How to Check SSL Certificates and Stay Secure

As of October 2020, there were 4.66 billion active internet users, and the number is only growing. The evolving technologies like 5G connectivity, mobile devices, and the ever-growing internet content are only aiding the internet’s further use for many purposes.

From simple content delivery systems, video streaming, blogging to complex workspaces and financing solutions – the internet has something to offer for almost any aspect of our daily life. 

Businesses worldwide are increasingly going through digital transformations. Data that was previously locked up in bulky files are easily accessible over the internet. But that does not mean it is any less sensitive or loses its confidentiality nature. Especially data that involves your private information and financial information must be protected with strong security practices. And that is where SSL comes in. 

SSL is the popular security protocol that allows you to secure transactions over the internet by validating SSL security certificates. 

You can easily find out whether your connection is secure by checking for the SSL certificate issued by the website you are trying to access. As a best practice, it is recommended that you only connect with and supply data to sites that have an SSL certificate. Not having an SSL certificate should automatically indicate a less trustable site, and you have to be careful when clicking on such unsecured links and sites. 

So, how to check HTTPS? There is an effortless way to check if a site uses SSL certificates. Every site that uses the SSL certificate system will have the HTTPS protocol specifier in its web address. While HTTP stands for HyperText Transfer Protocol, the S adds the security part provided by SSL. So check for these two things to know whether a site is SSL protected. 

The site name should start with HTTPS, e.g., https://www.yoursitename.com.

You can get detailed information about the site’s security by clicking on the padlock icon on your browser application’s address bar. 

Now for the in-depth explanation and a deeper understanding of SSL, how it works, and why it is essential, let’s keep reading.

SSL certificates are small snippets of data associated with a site that indicates that the site has implemented the SSL security feature. SSL stands for Secure Socket Layer, a security protocol that defines an encryption standard using the public / private key mechanism. 

The SSL certificate acts as the website’s public key and validates its identity and information to authenticate it to be a valid site. The private key is kept safe and secure, while any device or API request trying to access the site will have to reference the public key to verify the site’s identity. SSL certificates are issued by valid Certificate Authorities (CA) only. 

SSL certificate is also used with TLS protocol, an enhanced security protocol used in SSL by most modern browsers and sites. Every connection made to a TLS/SSL-enabled site is encrypted. Anyone trying to access the site without the proper credentials will be denied access and will only intercept garbled values.

Based on the domains, SSL certificates are categorized as:

• Single domain – This type of SSL certificate applies to a single domain name
• Wildcard – This type of SSL certificate is applicable for a single domain and can also be included for use in subdomains. For instance, blog.Site.com. 
• Multi-domain – These SSL certificates can be used for multiple unrelated domains. 

Each SSL certificate may also have different validation levels associated with it. Based on the validation level, SSL certificates can be classified as:

• Domain level validation: This validation applies to just the domain name, and the business has to prove that they are in charge of the domain name
• Organization validation: These are more trustworthy as the certifying agency (CA) will directly contact the business for issuing the certificate 
• Extended validation: The CA conducts a more thorough process and background check for this certificate level before issuing the certificate. 

Based on the SSL certification level, you can deduce the site’s legitimacy and use it accordingly with the necessary caution. 

All modern browsers make it easy for you to quickly check if a site is secured by SSL encryption or not. The easiest way to know if a site is SSL encrypted or not is to check its URL. The URL of the site should start with HTTPS. 

For more details about the site’s security credentials, you can click on the padlock icon near the address bar and get more information on the site’s SSL certificate details. 

So, where to find SSL certificates on the server? To view detailed SSL information on popular browsers like Chrome and Firefox, you can follow the below steps: 

• Click on the padlock icon in the browser’s address bar. For example, this is how it looks for keyfactor.com

• Click on the certificate pop-up and check the certificate details such as expiry date and the valid duration.

• You will get to see more information in case of extended validation certificates, such as the organization’s identification details. You will only get to see the certifying authority’s details at the bottom section of the pop-up for other types of certificates.
• To get more detailed information about the SSL certificate, you can click the ‘More Information.’ On clicking, you will be redirected to the site that gives you more accurate information on the certificate. 

If you own a site and want to check your SSL certificate, the easiest way is to check your dashboard for any approved certificate issued by a CA. If you have multiple SSL certificates installed for your site, you can locate them using any of the two following methods. 

SSL checkers or scanners, such as one provided by Keyfactor, are used to scan your entire network and locate all of your installed certificates. 

• You can also make use of the Windows Certificate Manager Tool if using the Windows Server environment. 

