FAQ: SSL Basics

Questions:

What is Secure Sockets Layer (SSL)?
What encryption strength do I need for my Web site?
What is Server-Gated Cryptography (SGC)?
Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?
Do VeriSign SSL Certificates work with all browsers?
Why is it important for VeriSign to verify my business identity during enrolment?
What will I need to provide in order for VeriSign to verify my business identity?
What type of documentation does VeriSign require for Extended Validation SSL Certificates?
How long does verification take?
What is Extended Validation (EV) SSL?
What is a High-Security Browser?
What is a Certification Authority (CA)?
What is a Certificate Signing Request (CSR)?
Can I secure multiple servers with a single certificate?
Can I try an SSL Certificate before purchasing?
How do I obtain a VeriSign Certificate Centre Sign In?
What is a VeriSign Certificate Centre Enterprise Account?
What is a unit?
What is the VeriSign Secured Partner Program?

Answers:

What is Secure Sockets Layer (SSL)?
The Secure Sockets Layer protects data transferred over http using encryption enabled by a server's SSL Certificate. An SSL Certificate contains a public key and a private key. A public key is used to encrypt information and a private key is used to decipher it. When a browser points to a secured domain, an SSL handshake authenticates the server and the client and establishes an encryption method and a unique session key. They can begin a secure session that protects message privacy and message integrity.

Back to Top

What encryption strength do I need for my Web site?
Best security practices are to install a unique certificate on each server and choose a True 128-bit Certificate by purchasing a Server Gated Cryptography (SGC)-enabled SSL Certificate. A unique certificate keeps your private keys protected, and an SGC-enabled certificate ensures that every site visitor, no matter what browser or operating system they use, connects at the highest level of encryption their system is capable of. You need 128-bit or better encryption if you process payments, share confidential data, or collect personally identifiable information such as social security or tax ID number, mailing address, or date of birth. You need 128-bit or better encryption if your customers are concerned about the privacy of the data they send to you.

Back to Top

What is Server Gated Cryptography (SGC)?
Prior to January 2000, U.S. government restrictions on U.S. vendors prevented the export of "strong" cryptography. As a result, many people purchased computers with operating systems and/or used export version browsers that supported only 40- or 56-bit SSL encryption. "Server Gated Cryptography" ("SGC") was developed to enable those restricted computers and export version browsers to "step up" to 128-bit SSL encryption. Without an SGC certificate on the Web server, Web browsers and operating systems that do not support 128-bit strong encryption will receive only 40- or 56-bit encryption. Users with the following browser versions and operating systems will temporarily step-up to 128-bit SSL encryption if they visit a Web site with an SGC-enabled SSL Certificate

  • Internet Explorer export browser versions from 3.02 but before version 5.5 * Netscape export browser versions after 4.02 and up through 4.72
  • Windows 2000 systems shipped prior to March 2001 that have not downloaded Microsoft's High Encryption Pack or Service Pack 2 and that use Internet Explorer (Internet Explorer browser versions prior to 3.02 and Netscape browser versions prior to 4.02 are not capable of 128-bit encryption with any SSL Certificate.)

Back to Top

Is 128-bit SSL encryption really stronger than 40-bit SSL encryption?
Absolutely. When an SSL handshake occurs between a client and server, a level of encryption is determined by the browser, the client computer operating system and, in certain situations, the SSL Certificate. Low-level encryption, 40- or 56-bits, is acceptable for sites with low-value information. However, a hacker with the time, tools, and motivation can crack the code in a matter of minutes. High-level encryption, at 128-bits, can calculate 288 times as many combinations as 40-bit encryption. That's over a trillion times a trillion times stronger. That same hacker with the same tools would require a trillion years to break into a session protected by an SGC-enabled certificate.

Back to Top

Do VeriSign SSL Certificates work with all browsers?
VeriSign® SSL Certificates work with virtually every Web browser that ever shipped and all popular Web browsers used since 1996. VeriSign SSL Certificates offer the highest browser compatibility achieved by any SSL Certificate.

