-secure http traffic. That is why port 443 is used by most websites to establish a secure HTTPS connection.
Intermediate certificate
Intermediate certificates are the connecting certificates between a server certificate and a root certificate. There is at least one intermediate certificate; however, there can be more than one too.
MD5
MD5 (Message-Digest Algorithm) is a cryptographic hash function commonly used to verify whether a file has been altered or not. MD5 produces a checksum on both sets and then compares them to verify if the checksums are identical. However, MD5 has some flaws and is not recommended to be used with advanced encryption applications.
Microsoft Exchange Server
Microsoft Exchange Server is a mail server and calendar server, it is a product of Microsoft. Its mail server provides flexibility to send emails, calendaring, and tools customization. You can use the web application, Outlook, or your phone, it is that simple. Exchange servers have been helping around for more than 20 years and it keeps evolving over the years. Many businesses take advantage of Office 365 to streamline their mailing experience.
MITM
MiTM (Man-In-The-Middle) attack means when an impersonator places himself in between a user and an application to eavesdrop with an intention to steal information such as login credentials, credit card details, etc. The easiest way to fall prey to MiMT is using WiFi connections that are not password-protected, using unsecure websites, using public networks at cafes, hotels, etc. to conduct sensitive transactions. Avoiding any such unsecured connections will help you not to fall prey to MiMT.
Mixed Content
Mixed Content means that a page is serving both secure and insecure elements. This totally negates the idea of SSL because even though you have installed the SSL certificate on your server, the browser will throw an insecure warning because of the mixed content warning.
Multi-Domain Certificate
A multi-domain SSL certificate can be used when a user has more than one website to secure. For example, a multi-domain SSL certificate can secure both domain.com and domain.co.uk; Normally, the primary domain in a multi-domain SSL certificate is taken from the common name in the CSR (certificate signing request) and the additional domain that a user needs to secure is also known as SAN (Subject Alternative Name) which is generally asked to input during the generation of the SSL certificate order.
PEM
PEM (Privacy Enhanced Mail) file format is the most used file format for certificate requests, certificates, and keys. It can be easily viewed with any text editor such as notepad. Extensions that they normally have are .crt, .cer, .pem, .key
PFX
PFX stands for Personal Exchange Format, and it consists of the public key (SSL certificate) and its corresponding private key. It is in the format PKCS#12. Generally, the CAs (certificate authorities) issue the SSL certificate in PEM format because they do not have access to the private key. Therefore, the certificate requestor can use the PEM file (received from the CA) and the private key that they have and can create a PFX file; There are online tools available for this purpose.
PKCS
PKCS (Public Key Cryptography Standard) is a set of standards from PKCS#1 to PKCS#15. PKCS is based on an asymmetric cryptographic algorithm because it uses a public and private key. It was developed by RSA laboratories and backed by security developers around the world.
PKI
PKI (Public key infrastructure) is a crucial part of the encryption process as well as they help in the authentication of the devices that are communicating. PKI combines various elements that form technologies such as software, hardware and procedures needed to create, manage, store, distribute, and revoke digital certificates.
Private Key
In the world of SSL, a private key holds very high importance in terms of security. A private key is generated with the CSR (certificate signing request) and must be preserved as it will be needed to install the SSL certificate. It should not be shared with anyone and if the private key is compromised, the SSL certificate can be revoked by the CA (certificate authority).
Public Key
In asymmetric encryption, a public key is accessible to anyone. Any data that has been encrypted with the public will only be decrypted by the corresponding private key.
Reissue
‘Reissue’ is a term used when a user requests another security certificate despite an active certificate. The new certificate will not be a copy of the existing certificate but will have a different certificate serial number. There might be several reasons that a user might need to reissue a certificate; Most common is losing the private key and changing the server.
Root Certificate
The SSL certificates are made up of multiple certificates that the issuing CA (certificate authority) joins together, this is known as the Chain of Trust. In this ‘chain of trust’, the root certificate is at the base of the chain.
RSA (Rivest-Shamir-Adleman)
RSA encryption algorithm is an asymmetric encryption algorithm, and it uses a key pair that is linked mathematically to encrypt and decrypt data. That means if a public key encrypts the data, then the private key can encrypt it and vice versa. To ensure maximum security, the minimum key length recommended by NIST (National Institute of Science and Technology) is 2048-bits.
SHA-1
SHA-1 (Signature Hash Algorithm 1) is a Cryptographic Hash Function that has a message digest of 160 bites. SHA-1 was declared insecure in the year 2005 and major companies like Google, Mozilla, and Microsoft have stopped accepting SHA-1 SSL certificates.
