FAQ. SSL Certificates
What is Secure Sockets Layer (SSL)?
The Secure Sockets Layer protects data transferred over http using encryption enabled by a servers SSL Certificate. An SSL Certificate contains a public key and a private key. A public key is used to encrypt information and a private key is used to decipher it. When a browser points to a secured domain, an SSL handshake authenticates the server and the client and establishes an encryption method and a unique session key. They can begin a secure session that guarantees message privacy and message integrity.
What is Public Key Infrastructure (PKI)?
Public Key Infrastructure is the network security architecture of an organization. It includes software, encryption technologies, and services the enable secure transactions on the Internet, intranets, and extranets.
What is Extended Validation (EV) SSL?
In 2006, a group of leading SSL Certificate Authorities (CAs) and browser vendors approved standard practices for certificate validation and visibility called the Extended Validation Standard (known during development as High Assurance). To issue an SSL Certificate that complies with the standard, a CA must adopt the extended certificate validation practice and pass an audit. When shoppers visit a Web site secured with an EV SSL Certificate, new high-security browsers will trigger the address bar to turn green and display the name of the organization listed in the certificate as well as the Certificate Authority. The browser and the Certificate Authority control the display, making it difficult for phishers and counterfeiters to hijack your brand and your customers.
What is Server-Gated Cryptography (SGC)?
U.S. government restrictions on U.S. vendors prevented the export of strong cryptography several years ago. As a result, many people purchased computers or downloaded export version browsers supporting only 40- or 56-bit SSL encryption. Microsoft developed "Server Gated Cryptography" ("SGC") and Netscape developed "step-up" technology to enable 128-bit SSL encryption with export browser versions.
SGC allows users with an export version browser to temporarily step-up to 128-bit SSL encryption if they visit a Web site with an SGC-enabled SSL Certificate. Without an SGC certificate on the Web server, Web browsers and PCs that do not support 128-bit strong encryption will receive only 40- or 56-bit encryption.
What is a Certification Authority (CA)?
When VeriSign issues an SSL Certificate, we act as a Certificate Authority (CA). VeriSign digitally signs each certificate we issue. Each browser contains a list of CAs to be trusted. When the SSL handshake occurs, the browser verifies that the server certificate was issued by a trusted CA. If the CA is not trusted, a warning will appear. When high-security browsers recognize an Extended Validation SSL Certificate, they display the name of the CA next to the browser bar. VeriSign is one of the most trusted CAs on the Internet. (See VeriSign Secured Seal Research Review.) The VeriSign Trial Root CA is for testing purposes only and is not included in any browsers trust list.
What is a Certificate Signing Request (CSR)?
The CSR is a string of text generated by your server software. You provide this string of text to VeriSign during the enrollment process. To generate a CSR, you will need to know what kind of server software is running on your Web server.
Can I secure multiple servers with a single certificate?
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among serversby disk or by networkaccountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSigns licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information.
How do I download the VeriSign Secured Seal for my Web site?
The VeriSign Secured Seal is available for display on any Web page within a domain secured by a VeriSign SSL Certificate. Whether you are a new or existing customer, you can download and install the VeriSign Secured Seal on your server. A JavaScript verifies your common name and displays the seal. When site visitors click on the seal, they receive a dynamically generated verification page specific to your certificate. The Secured Seal may take up to 2 hours to display the first time you install it for any given common name.
Can I try an SSL Certificate before purchasing?
You can test SSL in a pre-production server environment with a trial SSL Certificate free for 14 days. SGC-enabled and Extended Validation SSL Certificates are not available in a trial version. Learn more about our Free SSL Trial.
What is the VeriSign Certificate Center?
VeriSign Certificate Center is a personalized, self-service console that makes purchasing and managing SSL Certificates fast and easy. This complimentary service gives you the ability to administer single or multiple certificates from a centralized location with complete and secure access to all certificate management functions, including order status, certificate details, renewal and revocation, and stored contact and payment information.
What is the VeriSign Secured Partner Program?
Leading Web sites and software vendors are partnering with VeriSign to display a VeriSign trust mark next to sites secured by VeriSign SSL Certificates. The VeriSign Secured Partner Program will lead to increased confidence and can be expected to enhance your site's appeal to its visitors. Any VeriSign SSL customer can elect not to participate in this program. By default your seal preferences are set to give your site the best exposure to the online shoppers who seek out your products and services. If you would like to edit your preferences follow these steps:
- Login to manage your SSL Certificates.
- Search for your SSL Certificate.
- Choose Set Display Preferences. Here you can uncheck Include my domain in the VeriSign Secured Partner Program.
Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?
Absolutely. When an SSL handshake occurs between a client and server, a level of encryption is determined by the browser, the client computer operating system, and the SSL Certificate. Low-level encryption, 40 or 56 bits, is acceptable for sites with low-value information. However, a hacker with the time, tools, and motivation can crack the code in a matter of minutes.