Back to Top

Why is it important for VeriSign to verify my business identity during enrolment?
To protect against fraud and phishing sites, Web visitors look for evidence of encryption and third-party authentication of the Web site's business identity. When you request an SSL Certificate or a Managed PKI for SSL account or pre-approve your organisation from within your VeriSign Certificate Centre Enterprise Account, VeriSign verifies the existence of your business, the ownership of your domain name, and your employment status. We may require official government documentation proving your right to do business. We use the verified information to display in the address bar of high security browsers protected by Extended Validation SSL and in our VeriSign Secured Seal pop-up window.

Our authentication and verification procedures are based on years of practice authenticating commercial businesses. VeriSign is a leading Certificate Authority, securing more than one million Web servers.

Back to Top

What will I need to provide in order for VeriSign to verify my business identity?
VeriSign must verify the existence of your business, the ownership of your domain name and your employment status or authority to request the SSL Certificate. We may require official government documentation proving your right to do business. These may include:

  • Articles of Incorporation
  • Certificate of Formation
  • Charter Documents
  • Business License
  • Doing Business As
  • Registration of Trade Name
  • Partnership Papers
  • Fictitious Name Statement
  • Vendor/Reseller/Merchant License
  • Merchant certificate

If we cannot automatically authenticate your company's management responsibility for the domain name that is associated with the SSL Certificate, we will require an authorisation letter from that domain's owner. This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for inappropriate domains.

Back to Top

What type of documentation does VeriSign require for Extended Validation SSL Certificates?
If we cannot automatically authenticate your company's management responsibility for the domain name that is associated with the SSL Certificate, we will require an authorisation letter from that domain's owner. This step prevents applicants from fraudulently or accidentally obtaining SSL Certificates for inappropriate domains.

In addition to the requirements described above, a legal opinion letter may be required to confirm that the requestor has the authority to obtain SSL Certificate(s) on behalf of the company. The legal opinion letter also may be used to confirm the organisation registration, organisation address, telephone number, domain ownership, and the organisation's business status. The physical address may, alternatively, be confirmed by a physical site visit. Once confirmed, the requestor may be able to purchase additional SSL Certificates based on the original letter. If a legal opinion letter cannot be obtained, our Certification Practice Statement outlines alternate authentication and verification processes.

Back to Top

How long does verification take?
Authentication for new certificates could take as little as one hour or up to several days, depending on the verification information you provide and whether or not your certificates are pre-approved. VeriSign can authenticate your organisational and contact information and store the information's pre-approved status for future certificate requests when you purchase units using a VeriSign Certificate Centre Enterprise Account. When you submit a certificate request that contains the authenticated information, VeriSign needs only to verify the domain. If your organisation is the legal holder of the domain, you can expect to receive your certificate within one hour of your request. Processing times for Extended Validation SSL Certificates may take longer due to additional verification requirements mandated by the Extended Validation (EV) SSL Guidelines.

Back to Top

What is Extended Validation (EV) SSL?
In 2006, the CA Browser Forum, a group of leading SSL Certificate Authorities (CAs) and browser vendors, approved standard practices for certificate validation and visibility called the Extended Validation (EV) SSL Guidelines. To issue an SSL Certificate that complies with the standard, a CA must adopt the extended certificate validation practices and pass an audit. When shoppers visit a Web site secured with an EV SSL Certificate, high-security browsers will trigger the address bar to turn green and display the name of the organisation listed in the certificate as well as the Certificate Authority. The browser and the Certificate Authority control the display, making it difficult for phishers and counterfeiters to hijack your brand and your customers.

Back to Top

What is a high-security browser?
Web browsers that emerged after the development of the Extended Validation (EV) standard established by the CA/Browser forum and that were developed to recognise EV SSL Certificates are considered high-security browsers. They are designed to trigger unique visual cues to indicate the presence of an EV SSL Certificate. For instance, Internet Explorer 7 shows a green address bar and displays the name of the organisation listed in the certificate as well as the certificate's security vendor. These displays make it easier for Web site visitors to quickly establish trust with the Web sites they visit. Microsoft® Internet Explorer 7 and Firefox 3 are examples of high-security browsers.