• To view the certificates stored on your local device, launch the Certificate Manager tool.
• To do so, open the command prompt, type in certlm.msc, and Enter.

• You can view all the certificates stored in your computer on the left pane and expand the directory to get more detailed information on a certificate. 
• For certificates accessible to the current user, launch the Certificate Manager Tool by typing in certmgr.msc in the command prompt.  

If not using a tool, you can manually search and locate installed certificates in certificate stores. Certificate stores are containers within the server environment that contain all your certificates. Based on the type of certificates stored, Certificate stores can be classified as: 

• Personal – These stores contain certificates with private keys 
• Trusted Root Certification Authorities – All third-party certificates and certificates from customer organizations will be stored here
• Intermediate certification authorities – These include the certificates issued to subordinate CAs. 

If using a Windows Server, you can access the Certificate Store using the following steps:

• Open the MMC (Microsoft Management Console) by entering MMC on Command Prompt. 
• Go to file, and then select Add/remove Snap-in.
• You will be shown a list of snap-ins. Choose Certificates from the list, then click Add.

• On the next dialog prompt window, select Computer Account and click Next.
• Select your Local Computer on the next prompt and then click Finish.

• Next, click OK, and you will be redirected back to the snap-ins page. 

To view a particular certificate in the MMC snap-in, choose it from the left pane where the certificate store is present. The available certificates from the selected certificate store will be displayed on the middle pane of the window. 

To view the certificate, double-click on it. A Certificate Window will appear and show the selected certificate’s different properties, such as the valid duration, expiry date, path, and any associated private key details. 

All SSL certificates come with a finite lifespan with a set expiry date. Upon reaching the expiry date, the SSL certificate will not be considered valid. 

Most SSL certificates have a lifespan ranging from one to three years, after which the website needs to get their certificates reissued from the certifying authority. A certificate’s validity may be fixed depending on factors like cost, company policy, validation level, etc. 

In most cases, a certificate will be replaced once it nears its expiry date. But certain conditions like the heartbleed bug, SHA-1 end-of-life migration, company mergers, changes in security policy may demand you to replace certificates. 

To check if SSL certificate is installed, you can use the Certificate Manager tool and check its validity period. Another alternative option is to use the sigcheck Windows Sysinternals utility to verify TLS version. Download the utility and run it with the switch command sigcheck -tv. It will list all the trusted Microsoft root Certificate lists. 

Before installing an SSL certificate, you need to make sure you have valid certificates issued from a CA. To do so, you will have to generate a CSR. CSR stands for Certificate Signing Request, which is how you make an application to receive an SSL certificate from a CA. 

A CSR consists of a public key and other details required to validate your identity. You will have to provide information such as the Distinguished Name (DN), Common Name (CN), and fully qualified Domain Name (FQDN) for your website that needs the certificate. 

Here are the steps to creating a self-signed certificate with both public and private key:

• Run the below command in your terminal

openssl req -out testsite.csr -new -newkey rsa:2048 -nodes -keyout testsite.key

• You might get prompted for an optional password, and you can supply a password to protect your private key. This command will create a CSR as output under the name testsite.csr and a 2048 bit private key under the name testsite.key. 

You can now submit this CSR to request signed certificate files from a valid Certifying Authority. After the necessary domain and company validation, the CA will provide you with three files, the private key, the certificate file, and the intermediate certificate file, which can be used to install SSL in your server.

While CA-signed certificates are the recommended and trusted way to implement SSL, you can also use self-signed certificates if required. But doing so will throw warning messages in the browsers as it will not be considered from a trusted source. 

Use self-signed certificates when you don’t deal with sensitive data or if your target audience is a closed group. If you are running an eCommerce site or dealing with a massive traffic volume, CA-signed certificates are the best way to go. 

• To create a self-signed SSL certificate, you can run the following command in your server environment:openssl x509 -signkey testsite.key -in testsite.csr -req -days 365 -out testsite.crt
• This command generates a certificate file named testsite.com.crt from the CSR file input. 

If you are using a Linux server environment, installing an SSL certificate will depend on the server you use. Here are the steps to install an SSL certificate for an Apache Web server. 