High-level encryption, at 128 bits, can calculate 288 times as many combinations as 40-bit encryption. Thats over a trillion times a trillion times stronger. That same hacker with the same tools would require a trillion years to break into a session protected by an SGC-enabled certificate.
What level of encryption do I need for my Web site?
Best security practices are to install a unique certificate on each server and choose true-128-bit or better encryption by purchasing an SGC-enabled SSL Certificate. A unique certificate keeps your private keys protected, and an SGC-enabled certificate ensures that every site visitor, no matter what browser or operating system they use, connects at the highest level of encryption their system is capable of. The level of protection needed should be based on the value of your information and the perception of your customers. You need 128-bit or better encryption if you process payments, share confidential data, or collect personally identifiable information such as social security or tax ID number, mailing address, or date of birth. You need 128-bit or better encryption if your customers are concerned about the privacy of the data they send to you.
A lot of companies advertise 128-bit certificates, but they dont have SGC. What is the difference between VeriSigns SSL Certificates and those of other providers?
Non-SGC SSL Certificates provide a minimum of 40-bit and up to 256-bit SSL encryption. Site visitors using certain older browsers and many Windows 2000 systems using Internet Explorer will only receive 40- or 56-bit encryption unless theyre connecting to an SGC-enabled SSL Certificate. VeriSign is the leading SSL provider of SGC-enabled SSL Certificates, enabling 128- or 256-bit encryption for over 99.9% of Internet users. (SGC: Strongest SSL Encryption.)
What do I need to know about Windows 2000 and 128-bit encryption?
Many Windows 2000 systems using Internet Explorer will fail to step up to 128 bits unless they connect to an SGC-enabled certificate, even if theyre using the most current version of Internet Explorer. VeriSign is the leading SSL provider of SGC-enabled SSL Certificates, enabling 128- or 256-bit encryption for over 99.9% of Internet users. (SGC: Strongest SSL Encryption.)
Do VeriSigns SSL Certificates work with all browsers?
VeriSign's SSL Certificates work with virtually every Web browser that ever shipped and all popular Web browsers used since 1996. VeriSign SSL Certificates offer the highest browser compatibility achieved by any SSL Certificate. However, many browsers will not be able to connect at 128-bit encryption unless there is an SGC-enabled certificate on the server. Many millions of Internet users worldwide still use these browsers. (SGC: Strongest SSL Encryption.) Certain Internet Explorer browser versions from 3.02 to 5.23 and Netscape browser versions from 4.02 to 4.72 will fail to use 128-bit encryption unless connecting to SGC-enabled certificates. Internet Explorer versions prior to 3.02 and Netscape versions prior to 4.02 are not capable of 128-bit encryption with any SSL Certificate.
Which VeriSign SSL Certificates are capable of 128-bit encryption?
All VeriSign SSL Certificates are capable of 128-bit SSL encryption as long as users have the right browser and operating system.
Millions of Internet users worldwide use browsers that will not connect at 128-bit encryption unless there is an SGC-enabled certificate on the server. Other SSL providers claim to offer 128-bit certificates, but they do not offer 128-bit SSL encryption to the most possible site visitors. VeriSign (including its subsidiaries, affiliates, and resellers) is the leading SSL provider to offer SGC-enabled SSL Certificates, which provide 128- or 256-bit encryption to over 99.9% of Web site visitors. (SGC: Strongest SSL Encryption.)
Which VeriSign SSL Certificates are capable of 256-bit encryption?
All VeriSign SSL Certificates offer 256-bit encryption if the browser and server software both support SSL encryption at this level. Some browsers (such as Mozilla Firefox) and servers are capable of 256-bit SSL encryption. When 256-bit-capable browsers and servers connect to each other, all VeriSign SSL Certificates enable a 256-bit session. A number of leaders in the e-commerce space use VeriSign SSL Certificates to enable 256-bit SSL sessions today.
Which VeriSign SSL Certificates trigger the green address bar in high-security browsers?
To trigger the green address bar, an SSL Certificate must meet the Extended Validation Standard. VeriSign offers several EV SSL Certificates:
Secure Site with EV: True 128-bit SSL with Extended Validation
Secure Site Pro with EV: True 128-bit SSL with Extended Validation
Managed PKI for SSL Premium EV: True 128-bit SSL with Extended Validation
Managed PKI for SSL Standard EV: Standard encryption with Extended Validation
Which VeriSign services are available to companies located outside the U.S.?
VeriSign SSL Certificates are available for purchase worldwide. If your business or servers are located outside the United States, you can purchase our certificates from a VeriSign affiliate in your country, purchase Secure Site or Secure Site Pro SSL Certificates online directly from VeriSign, or contact our sales department for Managed PKI for SSL services.
Can I share SSL Certificates on multiple servers with the same domain name?
The VeriSign subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. VeriSigns licensing policy allows licensed certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations for more information. |
SSL сертификаты VeriSign GeoTrust Thawte Comodo GlobalSign TrustWave 