Server (SSL) vs. Client Certs

  1. Server certificates authenticate the server's identity to the client(s).
  2. Client certificates authenticate the client's (user's) identity to the server.
  3. Server certificates are used to encrypt data in transit.
  4. No encryption of data takes place in the case of client certificates; they are purely an authentication mechanism.

Simply put, a digital signature is a way to validate the authenticity and integrity of any data. To create a digital signature, the signing software computes a one-way hash of the data to be signed and then encrypts that hash with the signer's private key. This encrypted hash, plus other information (the message itself and the hashing algorithm used), is the digital signature.

Where and Why do we need Client Certificates?

When you sign into your VPN, use a bank card at an ATM or a card to gain access to a building, or, for example, use an Oyster public transport smart card in central London.

Digital certificates are even found in petrol pumps, in the robots on car assembly lines and in our passports.

What is IN a cert?

A certificate is created from a digital signature (of the signing authority) and some other elements (of the entity being certified, i.e. the certificate holder).

A Digital certificate contains:

  1. The digital signature of the certificate-issuing authority
  2. The name of the certificate holder
  3. A serial number, used to uniquely identify the certificate and the individual or entity identified by it
  4. Expiration / validity dates
  5. A copy of the certificate holder's public key (used for decrypting messages and digital signatures produced with the holder's private key)
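As an added example (not code from the original post), the Go program below builds a hypothetical root CA, a server certificate and a client certificate with the standard library, fills in the fields listed above (issuer signature, holder name, serial number, validity dates, holder's public key), and then checks each certificate the way a peer would. It ties the first section to this one: the only thing that separates the server certificate from the client certificate is the Extended Key Usage the issuer put in it. The CA name "Example Root CA", the host www.example.com and the user alice@example.com are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert generates the holder's key pair and has issuer sign a certificate carrying the
// serial number, holder name, validity dates and key usage; a nil issuer means self-signed root CA.
func newCert(serial int64, cn, host string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey,
	eku ...x509.ExtKeyUsage) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // the holder's public key goes into the cert
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), ExtKeyUsage: eku}
	if host != "" { // a server cert names the host it protects
		t.DNSNames = []string{host}
	}
	if issuer == nil { // root CA: signs itself and is allowed to sign other certs
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		issuer, issuerKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, issuer, pub, issuerKey) // issuer's signature
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildPKI returns a constructed root CA, a server cert for www.example.com and a client
// cert for a user (all hypothetical); only Extended Key Usage separates the two leaf roles.
func BuildPKI() (ca, server, client *x509.Certificate) {
	ca, caKey := newCert(1, "Example Root CA", "", nil, nil)
	server, _ = newCert(2, "www.example.com", "www.example.com", ca, caKey, x509.ExtKeyUsageServerAuth)
	client, _ = newCert(3, "alice@example.com", "", ca, caKey, x509.ExtKeyUsageClientAuth)
	return ca, server, client
}

// Accepts checks the signature chain back to ca, the validity dates, the host name
// (an empty host skips that check) and whether cert is permitted for role.
func Accepts(ca, cert *x509.Certificate, role x509.ExtKeyUsage, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{role}})
	return err == nil
}
```

A certificate issued by a different CA, or presented for the wrong role or host, is rejected by Accepts even though every field in it is well formed.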

Types of Server Side Certs

  1. Domain Validated SSL Certs and Wildcard SSL Certs
  2. Extended Validation Certificates
  3. Organization Validated Certificates

Domain Validated Certificates (DV SSL)

A Domain Validation SSL certificate offers low assurance and minimal encryption, and is typically used for blogs or informational websites. The validation process for this certificate type is minimal: website owners only have to prove domain ownership by responding to an email or phone call. It is one of the least expensive and fastest certificate types to obtain.

Wildcard SSL Certificates

Wildcard SSL certificates secure a base domain and an unlimited number of its subdomains. Purchasing a wildcard SSL certificate is cheaper than purchasing several single-domain SSL certificates; both OV and DV wildcard certificates are available. A wildcard certificate has an asterisk (*) as part of the common name, and the asterisk represents any valid subdomain of the same base domain. For example, a common name of *.example.com lets the certificate be installed for install.example.com, list.example.com, and so on.

Extended Validation Certificates (EV SSL)

The highest-ranking and most expensive SSL certificate type is the Extended Validation certificate. When installed, this type displays the padlock, HTTPS, the name of the business and its country in the browser address bar. EV SSL certificates are intended for high-profile websites and applications that require identity assurance, such as those collecting data, processing logins or taking online payments.

Organization Validated Certificates (OV SSL)

The primary purpose of an Organization Validation SSL certificate is to encrypt the user's sensitive information during transactions. This certificate type offers high assurance similar to that of an EV SSL certificate and is used to validate a business's credibility. It also displays the website owner's information in the address bar to help distinguish the site from malicious ones. OV SSL certificates are the second-highest in price. Commercial or public-facing websites are required to install an OV SSL certificate to assure customers that any information they share remains confidential. To obtain one, the website owner must complete a substantial validation process: a Certification Authority (CA) investigates the website owner to confirm that they have the right to the specific domain name. Once the certificate is installed, the business information is shown in the browser address bar.

Anuj holds professional certifications in Google Cloud and AWS, as well as in Docker and application performance tools such as New Relic. He specializes in cloud security, data encryption and container technologies.


Written by Anuj Varma, Hands-On Technology Architect and Clean Air Activist.