• Get your certificate files downloaded from the Certifying Authority along with the private key associated with the certificate. The usual file downloads include a certificate file, private key file, and a certificate chain bundle file. 
• Configure your Apache server to include certificate files properly. This can be done by including the config entries you can find in the below file paths into your Virtual Host section. 

               etc/httpd/conf/httpd.conf

               etc/apache2/apache2.conf

               httpd-ssl.conf

              Ssl.conf

• To add the entries, modify the configuration file as follows:

             <VirtualHost testcertificates.com:443>

              DocumentRoot /var/www/html2

              ServerName testcertificates.com

             SSLEngine ON

            SSLCertificateFile /etc/apache/ssl.crt/ServerCertificate.crt

             SSLCertificateKeyFile /etc/apache/key.crt/yoursite.key

            SSLCertificateChainFile /etc/apache/ssl.crt/ChainBundle2.crt

            < / VirtualHost>

• To check whether the config updates were correctly done, execute the following command: 

          sudo apachectl configtest

Restart your server after making the configuration changes and check if the SSL certificate has been installed correctly. If you find any issues, do contact your certifying authority to ensure you have the valid files. 

To test whether the SSL installation is successful, you can try visiting your site from different browsers and see if the URL has been appropriately changed to HTTPS protocol. The security information is displayed on the browser, as explained earlier. 

The steps to installing SSL certificates in a Windows Server 2016 using Microsoft IIS 7 are given below.

• Get your certificate and intermediate certificate files ready. You can receive them from the CA for your domain. The files you would require are the server certificate file, the private key, and the CA bundle file.
• Launch the IIS manager from the Start > Control Panel > Internet Information Services (IIS) manager.

• Select your server name from the Connections Menu and navigate to the Security section.
• Under the Actions menu on the right pane, click Complete Certificate Request.
• Browse and upload your certificate files as the wizard takes you towards a step-by-step process of installing the SSL certificate. Give a custom name and click OK to save the SSL certificate. It should now be available on the Server Certificate List.
• Bind the installed certificate to your website.
• To do so, go to the Connections Menu > click on Server Name > Sites and select the site you want to set the SSL certificate.
• Under the Actions menu, click Bindings and then click the Add button on the Site Bindings dialog box.
  
  Fill in the details such as:
  • Type – HTTPS
  • IP Address – All unassigned or select from the available IP addresses that correctly applies to the site
  • Port as 443 (default) or to the port your SSL traffic listens to
  • SSL certificates – the friendly name of the SSL certificate just installed.

   

• Click View to review the details and then OK to finish the binding.

As mentioned earlier, every SSL certificate comes with an expiry date, after which the browsers will start showing warning messages when the site is accessed. An expired SSL certificate is a security vulnerability you need to take care of at the right time. To avoid the security complications and possible low trust score of an expired SSL certificate, you must renew them on time. 

The process is quite similar to getting a new SSL certificate. 

• Generate a CSR (Certificate Signing Request)
• Select your SSL certificate and enter the required details like the validity period you need and other details and submit it to the CA. 
• You will get renewed certificate files which you can use on your server. 
• Renewing SSL certificates will require you to complete the same procedures you did for getting a new SSL certificate. These could be domain validation, organizational validation, and other verifications as needed for the level of certificate you are applying to the CA for.

• Launch the IIS manager and open the Server Certificates under the Connections column on the left.
• Under the Actions pane, click on Create Self-Signed Certificate. Give an easy-to-use friendly name and click OK.
• These steps help create a self-signed certificate that is valid for one year, and you can find it under the Server Certificates list. Now bind this certificate to your website as mentioned in the earlier steps.
• As the last step, add your self-signed certificate to your Trusted Root Certificate Authorities. Launch the MMC console and create a Certificate snap-in. Copy the self-signed certificate created and then paste it to the folder under the Trusted Root Certification Authorities.

Launch the MMC and start the Certification Authority Snap-in. Go to the All Tasks > Renew CA certificate by right-clicking on the name of the CA. 

You will be prompted to a Yes or NO dialog box for stopping Active Directory Certificate Services. Click Yes. 

On the next prompt for Renewing CA certificate, you either choose to generate a new public and private key pair or keep using the old pair. Complete the process, and you will find that the certificate is renewed. 

Based on the type of validation you seek, SSL certificates can be classified into three types. While the encryption levels are the same for all the types, the various verification and vetting processes involved in getting the certificate issued from the CV vary. A high validation level indicates that the website is highly credible and trustworthy.  

Only the domain name validity is verified in this type of certificate, and no additional information is displayed on the Secure Site seal. Hence, the DV certificate is considered the least secure of all the SSL certificate types as you cannot be sure who is on the other side of the request. These certificates are issued very quickly as there is not much validation process involved. It is also the cheapest option available which will suit site owners who need a quick SSL certificate without added effort. 

This level of SSL certificate is issued after the CA has confirmed the organization’s existence and identity. These certificates will have additional information, such as the organization name in the certificate file under the ON field. It involves a more detailed vetting process compared to the DV certificate.

