EmailBookmarkPrint

FAQ: SSL Basics

Questions:

What is Secure Sockets Layer (SSL)?
What is encryption and how does it protect my business and my customers?
What is authentication and why is it important to SSL?
How can I optimise my Web site for trust and security?
What is the VeriSign Trust Seal?
Do all SSL Certificates provide the same security and trust for our business?
Why do different SSL Certificates contain different information?
How do consumers view the authentication information?
Do VeriSign SSL Certificates work with all browsers?
What information does VeriSign require to verify my business identity?
What does VeriSign do to verify my right to use a domain name?
How long does verification take?
What is EV SSL?
What documentation is required for an Extended Validation authentication?
What is a Certificate Signing Request or CSR?
Can I secure multiple servers with a single certificate?
Can I try an SSL Certificate before purchasing?
How do I manage my SSL Certificates?
What is a VeriSign Certificate Centre Enterprise Account?

Answers:

What is Secure Sockets Layer (SSL)?
The Secure Sockets Layer (SSL) is a security protocol used by Web browsers and Web servers to help users protect their data during transfer. An SSL Certificate contains a public and private key pair as well as verified identification information. When a browser (or client) points to a secured domain, the server shares the public key with the client to establish an encryption method and a unique session key. The client confirms that it recognises and trusts the issuer of the SSL Certificate. This process is known as the "SSL handshake" and it can begin a secure session that protects message privacy and message integrity. Read our Beginners Guide to Digital SSL Certificates to learn more.

Back to Top

What is encryption and how does it protect my business and my customers?
Encryption is a mathematical process of coding and decoding information. Encryption ensures that information is scrambled in transit so that only the intended recipient can decode it. The number of bits (40-bit, 56-bit, 128-bit, 256-bit) tells you the size of the key. Like a longer password, a larger key has more possible combinations. In fact, 128-bit encryption is one trillion times stronger than 40-bit encryption. At current computing speeds, a hacker with the time, tools and motivation to attack would require a trillion years to break into a session with 128-bit encryption. SSL Certificates with server-gated cryptography (SGC) enable 128- or 256-bit encryption for over 99.9% of Internet users. True 128-bit SSL Certificates

Back to Top

What is authentication and why is it important to SSL?
Authentication is 3rd-party verification of a Web site's identity to establish trust. Before Web visitors share username and password, payment information or other personal data, they need to know that they can trust the Web site requesting it. A company logo or brand name is not enough. These can be faked. To protect against fraud and phishing sites, Web visitors look for proof that your business entity and Web site are legitimate. This can be provided by a VeriSign® SSL Certificate. Similar to the way a government agency verifies a birth date before issuing an identification card, an SSL provider (Certificate Authority) verifies an organisation's right to use a domain name and other required identification information. SSL Certificates are uniquely issued to a specific domain and Web server.

Back to Top

How can I optimise my Web site for trust and security?
VeriSign SSL Certificates with additional trust features offer more than encryption and authentication for your online business. We help drive traffic to your site and reduce abandoned transactions. Our premium SSL Certificate, the VeriSign Trust™ Seal, VeriSign Seal-in-Search technology, and daily Web site malware scanning work together to help assure your customers that your site is safe from search to browse to buy.

Back to Top

What is the VeriSign Trust Seal?
The VeriSign Trust Seal is a dynamic, animated graphic that displays on Web pages secured by VeriSign SSL Certificates and Web sites authenticated by VeriSign. When users click the VeriSign seal, it opens a VeriSign-generated verification page containing information about your VeriSign SSL Certificate, your organisation and the status of your malware scan. The VeriSign seal, the most recognised trust mark on the Internet, is viewed up to 250 million times a day on more than 90,000 Web sites in 160 countries and in search results on enabled browsers as well as partner shopping sites and product review pages. FAQ: VeriSign Seal

Back to Top

Do all SSL Certificates provide the same security and trust for our business?
VeriSign SSL Certificates provide more security and trust at no additional cost. Our premium SSL Certificate, the VeriSign Trust Seal, VeriSign Seal-in-Search technology, and daily Web site malware scanning work together to help assure your customers that your site is safe from search to browse to buy. Seal-in-Search displays the VeriSign Trust Seal next to your link on browsers enabled with a free plug-in as well as on partner shopping sites and product review pages. The seal differentiates your link in search and shows that malicious code has not been detected in a daily malware scan. Learn more: The VeriSign Seal

Back to Top

Why do different SSL Certificates contain different information?
Certificate Authorities use different authentication methods and levels to verify information provided by organisations. The most basic SSL Certificate only verifies domain name control, a low-level of authentication that may be used by fraudsters to make their sites appear trusted. VeriSign, the leading Certificate Authority, secures more than one million Web servers worldwide and is well known and trusted because of our rigorous authentication methods and highly reliable infrastructure. VeriSign® SSL Certificates are issued with either full business authentication or Extended Validation (EV) authentication. The VeriSign Trust Seal verification page also includes the status of your daily malware scan.

Back to Top

How do consumers view the authentication information?
When a browser connects to a server, the server sends the identification information to the browser. To view a Web site's credentials, do one of the following:

  • Click the closed padlock in a browser window
  • Click the trust mark (such as the VeriSign Trust™ Seal)
  • Look in the green address bar*

*Only SSL Certificates with EV trigger high-security Web browsers to display your organisation's name in a green address bar and show the name of the Certificate Authority that issued it. Learn more about SSL Security and Extended Validation

Back to Top

Do VeriSign SSL Certificates work with all browsers?
Most Web site users do not know which Certificate Authorities to trust so they rely on their Web browsers to help them. An SSL Certificate issued by a Certificate Authority that a Web browser does not recognise or trust will generate a security alert. As the leading Certificate Authority, VeriSign® SSL Certificates work with virtually all popular Web browsers used since 1996.