SHA-2
SHA-2 (Signature Hash Algorithm 2) is a family of the hashing algorithm. SHA-2 has replaced SHA-1 as it was declared insecure by NSA & NIST. SHA-2 has a drawback: few older devices or OS might not support the SHA-2 hashing algorithm. SHA-2 has six variants, SHA-224, SHA-256, SHA-284, SHA-512, SHA-512/224 and SHA-512/256. In each of these variants, the number represents the bit values.
Shared SSL & Wildcard SSL
Many web hosting companies share a single certificate among multiple clients. A wildcard SSL certificate will fulfil such a requirement and it becomes easier for the web host to manage multiple client sites using a single certificate. A wildcard can secure multiple sub-domains; for example, a wildcard certificate for *.hosting.com will secure all its first-level sub-domains like client1.hosting.com, client2.hosting.com, client3.hosting.com, etc. A shared or wildcard SSL certificate is not only limited to web hosts; any client or company can make use of this certificate if they want to secure multiple sub-domains.
SNI
For web hosting companies, it is important to make sure that the server displays the correct SSL certificate issued for the domain name. SNI (Server Name Indication) permits a server to host multiple SSL Certificates for multiple domain names under a single IP address, which is most known as shared IP. In the process of SSL handshake, SNI will add the domain name of the server as an extension in the ‘Client Hello’ message and by this, the server will know which domain name to present while using shared IP. Therefore, the server will display the correct SSL certificate against the exact domain name.
SSL (Secure Sockets Layer)
SSL stands for Secure Sockets Layer. The SSL certificate encrypts the data that is transferred between the web browser and a web server. The SSL certificate will only function if it is correctly installed on the web server where the domain name is hosted. It is recommended to use an SSL certificate that is issued by a globally trusted CA (certificate authority) because such an SSL certificate will be compatible with all the leading web browsers like Chrome, Firefox, etc.
SSL Handshake
An SSL Handshake is a process of exchanging details to establish a connection between a client and a web server. Basically, it is a process where the client verifies the SSL certificate that is installed on the server by initiating a message with their details such as TLS version, and cipher suite and the server replies with the same details of the server. The client then uses the server's public key and sends another message which is further decrypted by the server using the private key; once this cycle is completed, the SSL handshake is established successfully.
SSL Key
An SSL key is also known as a Private Key. Most commonly, the SSL Key is stored on your server that is because when you create a CSR (certificate signing request) on your server, it will also generate a corresponding SSL Key and will be stored on the same server on which the CSR was generated. Now, when the SSL certificate is installed on the server, it will match with the private key that was created with the CSR and this proves the legitimacy of the SSL certificate. The SSL Key is an essential component in the entire SSL process and hence it should never be shared with anyone. If you lose the SSL key, you might not be able to install the SSL certificate on your server.
SSL Proxy
SSL proxy performs Secure Sockets Layer encryption (SSL) and decryption between the client and the server without anyone detecting its presence. It controls the SSL traffic in order to conduct a secure exchange of data between a client and a server.
TLS
TLS (Transport Layer Security) is a security protocol. It replaced SSL in 1999; however, because SSL was very widely popular, TLS is still referred to as SSL.
UCC SSL Certificate
UCC (Unified Communications Certificate) is a multi-domain SSL certificate that allows you to secure multiple domains and sub-domains all together in a single SSL certificate. This was specifically designed for Microsoft Exchange and Office Communications servers.
Verification / Validation
Is a process where the certificate-issuing authority puts your domain name and/or organization under a vetting process to ensure the full legitimacy of the details furnished by the certificate requestor.
Vulnerabilities
Vulnerability is a flaw that can allow cybercriminals to exploit and break into your system. The cybercriminal can run malicious code, steal your sensitive data, or even install malware in your system. Complexity, connectivity, poor password management, software bugs, etc. are a few of the many causes of vulnerability. Any flaws caused due to these would allow an attacker to target and time an attack appropriately.
Vulnerabilities Assessment
Vulnerabilities Assessment is a process to carefully review the security weakness in the system. It identifies if there are any vulnerabilities in the system, then assigns the level of severity of the vulnerability and recommends the remedy. External and Internal vulnerability scans, Environmental scans, etc., are some of the tools that can help with a vulnerability assessment. A proper vulnerability assessment can reduce the risk of your system falling to cyber threats.
WHOIS
An online system to look up the information related to a domain name. The WHOIS shows information such as the organization name, registered email of the domain, address, etc.; However, some of this information may be hidden from the public depending on the domain name owner’s choice.
X.509 Certificate
X.509 Certificate is a digital certificate based on a standard globally renowned International Telecommunication Union X.509 standard in which the format of PKI certificates is defined. These certificates are almost everywhere, and we encounter them daily while using a website, device, and mobile application. X.509 certificate standard is applied in SSL and HTTPS authentication and encryption, in code signing, document signing, client authentication, etc.