An EV level certificate requires a thorough vetting process as defined by the EV guidelines. The CA forum initially ratified these guidelines in the year 2007. Some of the requirements for getting an EV certificate are:

• The organization’s existence must be verified in terms of legal, physical, and operational aspects. 
• The identity of the organization must match that which is present in official and government records. 
• The organization must have exclusive right to use the website/domain that is to use the SSL certificate. 
• The organization must have raised a Certificate request by themselves, and no third party should have raised it on their behalf or instead of them. 

EV certificates are the most accountable and trustable certificates acknowledged by browsers and user clients. It can be provided to any type of business. Additional guidelines list down the various categories under which the organization must be audited to qualify for an EV certificate. 

Before choosing a particular SSL certificate, you need to consider your actual requirements, company situation, and urgency to acquire an SSL certificate. Here are some pointers to think about when choosing your SSL certificate type. 

• Domain availability and registration status

You must have a registered domain available and ready to apply for an SSL certificate. Because even the least level of validation involves checking whether you own a domain name or not. If you thought about using your internal server name for getting the certificate issue, remember it is no more possible. The rules implemented from 2015 onwards restrict CAs from issuing certificates to internal server names or reserved IPs as these names cannot be verified to identify a company that runs them uniquely. 

• Determine the trust level you need for your certificate. 

Are you running a simple website blog? Then maybe you can do well with a DV certificate your web. If you are running a business site but do not carry out any personal data transfer or financial transactions, an OV certificate may suit you. But if you are running an eCommerce site, the recommended validation level is provided with the EV certificate. 

• Number of domains you need the certificate for. 

If you are going with just one domain, you can use the standard certificate with a trust level of your choice, be it EV, OV, or DV. 

If you want to secure multiple domains, say, for instance, yoursite.com, yoursite.in, yoursite.net and so on, you will have to buy a multi-domain certificate. Multi-domain certificates are costlier and are alternatingly called SAN certificates as they are used for Subject Alternative domain Names. 

To secure multiple subdomains, say like blog.yoursite.com, cart.yoursite.com, you need to use a Wildcard domain, which allows you to cover a whole range of subdomains with the *.yoursite.com format. But going for a wildcard can be an expensive option if you have just a handful of subdomains. In that case, you can opt for multi-domain certificates to cover all your subdomains.

As already mentioned, all SSL certificates come with an expiry date, after which they will be deemed invalid, and browsers will start throwing up security warnings. You can choose to renew your SSL certificates or remove them and operate your site as a regular HTTP site without the added security layer. 

Here are the steps to remove an expired digital certificate in Windows systems:

• Launch the MMC application by going to Start > Run > MMC and then select the snap-in > Certificates 
• Select local computer and expand the Certificates folder under the Personal Directory 
• You will get a list of certificates listed on the right pane. Right-click on the certificate you want to remove and select delete. 

In Linux systems, you can try following these steps or use any tool such as the cPanel to manage your server certificates. 

• Open terminal and run the below common 

sudo dpkg-reconfigure ca-certificates

• You will be shown the list of all certificates. From which you can deselect the CAs. 
• Alternatively, you can edit the CA file lists stored in the file /etc/ca-certificates.cong and run the below command to update the changes 

sudo update-ca-certificates

Running dpkg-reconfigure will also automatically reset the certificates. 

SSL certificate works as a credential that shows a credible and acknowledged site by the corresponding Certificate Authority. It implements encrypted message transfers making sure your data is always protected and is handled by verified sources only. Here is a detailed explanation of how SSL certificates work. 

In general, when you send a data request over the internet to a website, the server receives the request and then works on it and sends back a corresponding result with relevant data. The process is relatively straightforward but is vulnerable to intervention attacks. If a hacker were to intercept the data during the request/response data, they can easily get access to your private and confidential data and make use of it in malicious ways. 

For instance, if you send your bank account and password details over the internet to log in to your banking site and a hacker gets hold of that data, they can easily steal money from your account. 

A layer of encryption helps avoid this security vulnerability. When using SSL, all your data will be encrypted. This means only valid uses with the right credentials will be able to decode and understand the data. If a hacker were to intercept the data, all they get would be some encoded data that will not make any sense. 

The encryption method used in the SSL protocol is an advanced private-public key pair encryption model. In this model, the server will hold the private key, and a public key will be shared with the browser clients. The clients trying to access the website with SSL protection will receive the public key and encrypt the data and send it to the server. The server will use the private key to decode the data and send encrypted results back to the client. This process of server-client interactions in SSL consists of a 

• TLS handshake – Sessions keys are generated by both the client and server 
• Encryption with session keys – Data is encrypted with a public key which can only be decrypted with the private key and vice versa. 
• Server authentication – Done to ensure no data is altered during the transfer.

