Category: Technology

What is SSL?

SSL stands for Secure Sockets Layer. It is a cryptographic protocol that uses a digital certificate to enable encrypted communication between a browser and a web server.

Are SSL and TLS the same?

TLS (Transport Layer Security) is also a cryptographic protocol and the successor of SSL, but it differs slightly in the way it exchanges encrypted data between the browser and the website.

Why is it important for a website?

It protects your website by encrypting all sensitive information (such as passwords, credit card numbers and customer addresses) while it is transferred between the browser and the web server.

Does a website work without SSL?

Yes, it works, but it will be vulnerable to hackers.

How does Google Search treat a website without SSL?

Google will warn that the website is not secure, and its search algorithm gives priority to websites with SSL.

What is a Certificate Authority (CA)?

CAs are trusted entities that manage and issue the security certificates and public keys used for encrypted communication between a browser and a website.

What are the different types of SSL certificate?

There are 3 types of SSL certificate:

Domain validated (DV): This certificate verifies only who owns the site, by sending an email to the website’s registered email address in order to verify its identity. No information about the company is required. It is the lowest level of trust, and the CA can complete it in a few minutes to hours.

Organizationally validated (OV): For this certificate, the CA validates the company information, its physical location, and its website’s domain name. The CA takes one or two days to validate the collected information and provide the SSL certificate.

Extended validation (EV): For this certificate, the CA performs extended validation by obtaining the corporate documents and the applicant's identity. This certificate is a must-have for websites that handle sensitive information.

Can you name a few popular CAs that provide SSL certificates?

Comodo
GoDaddy
AWS
GlobalSign
DigiCert

What types of files does a CA provide when you buy an SSL certificate?

.crt, .pem and .pfx are the certificate file types provided by the CA; they contain the private key and the signed certificate.

How do you implement SSL for a website after buying the SSL certificate files?

Model 1: Place the received certificate files in your website and reference them from the application (Ex: Node JS)

Model 2: Apply the certificates to the web server/application server (Ex: IIS)

Model 3: Don't keep the SSL certificate files physically in your website; instead use the certificate as a microservice (Ex: AWS Certificate Manager)

Model 3 is strongly recommended, because it avoids misuse of the certificate files and decouples the SSL implementation from website development.

Can you show me an example of Model 3 (SSL implementation using AWS Certificate Manager)?

The following solution design explains it.

This solution uses the following AWS services:

1) EC2 instance => to run 2 'hello world' websites created using NodeJS & Python on ports 4001 & 4002

2) Route 53 =>
   2.1) to purchase a domain (testdomain.com)
   2.2) to map the domain (testdomain.com) to the load balancer

3) Certificate Manager => to buy an SSL certificate for our websites

4) Load balancer =>
   4.1) to apply the SSL certificate (offloading this non-functional requirement to the load balancer instead of handling it in the website)
   4.2) to act as the gateway for the 2 websites
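
What the NodeJS site on port 4001 can look like once the load balancer handles SSL, as an added example that is not part of the original page: the process serves plain HTTP, reads no certificate files, and decides what to do from the X-Forwarded-Proto header added by the load balancer. The /health path, the `serve` argument and the function names are assumptions made for this example.

```javascript
// Added example (not from the original page): the NodeJS site behind the load balancer.
// Assumptions: the load balancer sets X-Forwarded-Proto, the security group admits only
// load-balancer traffic to port 4001, and /health is a hypothetical health-check path.
const PORT = 4001;                       // NodeJS site port used on the page
const CANONICAL_HOST = "testdomain.com"; // domain used on the page
const HSTS = "max-age=31536000";         // one year, in seconds

// Pure decision function: request headers and URL in, response description out.
function decide(headers, url) {
  // The load balancer reports the scheme the client used; anything else is rejected.
  const proto = String(headers["x-forwarded-proto"] || "").trim().toLowerCase();
  const path = typeof url === "string" && url.startsWith("/") ? url : "/";

  if (path === "/health") {
    // Health checks may arrive without the forwarded header; answer them plainly.
    return { status: 200, headers: { "Content-Type": "text/plain" }, body: "ok\n" };
  }
  if (proto === "https") {
    return {
      status: 200,
      headers: { "Content-Type": "text/plain", "Strict-Transport-Security": HSTS },
      body: "hello world\n",
    };
  }
  if (proto === "http") {
    // Client reached the load balancer over plain HTTP: redirect to HTTPS on a
    // fixed host name rather than echoing the client-supplied Host header.
    return { status: 301, headers: { Location: `https://${CANONICAL_HOST}${path}` }, body: "" };
  }
  // No usable forwarded scheme: the request bypassed the load balancer. Refuse it.
  return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad request\n" };
}

// Plain-HTTP listener; no certificate or private key is read by this process.
function start(port = PORT) {
  const http = require("http"); // loaded lazily so decide() can be used without a socket
  return http
    .createServer((req, res) => {
      const r = decide(req.headers, req.url);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    })
    .listen(port);
}

// Run with `node app.js serve` to listen; without the argument nothing is started.
if (process.argv[2] === "serve") start();
```

The header check is only meaningful while the instance cannot be reached directly, because a client that connects straight to port 4001 can set X-Forwarded-Proto itself.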