Tactical Advice

How to Secure Your Website with Digital Certificates

Provide users with the confidence and security they need when visiting your website.
How to Secure Your Website with Digital Certificates
Credit: iStockphoto/ThinkStockPhoto

Internet users are trained to recognize the signs and symbols of secure websites — from the HTTPS in the URL to a lock icon in their browser. Is your website correctly configured with a digital certificate to provide your users with confidence that the information they share is being transmitted securely?

HTTPS: An Introduction

All web communications take place using a standard protocol — the HyperText Transfer Protocol (HTTP) — that defines the format of communications between web servers and web browsers. The basic HTTP protocol is a cleartext protocol that transmits data across a network in an open format. This unfortunately makes it vulnerable to eavesdropping and is not suitable for the transfer of sensitive information, such as passwords, credit card numbers or trade secrets.

Organizations seeking to exchange this type of information over the web must turn instead to HTTP Secure (HTTPS), which adds security to the standard HTTP protocol through the use of encryption.

As with other forms of encryption, HTTPS depends upon the use of an encryption key to secure information flow. In this case, each web server has its own public encryption key, which is made available to any user seeking to establish a secure web connection.

In order to ensure the security of communications, the user’s browser must have some way to verify that the public key presented by the server actually belongs to the organization claiming ownership.

That’s where digital certificates come into play. When Bank XYZ sets up its website, it must contact a trusted third party, known as a certificate authority (CA), and request a digital certificate for its server. The CA is then responsible for verifying the bank’s identity and issuing a certificate that contains the bank’s public key, which is digitally signed by the CA.

When the user visits Bank XYZ’s website, the browser automatically retrieves the digital certificate, verifies the signature to ensure that it was issued by a recognized CA, and then uses the public key to create a secure connection between the browser and the server.

Obtaining a Digital Certificate

The process of securing a digital certificate is fairly straightforward. Simply create an account with a certificate authority, submit to a basic identity verification process and provide server details and a credit card number. The CA then verifies the information and issues a digital certificate containing the organization’s public key and the CA’s digital signature.

In some cases, it might be possible to skip the CA altogether and create a digital certificate oneself at no cost. These certificates, known as self-signed certificates, work in the same manner as CA-issued certificates but they function only in an environment that is configured to trust self-signed certificates. Typically, these self-signed certificates are useful for internal web applications accessed by employees, while public-facing applications usually require CA-issued certificates.

While shopping for a digital certificate, be sure to choose a reputable CA that is trusted by the major web browsers. But beyond that, budget should drive the decision. A digital certificate that costs $499 from one CA is just as good as one that costs $99 from another CA.

One upgrade option worth considering is the extended validation (EV) certificate. These certificates require extensive identity verification by the certificate authority, and while they aren’t necessary for a secure website, they are a worthwhile enhancement for sites that handle extremely sensitive information. Financial institutions, in particular, frequently choose EV certificates.

Managing Digital Certificates

Once the digital certificate has been installed on a website, it’s important to manage it on an ongoing basis. While digital certificates don’t require extensive ongoing work, it’s important to monitor the inventory of certificates to ensure that they are protected.

Maintaining a detailed inventory of certificates — including the identity of the CA that issued each, the server(s) using each certificate and their expiration dates — is a must. Many CAs offer certificate management dashboards for organizations that consolidate their certificates under one CA.

Failure to manage certificates can result in visitors seeing an ominous warning that the site may not be secure. This message won’t disappear until the certificate is replaced with a renewed copy.

The other major task facing certificate administrators is ensuring that the private keys associated with certificates are safeguarded from disclosure. Certificate admins should verify that the server locations containing the keys have properly configured access controls and that all staff with access to the keys have undergone background checks.

Proper creation, installation and maintenance of digital certificates will ensure that customers are confident in an organization’s ability to protect their sensitive information from unauthorized disclosure. Don’t hesitate to invest the time and resources necessary to build a reliable certificate management program.

Sign up for our e-newsletter

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.

Security

Heartbleed: What Should Your... |
One of the biggest security vulnerabilities has almost every user and every industry...
Why Businesses Need a Next-G... |
Devices investigate patterns that could indicate malicious activity.
Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Businesses Must Step Careful... |
Slow and steady wins the race as businesses migrate IT operations to service providers,...
Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Mobility: A Foundational Pie... |
Other technologies rely on mobile computing, which has the power to change lives, Lextech...
Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.

Hardware & Software

Review: HP TippingPoint S105... |
Next-generation firewall can easily replace a stand-alone intrusion prevention system....
New Challenges in Software M... |
IT trends such as cloud, virtualization and BYOD pose serious hurdles for software...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.