TSL stands for Transport Layer Security and has the same function as SSL. It acts as a cryptographic tool and protocol to enable secure data transfers over the internet. The major difference is that SSL is an older method while TSL is an improved and newer implementation of the concept. 

TSL was launched as the successor to the SSL 3.0 version and was first released in 1999. Previously, SSL was launched in 1994 by Netscape. Both of them provide the same functionality, albeit with a few technical changes that can be pretty difficult for a non-technical person to identify. Some common differences you might find between SSL and TLS are:

Cipher suites 

• TLS provides support for newer suits like RC4, Triple DES, AES, IDEA, and more. 

Alert messages 

• TLS has a more specific and varied range of alert messages in place of the generic “No certificate” alert message shown by SSL. 

Record protocol 

• SSL uses the MAC format for encrypting data, while TLS uses the advanced HMAC, which is a hash-based method. 

Handshake process 

• The technicality of the handshake process differs between SSL and TSL. While TLS calculates hashes over the handshake message, SSL hash calculation uses the master secret and pad. 

Message authentication 

• SSL message authentication uses key data, whereas TLS uses HMAC hash-based authentication.

The differences are quite minor, and TLS is essentially considered an improved SSL. The terms are often used interchangeably.

Every year the SSL protocol is improved upon and strengthened to weed out any existing security vulnerabilities. Hence why continuing to use older versions might cause security implications. You need to disable the older versions and continue to use only the latest SSL version for the desired security advantages. Here are the steps to disabling the older SSL versions. 

Change the configuration settings of your Apache server. The config file may be present in different locations, as listed below. Locate:

• Ubuntu/Debian: /etc/apache2/apache2.conf
• In virtual host debian/Ubuntu systems :/etc/apache2/sites-enabled/
• In virtual host Red Hat/CentOS: /etc/httpd/sites-enabled/
• CentOS/Redhat systems : /etc/httpd/conf/httpd.conf

Once you have located the file, search for the entry “SSLProtocol” and change it to 

SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

• Restart the apache server 
• service httpd restart or
• service apache2 restart 

Similarly, for Nginx or TOMCAT servers, modify the config file. Change the  ssl_protocols entry to the latest TLS version and restart the server. 

To disable the older SSL versions in Windows, you can either use a tool like the IIS crypto tool to modify the SSL versions through a GUI app. To do the same manually, follow the below steps 

Open Registry editor by Start > Run > regedit 

Find the following registry key/folder:

• If you have SSL 2.0 listed, right click on it and select New-> Key and create a new folder called Server. 
• Under the Server folder,  click Edit > New > DWORD (32-bit value)
• Enter Enabled and press enter.  The data column should have the value 0, if not right-click and set it to zero. 

Similarly, repeat the steps to disable SSL3.0 and restart your computer to reflect the changes.

Sometimes your browser settings may be set not to allow SSL sites. In these cases, you will have to update your settings to enable TLS site access. Here are the steps to follow. 

• Open Google Chrome > Settings. 
• Go to Advanced Settings > Network > and click on Change Proxy Settings 
• Select Advanced tab and scroll through the Security category. Locate the Use TLS checkbox options and enable the TLS versions you want to. 
• Click OK and restart your Chrome browser. 

• Click on Tools > Internet Options > Advanced Tab 
• Open Internet Explorer browser. 
• Open Internet Explorer browser. 
• Scroll to the Security category, find the US TLS check box options, and enable them to enable the respective TLS version.
• Click OK and restart your browser.

• Open Firefox browser. Go to the address bar and enter the address as:  about:config. 
• You will be shown the config page. Try to search for TLS using the search field. 
• When you find the entry security.tls.version.min, select it, and set the value to 1 to enable it.
• Click OK, close the browser and restart. 

Automating SSL certificate management is a great way to easily keep track of and update all your digital SSL certificates. Here are some notable benefits you get with a good SSL certificate automation tool 

• It reduces manual error and labor overhead. 
• Reduces the cost of TLS certificate mistakes which can cost businesses heavily. Most modernism browsers will restrict access to a site with invalid or expired certificates, thus leading to a  huge drop in incoming traffic to your site. 
• Ensure the site is up to date with the latest security protocol. 

As you can see, checking SSL certificate, ensuring it is verified, and removing it when it is beyond the expiration date is essential. However, the involved process is a lot cumbersome and needs technical know-how. Not anymore. Keyfactor’s certificate management and automation solutions are here to help you out.

Contact us to learn more and explore the useful features of Keyfactor.