Technology‎ > ‎

CA SSL is Security

Understanding Digital Certificates & Secure Sockets Layer (SSL)

Digital Certificates & Secure Sockets Layer (SSL)

Secure Sockets Layer (SSL) digital certificates are electronic files that are used to identify people and resources over networks such as the Internet. Digital certificates also enable secure, confidential communication between two parties using encryption.

Certificates are issued by a Certification Authority (CA). Much like the role of a passport office, the CA validates the certificate holder's identity and "signs" the certificate so that it cannot be tampered with or altered.

What is SSL?

SSL technology is a security protocol that is today's de-facto standard for securing communications and transactions across the Internet. SSL has been implemented in all major browsers and Web servers, and plays a major role in today's online commerce, retail shopping, banking and more.

The SSL protocol uses digital certificates to create a secure, confidential communications "pipe" between two entities. Data transmitted over an SSL connection cannot be tampered with or forged without the two parties becoming immediately aware of the tampering.

What are SSL Certificates?

An SSL Web server certificate authenticates the identity of a website to browser users and enables encrypted communications using SSL. When a browser user wants to send confidential information to a Web server, the browser will access the server's digital certificate and obtain its public key to encrypt the data.

Since the Web server is the only party with access to its private key, only the server can decrypt the information. This is how the information remains confidential and tamper-proof while in transit across the Internet.

The Green Standard

Build confidence. Increase Trust. Extended Validation is the new Web standard.

Provide customers the highest level of assurance for Web security possible. CA Extended Validation (EV) Multi-Domain SSL Certificates take advantage of the added visual cues in the newest browsers, such as turning the address bar green in Microsoft® Internet Explorer® (7.0 or newer), Mozilla Firefox (3.0 and newer), Apple Safari, Opera and Google Chrome.

Why EV?

EV SSL certificates have the highest impact on consumers, reassuring them that the site they are visiting is legitimate through visual cues in un-modifiable parts of the browser interface "chrome." For example, today's up-to-date Web browsers display the corporate name with a green background for sites protected by an EV SSL certificate.

These prominent UI changes are now widely accepted and expected by consumers, providing organizations with a proven tool to demonstrate to customers that they take security and privacy seriously.

Migrating to EV is Easy

Already an CA SSL customer? It's easy to upgrade to CA EV Multi-Domain SSL certificates today - and with minimal changes to your existing procedures. Customers using large numbers of EV SSL certificates should consider enrolling in the CA Certificate Management Service to benefit from streamlined validation and the flexibility of the subscription-based approach to certificates.

Validating Your SSL Investment

OV vs DV

The importance of organization validation (OV).

SSL certificate providers employ different methods for verifying the identities of the organization or individual purchasing SSL certificates. Unfortunately, not all validation processes meet the same standards. And it's important to understand the difference.

Certificates verified using organization validation (OV) or extended validation (EV) practices contain the verified name of the entity that controls the website. Certification authorities (CA) issuing these certificates check with third parties to establish the official name of the organization and where they are located.

Importantly, the CA takes further steps to contact the requesting organization to confirm that they did, indeed, request the certificate and that the requester is authorized to receive the certificate on behalf of the organization. When visiting a website using an OV or an EV certificate, the end-user can use the certificate to verify that they are sending their transaction data to the intended recipient.

The DV dilemma?

In contrast, domain-validated certificates are typically verified and issued through automated processes. Human intervention is minimized and organization checks are eliminated — a tactic that supports issuing certificates in a quick, cheap manner.

And as you might guess, a DV certificate contains no identifying information in the organization name field. Typically, this value just re-states the domain name or simply says "Persona Not Validated." In other words, although the certificate supports transaction encryption, the end-user cannot trust the certificate to confirm who is on the other end. So the transaction is encrypted for whom?

At CA, 100 percent of CA SSL certificates provide organization identity. All of CA SSL certificates are intended to provide security, accountability and trust.

Safe Use of Wildcard Certificates

Wildcard Certificates

Wildcard certificates offer great flexibility to system administrators to minimize management by offering an unconstrained number of sub-domains within one certificate (e.g., * could represent,,, etc.).


Wildcard certificates also pose substantial risks. Wildcards certificates can be used with the appearance of legitimacy with either a fictitious or a fraudulent sub-domain name. In addition, a single wildcard certificate and its corresponding private key could be used on multiple servers. In fact, it is the ease of management that makes it a more common, though ill-advised practice.

