SSL Certificates and Web Security – A Guide

In today’s world, web security and SSL certificates have become mandatory. When ranking websites, Google, the largest search engine on the planet, gives preference to sites that have SSL certificates. It has also started the “HTTPS everywhere” initiative to make the web a more secure place and highlight the importance of web security.

This article discusses what SSL certificates are and what types there are, and compares two major companies that provide SSL certificates – DigiCert and Sectigo.

What are SSL Certificates?

SSL stands for Secure Sockets Layer. This layer establishes a secure connection between the web server and the web browser. When a website has an SSL certificate, a small lock symbol appears at the start of the link, and HTTPS appears in the URL instead of HTTP, which means that you are browsing securely.

SSL uses cryptographic techniques to provide safety to users. The web browser attempts to connect to the web server and sends a message asking the server to identify itself. The web server sends its SSL certificate to the web browser for verification. The browser verifies the certificate and sends a connection request to the server, the server sends back an acknowledgment, and the encrypted session starts. The data that goes back and forth between the browser and the server is therefore encrypted.

An SSL certificate provides security to the website’s data. It’s almost impossible to break into data protected by SSL, and even if there is a breach, the data is strongly encrypted and can’t be deciphered. Customers’ information like usernames and passwords is safe and secure when the website has an SSL certificate. Important transaction information like credit and debit card details and online wallet details is highly secured with an SSL certificate.

Google gives top priority to secure websites and helps them rank faster. The first thing a user notices when visiting a website is the security, i.e., SSL and HTTPS, so it is essential to have a secure website to gain credibility with the customers and indirectly generate more revenue.

Types of Certificates

Depending on the capacity and purpose at which we operate our website, there are four types of SSL certificates:

N.B. Wildcards are a handy sub-type of DV or OV certificates.

Let’s look into each certification in more detail.

Extended validation certificate (EV SSL)

EV SSL is the most trusted and most used certificate by businesses around the globe. These certificates are issued under guidelines that are proposed by the CA/Browser Forum. They can only be issued by a subset of CAs (Certificate Authorities) and require legal verification of the certificate’s requestor. This certificate uses the same encryption techniques as the other two types. EV certificates show a green browser bar, which indicates security and credibility.

Organization Validated Certificate (OV SSL)

These certificates show that an organization is valid. The owner of the business must show proof of both the physical and legal existence of the company. The users will see a lock at the start of the address bar, which indicates that the site is secure and safe from hackers.

Domain Validated Certificate (DV SSL)

These are some of the most commonly used certificates. The verification process for DV only verifies the domain of the website (business). This verification is to check whether the requestor is the owner of the domain or not.

Wildcard Certificate (Wildcard SSL)

A useful type of certificate that secures all subdomains at once, along with the main one. It’s therefore not necessary to issue a new certificate if a subdomain is changed or a new one is created. Wildcards are only available on DV or OV certificate types, for security reasons.

Where to get SSL Certificates

There are many SSL certificate providers across the globe. This article will discuss two of the top companies that provide certificates: DigiCert and Sectigo.

SSL Certificate using DigiCert

DigiCert, Inc. is an American-based digital company that provides users with digital security. They help users across the globe to get the validation required for SSL certificates through Public Key Infrastructure. DigiCert is the world’s largest certificate authority, representing 60% of the EV certificates and 96% of the OV certificates globally.

Among its extensive range, it offers three major certificates, namely DigiCert Basic, DigiCert Secure Site, and DigiCert Secure Site Pro. Users choose from these options according to the security level they need on their website. The basic variation is cheaper, and as security features are added, the cost also increases.

SSL Certificate using Sectigo

Formerly known as Comodo CA Limited (rebranded as Sectigo in November 2018), Sectigo holds the authority for issuing SSL certificates. The company offers digital security to both organizations and independent consumers. With more than 20 years of experience under their belt and hundreds of thousands of customers worldwide, Sectigo is one of the leading companies that provide web security with SSL certificates.

Sectigo broadly offers six types of certificates for the customers who want their website secured from malware. They include DV SSL, OV SSL, EV SSL, WILDCARD SSL, MULTIDOMAIN SSL, and SINGLE CERTIFICATES. They are also an award-winning innovation company with excellent customer support.

DigiCert vs Sectigo – feature comparison

Now, let’s take a closer look at each metric and compare them.

 

Key size and encryption strength

The key size determines the number of combinations it takes to break an encryption algorithm. Both DigiCert and Sectigo offer 2048-bit keys, so their encryption is very hard to break. The encryption strength is also the same for both, which is 256-bit.

Root Domain Support

Sectigo and DigiCert now secure and cover domains both with and without www.

Validation level

Both DigiCert and Sectigo support all the validation certificate types, including domain validated certificates. However, the DigiCert brand does not offer DV SSL – the most basic and common type – except under its sub-brands. So, DigiCert itself serves more enterprise-level needs, whereas many users search for DV SSL with Sectigo.

Multiple Domains and Sub-Domains

If we want to cover multiple or sub-domains with SSL certification, both Sectigo and DigiCert provide multi-domain certificates called SAN certificates. We can add up to 250 Multi-domain SANs with DigiCert and 100 SANs with Sectigo.

Issuing Authority

Comodo CA is a well-reputed brand with more than 20 years of experience. They rebranded themselves in fall 2018 to Sectigo, but they still have the largest market share of CAs. DigiCert, formerly known as Symantec, has also been around the block for many years and has vast industry experience.

Certificate Costs

With so many free SSL certificates available in the market, it sounds like a feasible idea to settle for one. But with premium certifications, you get both customer support and value for money. On top of that, OV and EV SSLs provide a further layer of customer trust as the certificate itself lists the business or registered organization. They can’t be issued to individuals.

Both DigiCert and Sectigo offer premium customer support and services. 

Final Words

We have now seen what SSL certification is and what benefits it provides to website owners. And also, we have seen different types of SSL certificates based on usage and capacity. 

Looking at the two top SSL providers, with their powerful encryption and multiple validation options, the choice is tough. Both will secure your site robustly. Both have long-held authority and experience. The only thing to consider is whether their specific certificate types match your site. 

Looking for domain protection for your blog? DV SSL with Sectigo will be great. Maintaining a high-traffic site with multiple sub-domains? Both brands can get you a top Wildcard version of the OV SSL certificate. Know your site, think security and trust, and you’ll know what certificate works best for you.

Secure your domain now

At Plesk, safety and credibility are provided by powerful Sectigo plugins for you and your customers. Through the SSL It! extension, DV and DV Wildcard releases are among the many certificates you can easily install to secure your domain.

The next screenshot shows what SSL It!’s page looks like for a domain without a configured certificate when the Sectigo extension is already installed:

Let’s click “Buy Now”. Purchasing a PositiveSSL certificate via store.plesk.com:

After purchasing, Sectigo (the Certification Authority, CA) verifies the domain and issues a certificate. When the certificate is issued, the extension automatically installs it and secures the website in Plesk. As you can see, SSL Labs gave the website secured with a Sectigo certificate an A grade.

Just four easy steps, and your site is protected. 

Want to learn more about web security? Our podcast reveals all. 

Moving from HTTP to HTTPS 3: Troubleshooting and DIY solutions

One thing is quite clear: HTTPS is here for good. When SSL certificates give you HTTPS status, you’re saving user data from hackers, making the internet a safer place. You’re also increasing online transactions on e-commerce sites. That’s why most serious website owners have already migrated from HTTP to HTTPS – or are attempting it.

However, even with a host of benefits for a Google-friendly HTTPS site, there are certain technical issues associated with its integration or maintenance that may puzzle even technical users. Let’s now talk about such issues and the best possible ways to resolve them.

Optimizing Speed and Performance

It’s not uncommon to experience site performance/speed issues after upgrading to HTTPS. SSL-enabled sites go through a series of additional verification processes when a visitor enters. One of the key processes is the handshake that requires a significant amount of CPU power. Here are a few actionable tips that can minimize the operation series and resolve this issue.

  1. Save time by sending multiple requests through a single connection. For that purpose, you need to enable Keep-Alive connections.
  2. Shave time by reusing the SSL session parameters. It will eliminate the SSL handshake requirement for subsequent or parallel connections.
  3. The SSL session cache stores multiple sessions. This cache is shared between all the workers. Use the ssl_session_cache directive to enable it.
  4. There are 4000 sessions per megabyte of cache and its default timeout is 5 minutes. However, you can increase this time for better results by using the ssl_session_timeout directive.
  5. To further enhance your website speed by 50-300%, you may also consider the downloadable Speed Kit extension on Plesk.

Issues regarding SSL certificates

SSL Certificate Chains

Another tricky situation is when browsers refuse to accept a certificate, even from a reputed authorized CA. The most popular browsers generally have a built-in certificate store containing various authorized and reputed CAs. However, the reputed CAs use intermediate certificates to sign the server certificate.

The CAs provide a series of chained certificates that ultimately link to the root certificate. These intermediate certificates aren’t in the browsers’ built-in certificate store, and this causes the error. Here are the actionable tips you can follow.

  1. Ideally, the chained certificates should follow the server certificate, in that order, for the verification process to work.
  2. If you’re non-technical, it’s good to get help from a professional or CA.
  3. Open the certificate details: the certification path will reveal the problem areas.
  4. Communicate with your CA if you find difficulty installing an intermediate certificate.

Invalid SSL Certificate

If you try installing the certificate with incorrect details, you’ll get this error. Here’s what to do.

  1. Let’s Encrypt users can use the renewal command to renew an SSL certificate.
  2. If you purchased from another CA, ask them for an SSL certificate renewal.
  3. Make sure the CA is reputable and recognized by popular browsers.

Outdated SSL certificate

As the name suggests, you need to renew your SSL certificate because it is now past its due date or has some validity issues. If your browser doesn’t support SNI, then updating its version can resolve the issue. You may also try revisiting the same page.

The Mixed Content Issue

When you use an HTTPS domain as a path to send HTTP elements, it causes the mixed content error. Basically, you’re trying to mix the different elements (HTTP and HTTPS) on the same platform. Here’s how to solve it.

  1. Just visit the Console tab in Chrome DevTools, where you can find the list of affected elements. If the elements are hard-coded, you need to modify the URL manually. For external resources, just replace the HTTP versions with HTTPS. If the external resources haven’t yet moved to HTTPS, you can send their owners a request. Alternatively, you can also look for HTTPS substitutes for the external resources, like images.
  2. Review the certificate information of the custom SSL certificate that you’re adding to the CDN/origin server and make sure all the information is correct and current. Things to check: intermediate certificates (check the entire range separately), the private key, and empty lines (delete any you encounter).
  3. Use some reputable tool that can help generate an intermediate certificate.
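The manual check in step 1 can be run over saved page source. The scanner below is an added example, not part of the original article: it lists hard-coded http:// subresources and separates active content (scripts, stylesheets, frames) from passive content (images, media). The sample page and its example.com hosts are constructed for illustration.

```python
from html.parser import HTMLParser

# Subresource attributes per tag. Active content can change the whole page,
# passive content only affects what is displayed. Plain <a href> links are
# navigation, not subresources, so they are not mixed content.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (line, tag, kind, url) for every subresource loaded over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only stylesheet links are fetched and applied; canonical links are not.
            if "stylesheet" not in a.get("rel", "").lower().split():
                return
            attr, kind = "href", "active"
        elif tag in ACTIVE:
            attr, kind = ACTIVE[tag], "active"
        elif tag in PASSIVE:
            attr, kind = PASSIVE[tag], "passive"
        else:
            return
        url = a.get(attr, "").strip()
        # Protocol-relative URLs (//host/path) inherit HTTPS from the page, so
        # only an explicit http:// scheme counts.
        if url.lower().startswith("http://"):
            line, _col = self.getpos()
            self.findings.append((line, tag, kind, url))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def suggest_https(url):
    """The replacement URL to try first; confirm the host serves it over HTTPS."""
    return "https://" + url[len("http://"):]


# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://cdn.example.com/legacy.js"></script>
</head><body>
<a href="http://partner.example.net/">partner</a>
<img src="http://img.example.org/logo.png" alt="logo">
<img src="//img.example.org/banner.png" alt="banner">
</body></html>"""

if __name__ == "__main__":
    for line, tag, kind, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> {kind} mixed content {url} -> {suggest_https(url)}")
```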

Outdated Browser, Cache and Cookies

Older browsers may be unable to recognize SSL-enabled sites because they don’t support these technologies. If the browser’s cache has saved older SSL information about your site’s recently updated certificate, then this message appears due to an info mismatch.

This error may still occur after you solve the problem. The simple remedy is to clear your cache so your browser can again retrieve and read the updated certificate details.

Apache Issues

For Apache issues, you need to use code. DigiCert, a leading SSL authority, provides a complete guide on how to resolve such issues, along with solution code that you might just need to copy and paste. With DigiCert, you can also diagnose your SSL issues here: provide your site name and check the reports.

Further DIY Solutions to HTTPS Issues in Plesk

If you love DIY exercises, then here are different ways to buy, manage or renew your SSL certificate in Plesk. All you have to do is to click the links below and follow the easy instructions.

  1. Change the default certificate
  2. Renew the default certificate
  3. Purchase SSL Certificate from Plesk
  4. Enable redirection from HTTP to HTTPS in Plesk
  5. Download SSL certificate in Plesk

This article presented some tricky errors along with their easy, DIY solutions. Let us know in the comments if we’ve managed to keep the instructions clear and simple and if you performed all the steps accurately.

Moving from HTTP to HTTPS 2: SSL Certificates and their suitability

SSL Certificates

SSL certificates help secure data in transit against attacks. Regardless of their types or issuing agency, all SSL certificates encrypt submitted data – decrypting it only upon reaching its recipient. While this basic functionality remains the same for all types of SSL certificates, there are some key differences in suitability and limitations. Let us explore these differences in detail as you continue your move from HTTP to HTTPS.

DV (Domain-validated) Certificate

A DV, or domain-validated, certificate is the most basic level of certification. It simply helps you demonstrate, while requesting the SSL certificate, that you’re the owner of the submitted domain.

A DV certificate is ideal for internal communications, to maintain test domains and servers, and internal sites. Rarely, it may also be suitable for small businesses with a brochure website.

DV Certificate Limitations

  1. DV doesn’t mention the company name that owns and operates the domain. Hence, it doesn’t verify the domain is owned by a trusted, official, legal entity. This can discourage shoppers or potential partners from sharing their personal info while performing online transactions on your site.
  2. Sharing data over a secured network with an unidentified/unverified recipient isn’t wise. A hacker can purchase a fraudulent, similar-sounding domain name and its SSL certificate (like Mikrosoft.com or Jumla.com), just to trick visitors into sharing sensitive data which they will later misuse.

OV Certificate

You get an OV certificate after a detailed verification process. It displays more comprehensive domain information, thus verifying that the legal corporate entity that owns the domain is authentic.

An OV Certificate is suitable if you’re running a commercial website or blog that requires clients to log in using an ID/password, or for educational institutes that require students/teachers to log in and check reports/attendance and other non-interactive activities. An OV may also suit local community websites and small business websites that don’t involve sales or sharing of payment details.

OV Certificate Limitations

  1. Real human interaction, like a telephone call, is generally involved at multiple levels, which enhances the trust level.
  2. Trusted real-world sources are checked to cross-verify the corporate nature of the business requesting it. In most of the cases, it also involves the submission of business documents.

EV (Extended Validation) Certificate

EV certificates almost eliminate any phishing possibilities because of their strict configuration, reinforcing failsafe security at multiple levels. However, an EV requires the most stringent verification process. Your organization can have one issued only after it successfully passes all verification steps, namely physical existence, current legal/operational status, exclusive domain ownership and controlling rights of the commercial entity.

EV Certificate Suitability

  1. The EV certificate is perfect for online stores that need customers’ personal and payment information, including contact address and phone number.
  2. EV is also suitable for healthcare websites that establish communication between doctors and patients, as well as government, educational and other interactive websites that conduct online tests, assessments and such.
  3. If you’re working on mission-critical projects via your website, then an EV SSL certificate is the best option for you.
  4. The EV certificate is also the best choice for online wealth building and management sites and blockchain websites that enable online payments and are looking to build a long-lasting digital empire.

Single Domain SSL certificate

The single domain certificate covers only the one main domain to which it belongs, without supporting any of its subdomains. So if you buy a single domain certificate for mycompany.com, it will only provide SSL security (and HTTPS status) to mycompany.com. The Single Domain SSL certificate is ideal for small businesses and start-ups that just want to secure one domain, like the homepage.

Wildcard SSL Certificate

Along with securing the main domain, the wildcard certificate also secures all related subdomains. In short, the Wildcard perfectly fills the gaps left by the single domain certificate. For instance, if you purchased a Wildcard SSL Certificate for mydomain.com, then it will automatically secure blog.mydomain.com, services.mydomain.com, and shop.mydomain.com.

A Wildcard SSL certificate is best for business websites, institutional sites and other websites with multiple web pages of high importance, such as government organizations, eCommerce sites, online news media, and social community websites.
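To check which hostnames a wildcard certificate will actually cover before buying or deploying one, the following added example (not from the original article) applies the name-matching rule browsers use, in which the * stands for exactly one leftmost label. The SAN list and the api.shop.mydomain.com host are constructed for illustration.

```python
def san_matches(pattern, hostname):
    """True if one certificate name entry (SAN) covers the hostname.

    The wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.mydomain.com covers blog.mydomain.com but neither
    mydomain.com itself nor api.shop.mydomain.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*":
        # No wildcard (or a partial one such as w*.example.com): exact match only.
        return pattern == hostname
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard anywhere but the leftmost label is not accepted
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False  # the * must replace one non-empty label
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_sans, hostname):
    """Return the SAN entries that cover the hostname (empty list = not covered)."""
    return [san for san in cert_sans if san_matches(san, hostname)]


def coverage_report(cert_sans, hostnames):
    return {host: covered_by(cert_sans, host) for host in hostnames}


# Constructed SAN list of the kind a wildcard certificate carries: the wildcard
# entry plus the bare domain as a separate entry.
SAMPLE_SANS = ["*.mydomain.com", "mydomain.com"]
SAMPLE_HOSTS = [
    "mydomain.com",
    "blog.mydomain.com",
    "Shop.MyDomain.com",
    "api.shop.mydomain.com",   # two levels deep: needs its own certificate entry
    "mydomain.com.example.net",
]

if __name__ == "__main__":
    for host, sans in coverage_report(SAMPLE_SANS, SAMPLE_HOSTS).items():
        print(f"{host:28} {'covered by ' + ', '.join(sans) if sans else 'NOT covered'}")
```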

Multiple Domain Names Certificate

The Multiple Domain names SSL certificate is fully capable of securing multiple domain names that belong to you. The Multiple Domain Names Certificate is suitable if you’re running a group of companies with different URLs or you’re considering starting up multiple blogs or sites in the future.

HTTP to HTTPS: Get the best benefits from your SSL Certificate

You need to know about the various options and their suitability to make the best SSL choice, especially with the move from HTTP to HTTPS. This article should help you evaluate this in the context of your business and its objectives. If you’d like to know more about the suitability of different certificates, read our SSL Certificate guide here or the more detailed SSL info from DigiCert.

Moving from HTTP to HTTPS 1: Avoiding the SEO Pitfalls

If you’ve recently moved your site from HTTP to HTTPS, or are planning to soon, then be sure not to make a costly SEO mistake. While moving your site, you’ll make several changes that may harm your SEO, if not made correctly. But fortunately, you’ve landed on this guide to help you out with a few straightforward steps.

HTTP to HTTPS: Use Appropriate Redirects

When you use a 302 page redirect, Google starts indexing the new HTTPS version, but does not stop indexing the older HTTP version, because Google considers the HTTP and HTTPS versions two different properties.

This separate indexing prevents the SEO juice and other qualities of your old URL from being passed on to your new HTTPS version. This makes all your previous SEO efforts on the old HTTP version redundant, and you may need to start again from scratch. However, when you use a 301 redirect, Google indexes the 301 targeted URL and discontinues crawling the older version. As a result, more than 90% of SEO juice transfers to the new HTTPS version.

Avoid chained redirects

Google cannot crawl more than five chained redirects. So, it’s wise to fold all your existing redirects into the initial HTTP to HTTPS redirect. Making things easier for Google can certainly help your SEO. WordPress sites can use redirection to manage redirects or this redirect checker to trace redirect chains.
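Both redirect checks above (301 rather than 302, and no more than five chained hops) can be audited hop by hop. The tracer below is an added example, not part of the original article; it also reports a hop that sends visitors from HTTPS back to HTTP. The example.com URLs and their responses are constructed so the code runs offline, and treating 308 as permanent is an assumption beyond what the article states.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5             # chain length the article says Google will not crawl past
PERMANENT = {301, 308}   # assumption: 308 counted as permanent alongside 301
TEMPORARY = {302, 303, 307}


def fetch_head(url):
    """Issue one HEAD request and return (status, Location header or None)."""
    parts = urlsplit(url)
    secure = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if secure else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=10)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def trace_redirects(url, fetch=fetch_head, limit=10):
    """Follow redirects one hop at a time and list what needs fixing."""
    hops, issues, seen = [], [], set()
    while len(hops) < limit:
        if url in seen:
            issues.append(f"redirect loop at {url}")
            break
        seen.add(url)
        status, location = fetch(url)
        if status not in PERMANENT | TEMPORARY or not location:
            break  # reached a non-redirect response
        target = urljoin(url, location)  # Location may be relative
        hops.append((url, status, target))
        if status in TEMPORARY:
            issues.append(f"{url}: temporary redirect ({status}); use a 301")
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            issues.append(f"{url}: redirects from HTTPS back to HTTP")
        url = target
    if len(hops) > MAX_HOPS:
        issues.append(f"{len(hops)} chained redirects; keep it to {MAX_HOPS} or fewer")
    if urlsplit(url).scheme != "https":
        issues.append(f"chain ends on a non-HTTPS URL: {url}")
    return {"final": url, "hops": hops, "issues": issues}


# Constructed responses standing in for a live site.
SAMPLE_SITE = {
    "http://example.com/old-page": (302, "https://example.com/old-page"),
    "https://example.com/old-page": (301, "/new-page"),
    "https://example.com/new-page": (200, None),
}


def sample_fetch(url):
    return SAMPLE_SITE[url]


if __name__ == "__main__":
    report = trace_redirects("http://example.com/old-page", fetch=sample_fetch)
    for src, status, dst in report["hops"]:
        print(status, src, "->", dst)
    for issue in report["issues"]:
        print("ISSUE:", issue)
```

Calling trace_redirects with only a URL uses fetch_head and queries the live site.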

Don’t redirect to a single irrelevant destination

Redirecting different old URLs to a single irrelevant location creates unnecessary confusion and negatively affects the user experience. However, if you consolidated contents from multiple old URLs to a single page, then it’s fine to redirect them there.

Enhance Crawling Efficiency

Different post-move processes for SEO/search engine updates would need to recrawl your site. If your site is complex and large, it can affect crawling efficiency and delay the process. Here are a few tips to increase efficiency and reduce time:

  1. Admin Pages, backend folders and other irrelevant pages waste significant time for search engine bots. So, prevent them crawling through these sections by editing the robots.txt file.
  2. Bots don’t interpret graphics. So, images should come with proper image alt-tags to make them bot-friendly.
  3. Interlink old content at the relevant portions of the new content. It will help with deep crawling and add to its value.
  4. Consider one of various free or paid tools available that enhance crawl efficiency, thus speeding up the process altogether.

Check crawling behaviour and response codes

Keep a close eye on the crawling behaviour of Google bot on both the HTTP and HTTPS versions. Along with checking the crawled URLs, you also need to look at the response codes the Google bot receives via analytics. To obtain this information, you’ll need to upload server log files.

Robots.txt

Robots.txt is a vital source of your technical search engine profile. So after the move you need to check Robots.txt once or twice and make the necessary changes.

  1. Carefully check the HTTPS robots.txt to ensure its content matches what was previously listed for the HTTP version and that it doesn’t disallow all.
  2. The HTTPS pages should not have any meta ‘noindex’ attributes, and the HTTP robots.txt file shouldn’t disallow all. It should either redirect or deliver a 404, as applicable.
  3. Blocking HTTP URLs in robots.txt prevents the search engines from seeing the redirects to the HTTPS URLs. Thus, various vital signals like PageRank will not be transferred.

Update HTTP resources immediately

Most likely you are using some external resources on your website, like images and social communications. Make sure you update all such resources in the page source code so that they point to the HTTPS versions. If a resource doesn’t have an HTTPS version, it may be better to look for a substitute from a secured source.

Also note that the presence of HTTP elements on the site can attract a ‘Not Secure’ warning, thus defeating the very objective of buying an SSL certificate.

Change your metadata and structured markup to align with your new HTTPS status and help you maximize ranking benefits, namely the canonical and pagination attributes, hreflang and rel alternate media, and structured markup (example: breadcrumbs and videos).

Then, communicate the HTTP to HTTPS changes to Google by verifying the HTTPS property in Google Search Console. Make a property set that is the combination of the HTTP and HTTPS properties to facilitate monitoring. Then set the ideal parameter-handling configuration for the HTTPS version in the search console itself.

Hosting panel resources for non-technical users

There are some really good, reputable hosting panels offering easy documentation and step-by-step guidance. Plesk is one of the top choices for non-technical users because of its neat interface and multi-OS support. If you’re using Plesk, you’ll first need to install SSL certificates for your domain. Also make sure that you have enabled SSL/TLS support in your domain’s Hosting Settings.

Linux OS and Plesk users

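If you use Linux OS then access your .htaccess file in Plesk and paste the following code:

<IfModule mod_rewrite.c>
RewriteEngine on
# Only redirect requests that did not arrive over HTTPS
RewriteCond %{HTTPS} !=on
# R=301 makes the redirect permanent (a bare R sends a 302); L stops further rule processing
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L,QSA]
</IfModule>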

Click OK and you’re done.

Web.config file for Plesk and Windows users

Access your web.config file under File Manager and paste the following code just before </system.webServer>:

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" redirectType="Permanent" url="https://{HTTP_HOST}/{R:1}" />
    </rule>
  </rules>
</rewrite>

HTTP to HTTPS is a wise move if you can dodge the negative SEO impacts that may result. Hopefully this article has accomplished that for you. For more info, here’s the detailed guide on different SEO-friendly HTTPS redirection methods in Plesk.