Back to Top

What is a Certification Authority (CA)?
When VeriSign issues an SSL Certificate, we act as a Certificate Authority (CA). VeriSign digitally signs each certificate we issue. Each browser contains a list of CAs to be trusted. When the SSL handshake occurs, the browser verifies that the server certificate was issued by a trusted CA. If the CA is not trusted, a warning will appear. When high-security browsers recognise an Extended Validation SSL Certificate, they sometimes display the name of the CA as well as the name of the Certificate owner. Because VeriSign is the most trusted and recognised CA on the Internet (see VeriSign Secured Seal Research Review (PDF)), the presence of the VeriSign name can lend an additional level of trust for site visitors. The VeriSign Trial Root CA is for testing purposes only and is not registered in any browser's trust list.

Back to Top

What is a Certificate Signing Request (CSR)?
The CSR is a string of text generated by your server software. You provide this string of text to VeriSign during the enrolment process. To generate a CSR, you will need to know what kind of server software is running on your Web server.

Back to Top

Can I secure multiple servers with a single certificate?
The VeriSign certificate subscriber agreement prohibits customers from using a certificate on more than one physical server or device at a time, unless the customer has purchased the Licensed Certificate Option. When private keys are moved among servers--by disk or by network--accountability and control decrease, and auditing becomes more complex. By sharing certificates on multiple servers, enterprises increase the risk of exposure and complicate tracing access to a private key in the event of a compromise. VeriSign's licensing policy allows licenced certificates to be shared in the following configurations: redundant server backups, server load balancing, and SSL accelerators. See Licensing VeriSign Certificates: Securing Multiple Web Server and Domain Configurations (PDF) for more information.

Back to Top

Can I try an SSL Certificate before purchasing?
You can test SSL in a pre-production server environment with a trial SSL Certificate free for 14 days. SGC-enabled and Extended Validation SSL Certificates are not available in a trial version. Learn more about our Free SSL Trial.

Back to Top

How do I obtain a VeriSign Certificate Centre Sign In?
When you buy or renew an SSL Certificate, an account is automatically created for you. VeriSign® Certificate Centre is a personalised, self-service console with complete and secure access to all certificate management functions for single or multiple certificates from a centralised location, including order status, certificate details, renewal and revocation, backups and stored contact and payment information.

Back to Top

What is a VeriSign Certificate Centre Enterprise Account?
The Enterprise Account has the same functionality as the regular VeriSign Certificate Centre with added benefits for customers who purchase 4 or more certificates per year. With an Enterprise Account, you can purchase 4 or more units at a volume discount to be applied to certificates for issuance when you need them. Once you have enrolled, you can pre-approve organisational and contact information for streamlined processing of certificate requests. VeriSign® Certificate Centre Enterprise Account also provides robust reporting and audit capabilities for managing your full portfolio of certificates. Replacement certificates are free within Enterprise Accounts. Learn more about VeriSign Certificate Centre Enterprise Account.

Back to Top

What is a unit?
A unit equals 1 certificate licence per year for any given product. The price of the unit depends on the type of SSL Certificate selected. You can combine units for multi-year validity periods and for multiple server licences. The SSL Certificate validity period begins on the day of certificate issuance, not the day of unit purchase. Units are valid for and must be redeemed within 12 months of purchase.

Back to Top

What is the VeriSign Secured Partner Program?
Leading Web sites and software vendors are partnering with VeriSign to display a VeriSign trust mark next to sites secured by VeriSign SSL Certificates. The VeriSign Secured Partner Program will lead to increased confidence and can be expected to enhance your site's appeal to its visitors. Any VeriSign SSL customer can elect not to participate in this program. By default your seal preferences are set to give your site the best exposure to the online shoppers who seek out your products and services. If you would like to edit your preferences follow these steps:

  1. Login to manage your SSL Certificates.
  2. Search for your SSL Certificate.
  3. Choose "Set Display Preferences". Here you can uncheck "Include my domain in the VeriSign Secured Partner Program".

Back to Top

Need More Info?
Call +65 6622 1638 Request information online.
Certificate Centre
Certificate Centre Sign In
Quote

VeriSign is the leader, the best known name in transaction security and Web site authenticity. I don't know why everyone doesn't use VeriSign. Case study.


Fabrizio Ferrari,
President,
Virtual Sheet Music