Ultimately, a wildcard certificate bypasses controls for those subscribers who rely on the certificate approval procedure to control the authorization of new servers and new domains.


Wildcard certificates are subject to the following attack:
Impersonation Attack: luring a victim to a fraudulent resource in the certified domain through phishing.

Properly managed wildcard SSL certificates can provide increased flexibility for system administrators, but they come with increased risk. CA recommends using proper safeguards when deploying Wildcard certificates.

Elliptic Curve Cryptography

The Future of Cryptography

CA provides today's innovative organizations the opportunity to deploy hybrid elliptic curve cryptography (ECC) digital certificates or test their applications and services with the advanced ECC standard.

To help promote the deployment and use of ECC-based certificates, CA provides complimentary ECC demo certificates and identities. For organizations ready to improve the performance and strength of their digital certificates, CA offers ECC Hybrid SSL Certificates signed by CA's publicly trusted RSA 2048-bit root.

CA Hybrid SSL Certificates

CA enables organizations to leverage advanced ECC standards to improve the strength and performance of digital certificates today. An option on all CA SSL certificates, CA Hybrid SSL Certificates are ideal for scenarios where server-load performance is critical, and site visitors and the Web/app server are known to be compatible with ECC keys.

Hybrid certificates benefit from the performance of an ECC key combined with the global trust of CA's pre-existing RSA 2048-bit root.

While widespread use of elliptic curve cryptography (ECC) digital certificates is still on the horizon, CA offers a proven method for enjoying many of the benefits of ECC certificates today. CA Hybrid SSL Certificates contain ECC keys signed via CA's globally trusted RSA 2048-bit root.

What is ECC? In short, ECC is a family of public-key algorithms that can provide shorter key lengths and, depending upon the operating platform and the applications for which they are used, may provide improved performance over systems based on integer factorization and discrete logarithms. ECC certificates are compatible with the full suite of CA Authority solutions.

Review the table below to understand the relationship and use of traditional SSL certificates, ECC hybrid SSL certificates and true full-path ECC SSL certificates.

Advanced Cryptography

CA SSL Certificates, Powered by SHA-2 Security

Developed by the National Institute of Standards and Technology (NIST), SHA-2 represents the most current set of cryptographic hash functions. At a micro level, SHA-2 is based on a set of four hash functions — 224, 256, 384 or 512 bits — which strengthens the original SHA-1 hash function released in 1995 by the NIST.

To provide more compatibility, CA Certificate Services customers have the choice to sign any CA digital certificate with SHA-1 or SHA-2. And best of all, the option to use this advanced level of cryptography, based on the SHA256 implementation, is offered to CA customers at no extra cost.

In fact, the SHA-2 standard may be used with any of CA's digital certificates, including EV Multi-Domain SSL Certificates, Advantage SSL Certificates, Standard SSL Certificates, UC Multi-Domain SSL Certificates and Wildcard SSL Certificates. SHA-2 is even available with CA's signing and user digital certificates, including Adobe CDS, Secure Email and Code Signing.

Though most organizations won't experience any compatibility difficulties, some older systems — such as those running Microsoft Windows XP SP2 (or older) or outdated Web browsers — are unable to support SHA-2 encryption. In these situations, administrators will need to either use SHA-1 certificates or upgrade these systems to SHA-2-supported configurations.

What is SHA?

SHA, or Secure Hash Algorithm, is one of the foundation algorithms used in public key cryptography. First published in 1993, SHA encryption is organized in a series that continue to evolve but not necessarily built upon its predecessor. To date, the hash algorithms were released as SHA-0 (1993), SHA-1 (1995) and SHA-2 (2001). The next version, SHA-3, is under development and yet to be released.

What's Next for SHA?

While organizations are currently standardizing on SHA-2, cryptographers have been building the foundation of SHA-3 since 2008. Though a SHA-3 release date has not been announced, theNIST is sponsoring an open competition to develop the next hash algorithm.

Only five SHA-3 hash entries advanced to the third and final round. Scheduled for early 2012, a final candidate conference will take place to discuss community feedback and findings. The next SHA-3 cryptographic hash algorithm is expected to be announced in late 2012.