Back to Top

What information does VeriSign require to verify my business identity?
When you request an SSL Certificate, VeriSign verifies the existence of your business, the ownership of your domain name, and your employment status or authority to request the SSL Certificate. We may require official documentation proving your right to do business. These may include:

  • Articles of Incorporation
  • Certificate of Formation
  • Charter Documents
  • Business Licence
  • Doing Business As
  • Registration of Trade Name
  • Partnership Papers
  • Fictitious Name Statement
  • Vendor/Reseller/Retailer Licence
  • Retailer certificate

Our authentication and verification procedures are based on more than 15 years of practice authenticating commercial businesses. These procedures are audited annually by KPMG using Statement of Auditing Standard 70 Type II, established by the American Institute of Certified Public Accountants.


Back to Top

What does VeriSign do to verify my right to use a domain name?
VeriSign first tries to authenticate your company's management responsibility through publicly available domain name registration information. If we cannot automatically authenticate your domain name control, we require an authorisation letter from that domain's owner. This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for domains that do not belong to them.

Back to Top

How long does verification take?
Authentication for new certificates could take as little as one hour or up to several days, depending on the verification information you provide and whether or not your certificates are pre-approved.

  • If your organisation is the legal holder of the domain, you can expect to receive your certificate within one hour of your request.
  • VeriSign® Trust Centre Enterprise Account stores pre-approved domain, organisational and contact information. When you submit a certificate request that contains the authenticated information, VeriSign instantly issue your certificate. See SSL for the Enterprise.
  • Processing times for EV SSL Certificates may take longer due to additional verification requirements mandated by the Extended Validation (EV) SSL Guidelines. FAQ: Extended Validation SSL

Back to Top

What is EV SSL?
In 2006, the CA/Browser Forum, a group of leading SSL Certificate Authorities (CAs) and browser vendors, approved Extended Validation (EV) SSL Guidelines, standard practices for certificate validation. To issue an EV SSL Certificate, a CA must adopt the EV practices and pass an audit. Browsers were enhanced to make it easy for Web site visitors to recognise the higher standard of EV SSL. A site secured by an SSL Certificate with EV triggers high-security Web browsers to display the organisation's name in a green address bar and show the name of the Certificate Authority that issued it. The browser and the Certificate Authority control the display, making it difficult for phishers and counterfeiters to hijack your brand and your customers. Learn more: Extended Validation and SSL Security

Back to Top

What documentation is required for an Extended Validation authentication?
In addition to the requirements described above, a legal opinion letter may be required to confirm that the requester has the authority to obtain SSL Certificate(s) on behalf of the company. The legal opinion letter also may be used to confirm the organisation registration, organisation address, telephone number, domain ownership and the organisation’s business status. The physical address may, alternatively, be confirmed by a physical site visit. Once confirmed, the requester may be able to purchase additional SSL Certificates based on the original letter. If a legal opinion letter cannot be obtained, our Certification Practice Statement outlines alternative authentication and verification processes.

Back to Top

What is a Certificate Signing Request or CSR?
The CSR is a string of text generated by your server software. You provide this string of text to VeriSign during the enrolment process to enable VeriSign to issue an SSL Certificate unique to your Web server. You will need to know what kind of server software is running on your Web server to generate a CSR.

Back to Top

Can I secure multiple servers with a single certificate?
Sharing certificates on multiple servers increases risk of exposure. Auditing becomes more complex, reducing accountability and control. If a private key becomes compromised, it can be difficult to trace and all servers sharing that certificate are at risk. Because sharing certificates degrades security, the VeriSign certificate subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased additional server licences. VeriSign's licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See About SSL Certificate Licensing.

Back to Top

Can I try an SSL Certificate before purchasing?
You can test SSL in a pre-production server environment with a trial SSL Test Certificate free for 14 days. SGC-enabled and Extended Validation SSL Certificates are not available in a trial version. Learn more about our Free SSL Trial.

Back to Top

How do I manage my SSL Certificates?
When you buy or renew an SSL Certificate, an account is automatically created for you in the VeriSign Trust Centre ,a Web-based, self-service console with complete and secure access to manage all your SSL Certificates. With a single sign-in, you can renew and manage any number of VeriSign® SSL Certificates, update your payment and account settings, access a backup SSL Certificate, or manage the additional trust services that come with your VeriSign SSL Certificate.

Back to Top

What is a VeriSign Trust Centre Enterprise Account?
A VeriSign Trust Centre Enterprise Account is for customers who purchase 10 or more SSL Certificates per year. These account holders benefit from volume discounts and instant issuance for pre-approved domains and organisational and contact information. VeriSign® Trust Centre Enterprise Accounts also provide robust reporting and audit capabilities for managing your full portfolio of certificates. Learn more about VeriSign Trust Centre Enterprise Account.

Back to Top

Need More Info?
Call +800 8373 7346 Submit an enquiry online
  • VeriSign Trust Centre

  • Sign in to VeriSign Trust Centre

Quote

We ran A/B split tests to gauge the impact of the VeriSign Secured Seal's return to our site, and found that it accounted for 31% more sales. Case study.


Fabrizio Ferrari,
President,
Virtual Sheet Music

Learn more about the VeriSign Secured® Seal