What is an SSL Certificate Authority?


If you have a business website, you should have an SSL certificate. An SSL certificate serves two important purposes that protect customers visiting your ecommerce website:

1. Verifying your identity: First of all, the SSL certificate states who you are. This way, your customers feel confident that they are dealing with your company, and not with an imposter trying to steal personal information – especially payment information.

2. Securing transactions: SSL stands for “Secure Sockets Layer”. Accessing a special Internet port (443), a secure sockets layer provides special encryption that protects sensitive information. A secure communication channel, along with encoded information, is used to make sure that people trying to intercept payment information have a very hard time extracting useful data.

Your customers won’t trust you if you do not have an SSL certificate. In fact, if you do not have an SSL certificate, your customers will be warned, via a browser message, that your ecommerce website is not secure, and that their information could be compromised. SSL certificates are obtained from third parties that have been entrusted with the job of issuing SSL certificates that ensure privacy and security. However, not just anyone can issue an acceptable SSL certificate. The certificate must come from an SSL certificate authority.

What is a certificate authority?

A certificate authority is often (but not always) a third party. This is a party that is trusted by both parties involved in a transaction. The trusted third party helps interactions go smoothly. Cryptography is most often used to facilitate these transactions. A certificate authority may sell its services to the public. Examples of these types of SSL certificate authorities are VeriSign, Thawte, GeoTrust, GoDaddy and Comodo among others. You pay to have your ecommerce website protected, and the certificate authority issues you an SSL certificate that encrypts transactions between your Web site’s server and the browser your customer is using to make purchases.

A certificate authority does not always have to be someone who sells their services. There are some authorities that issue their certificates for free, allowing anyone to get free secure sockets layer encryption and a free SSL certificate. However, it is a matter of trust. Some certificate authorities are better known by the public and are therefore better trusted. If a browser doesn’t recognize the authority, it may display a pop-up asking the customer to agree to take on the risk of moving forward with a transaction on a site that may not be secure.

Governments and other institutions may issue their own SSL certificates. It is also possible for you to issue your own SSL certificate, but many browsers will post a warning in such cases; few savvy online shoppers are willing to take the word of a company that issues its own certificate. The point of a certificate authority is to verify that you are who you say you are, and that you are providing a secure place to do online business.
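The trust check described above can be reproduced offline with the openssl command-line tool. This is an added example, not part of the original article: it builds a throwaway certificate authority, has it sign one certificate, creates a second certificate that is self-issued, and checks both against a trusted list containing only that authority. The names "Example Root CA" and "shop.example" are constructed, and the script assumes openssl and mktemp are installed.

```shell
#!/bin/sh
# Added example; "Example Root CA" and "shop.example" are constructed names.

# Create a throwaway CA, a CA-issued certificate and a self-issued one in $1.
build_demo_pki() {
    dir=$1
    # The certificate authority: a key pair and its own root certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # The shop generates its key and a certificate signing request (CSR).
    openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
        -keyout "$dir/shop.key" -out "$dir/shop.csr" 2>/dev/null || return 1
    # The CA signs the request, producing the shop's certificate.
    openssl x509 -req -in "$dir/shop.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/shop.crt" 2>/dev/null || return 1
    # A certificate the shop issues to itself, with no CA involved.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=shop.example" \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null || return 1
}

# check_trust TRUSTED_CA_FILE CERT: prints "trusted" or "untrusted".
check_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

demo=$(mktemp -d) || exit 1
if build_demo_pki "$demo"; then
    echo "CA-issued certificate:   $(check_trust "$demo/ca.crt" "$demo/shop.crt")"
    echo "self-issued certificate: $(check_trust "$demo/ca.crt" "$demo/self.crt")"
fi
rm -rf "$demo"
```

Both certificates name the same site; the only difference is whether the signer is on the verifier's trusted list, which is the condition that triggers the browser warning.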

What does a certificate authority do?

A certificate authority will take some steps to verify your identity. While not foolproof, the process does add a little more legitimacy to your claims of who you are. But the most important thing a certificate authority does is protect secure transactions. The certificate authority encrypts information. This means that it takes payment information – like credit card processing – and changes it into a random string of characters. To someone intercepting the communication, it makes no sense. The certificate authority also issues a key. This key is used to decode the transaction. Only a party with the proper key can make sense of the information. For everyone else, it’s useless.

The encryption used these days is 128-bit encryption. This means that the encryption uses 128 pieces of information. The possible combinations of this information – and the possible combinations to find the key – are so huge that most computers cannot crack the code. And using an attack that tries every possible combination (more than a billion trillion possibilities) is impractical. Someone trying to steal the information has to be very lucky indeed to stumble upon the key that will give them the power to decode the message.

In the end, it comes down to trust. Customers are not likely to trust you to keep their sensitive payment information secure if you do not have an SSL certificate issued by a trusted authority. Your ecommerce web host may charge you money every year to provide this protection, but it is usually worth it.