Running a website without an SSL/TLS certificate leaves it vulnerable to severe security threats, exposing all data to potential interception. Discover how crucial certificates are for encrypting communications and ensuring the utmost security with HTTPS over HTTP—read on to safeguard your online presence!

Yesterday, I was talking with a friend of mine who is a software engineer. He told me that his client’s website certificate had just expired and that he needed to renew it. He explained the renewal process to me:
- Create a new RSA key pair.
- Export the key pair.
- Import the key pair into a Certificate Authority (e.g. DigiCert, Cloudflare, Let’s Encrypt, etc.).
- Get the certificate file from the CA.
- Update the certificate file in the Java KeyStore (since it is a Java web server).
- And we’re done.
The process looks a bit tedious. Is it worth it? Can’t a website run without a certificate? What is contained in a certificate? How does the certificate guarantee website security? Let’s answer these questions.
Can a website run without a certificate?
Yes, a website can be accessed without an SSL/TLS certificate (web certificate). However, there are many security challenges (such as man-in-the-middle attacks), because the data being transferred would not be encrypted. This means that your packets of data can be read by anyone who gets access to them.
As a website owner, you would not like your website to display this to your users.

What is contained in a certificate?
There are 6 major items contained in a web certificate:
- Subject: Details about the website’s organization, such as the name, country and locality.
- Issuer: Information about the CA that issued the certificate.
- Certificate ID: A unique identifier used to manage and track the certificate. It is also issued by the CA.
- Validity: This is the date when the certificate expires. It is also determined by the CA. For example, Let’s Encrypt gives 90 days of validity. The maximum validity period for a certificate is 13 months.
- Public Key: An integral part that guarantees security. It is used to encrypt data before sending; we’ll talk more about this later.
- Signature: This verifies that the certificate has not been tampered with. It is the signature of the CA, which guarantees that the certificate truly comes from the CA stated in item 2 (Issuer).
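The fields above can be checked programmatically, so that an expiry like the one in the story is caught before users see it. The following Python is an added example, not part of the original post; it reads the subject, issuer, serial number and validity dates from the dictionary returned by the standard library's `ssl.SSLSocket.getpeercert()`. The function names, the 30-day renewal window and the `SAMPLE` certificate are assumptions constructed for illustration.

```python
import socket
import ssl
import time

RENEW_BEFORE_DAYS = 30  # assumed renewal window; tune to your own process

def _name(rdns):
    """Flatten getpeercert()'s nested subject/issuer tuples into a dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def summarize(cert, now=None):
    """Return the certificate fields discussed above plus an expiry status."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if now < not_before:
        status = "not yet valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < RENEW_BEFORE_DAYS:
        status = "renew soon"
    else:
        status = "ok"
    return {
        "subject": _name(cert["subject"]),
        "issuer": _name(cert["issuer"]),
        "serial": cert["serialNumber"],
        "days_left": days_left,
        "lifetime_days": int((not_after - not_before) // 86400),
        "status": status,
    }

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate (needs network). The chain is verified, so an
    already-expired certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE = {
    "subject": ((("countryName", "US"),), (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  5 09:34:43 2018 GMT",
    "notAfter": "Apr  5 09:34:43 2018 GMT",
}
if __name__ == "__main__":
    print(summarize(SAMPLE))  # evaluated against the current time
```

The public key and the CA signature are not part of this dictionary; the TLS library checks them during the handshake inside `fetch_cert`.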
How does the Certificate guarantee website security?
An integral part of website security is asymmetric encryption. When you access a website through the browser, your browser (the client) sends a TCP connection request to the web server, and the server responds with the certificate, which contains the public key mentioned above (or sometimes requires a connection upgrade). If the certificate is valid, the browser generates a session key (which is also asymmetric), encrypts it and sends it to the web server. This session key is then used to encrypt and decrypt the data transferred between the client and the server.
So the next time you see https:// or http://, you should know that https:// sends encrypted data while http:// doesn’t, which makes https more secure.