If you need to check the SSL certificate of a website, modern browsers make it straightforward and help you avoid sending sensitive data over an unencrypted connection. In most browsers, first look at whether the site URL begins with “https,” which means the connection is protected with TLS and the server presented a certificate the browser accepted. Then click the padlock icon in the address bar to view the certificate details.
Digital certificates are electronic credentials used to certify the identities of individuals, computers, and other entities on a network. Private and public networks are used with increasing frequency to communicate sensitive data and complete critical transactions, which creates a need for greater confidence in the identity of the person, computer, or service on the other end of the communication. Digital certificates and public-key cryptography identify machines and add authentication and confidentiality to digital communications.
If the URL begins with “https” instead of “http,” the connection to the site is secured with an SSL/TLS certificate, and the padlock icon in the address bar indicates the same thing. Be clear about what the padlock does and does not tell you: it means traffic is encrypted to whoever controls the private key for that certificate, and that a CA verified control of the domain name. It does not mean the site itself is honest; phishing sites routinely obtain valid certificates for look-alike domains, so check the domain name in the address bar, not just the padlock.
SSL/TLS ensures that data exchanged with the site is encrypted in transit and that the server is the one named in the certificate. Any website where sensitive data may be transferred should use it. Sites that don’t are open to interception and tampering by anyone on the network path, and modern browsers mark them as “Not secure.”
Chrome has made it simple for any site visitor to get certificate information with just a few clicks:
The displayed information includes the intended purposes of the certificate, who it was issued to, who it was issued by, and the validity dates. For Extended Validation (EV) certificates, the verified organization name is part of the certificate’s Subject, so you can see some identifying information about the organization operating the site. For non-EV certificates (Domain Validated and Organization Validated), the pop-up only shows which Certificate Authority (CA) issued the certificate, in the “Verified by:” section at the bottom. Click the "More Information" link to view more details. Bear in mind that the major browsers stopped giving EV certificates a distinct address-bar treatment in 2019, so the organization name is only visible once you open the certificate details.
EV Certificate in Firefox
Non-EV certificate in Firefox
This brings you to the security details of the page, where you’ll find more information about the website identity (for EV Certificates, the company name will be listed as the owner) and the protocols, ciphers and keys underlying the encryption.
If you want even more details about the certificate, just click “View Certificate”. On the “Details” tab, you’ll find the certificate hierarchy and can dig through the certificate fields.
Finding your SSL certificate may be as simple as checking your dashboard or account with the Certificate Authority (CA) that issued it. If that is not an option, or your company has multiple certificates, there are two methods to locate the SSL certificates installed on a website you own. Before we go into specifics, remember that in a Windows Server environment installed certificates are stored in certificate stores, which are containers that hold one or more certificates. These containers are
One great way to make sure you found all of your certificates is to use Venafi as a Service. This software-as-a-service solution will scan your network and find any certificates that are installed there and give you tons of information on each one.
If you decide to go the manual route and examine the stores on your local device to find the certificate you are after, follow the procedure below.
Another method to view the installed certificates is to launch the Windows Certificate Manager Tool.
To view certificates for the local device, open a command prompt (or the Run dialog) and type certlm.msc. The Certificate Manager tool for the local computer appears; you need local administrator rights to change anything in it. To view your certificates, under Certificates - Local Computer in the left pane, expand the folder for the type of certificate you want to view (web server certificates normally live under Personal > Certificates). The same store is exposed to PowerShell as the Cert:\LocalMachine\My drive, which is the easier route when you want to list many certificates and their expiry dates at once.
To view certificates for the current user, open the command console, and then type certmgr.msc. The Certificate Manager tool for the current user appears. To view your certificates, under Certificates - Current User in the left pane, expand the directory for the type of certificate you want to view.
Apart from checking your own certificates, it is equally important to be able to determine whether a site you are visiting uses SSL/TLS. We will use Venafi’s site and the Firefox browser as an example.
The first sign to look for is the “https” in the URL of the site you are visiting; the “s” means the connection is using TLS and the server presented a certificate. In Firefox, clicking the padlock in the address bar brings up a preliminary dropdown that reports a secure connection when properly configured TLS is in place. Click the arrow to the right of the dropdown to view more information about the certificate.
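The padlock walk-through above can be reproduced from a script, which is what you want when there are many hosts to check or when automating the post-install test. The following Python example is added here and is not part of the original article or of any Venafi tool: fetch_peer_cert() performs the live check with the standard library's validating context, and summarize() extracts what the browser pop-up shows (subject, issuer, organization if OV/EV, validity, SAN list) and applies the browser's hostname rule, including single-label wildcards. SAMPLE_CERT is a constructed dict in the layout getpeercert() returns, with invented names and dates, so the inspection logic runs offline; DEMO_NOW is a fixed clock for the same reason.

```python
"""Inspect a server certificate from a script instead of the browser pop-up.
Added example, not the article's code. Host names and dates below are invented."""
import socket
import ssl
import sys
import time

# Constructed sample in the exact layout ssl.SSLSocket.getpeercert() returns,
# so summarize() and hostname_matches() can be exercised without a network.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),  # no O= attribute: DV-style
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA Inc"),),
        (("commonName", "Example CA R3"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "serialNumber": "0A1B2C",
    "version": 3,
}
# Fixed "now" for the sample so results are reproducible: 1 Jan 2025 00:00 UTC.
DEMO_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with the default validating context and return the leaf cert dict.
    Raises ssl.SSLCertVerificationError for an untrusted, expired or mismatched
    certificate, which is the script equivalent of the browser warning page."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def hostname_matches(cert, host):
    """Browser-style name check: exact SAN match, or a '*.' wildcard that covers
    exactly one label. '*.api.example.test' matches 'v1.api.example.test' but
    neither 'api.example.test' nor 'a.b.api.example.test'. The CN is ignored."""
    host = host.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*."):
            suffix = value[1:]                                   # ".api.example.test"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def summarize(cert, host, now=None):
    """What the padlock pop-up shows, as a dict: who the cert is for, who issued
    it, whether an organization was verified (OV/EV), and remaining validity."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": _rdn_value(cert["subject"], "commonName"),
        "organization": _rdn_value(cert["subject"], "organizationName"),  # None for DV
        "issuer": _rdn_value(cert["issuer"], "organizationName"),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "days_left": int((not_after - now) // 86400),
        "expired": now >= not_after,
        "hostname_ok": hostname_matches(cert, host),
    }


if __name__ == "__main__":
    # With a host argument this does the live check; without one it runs on the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(target) if target else SAMPLE_CERT
    report = summarize(cert, target or "www.example.test", None if target else DEMO_NOW)
    for key, value in report.items():
        print(f"{key:12} {value}")
```

Run it as `python check_cert.py www.your-site.example` to test a freshly installed certificate; a verification failure is raised before summarize() ever sees the certificate, which is exactly the behaviour you want in a monitoring job.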
All digital certificates have a finite lifespan and are no longer accepted as valid after expiration. Validity periods vary and have typically been set anywhere between one and three years based on company policy and/or cost considerations, although publicly trusted web certificates are now limited to a maximum of 398 days. At a minimum, certificates need to be replaced at the end of their life to avoid service disruption. There are also scenarios where a certificate must be replaced earlier: a suspected private-key compromise (as with the Heartbleed bug), the SHA-1 end-of-life migration, company mergers, or a change in company policy. When the reason is a possible key compromise, the old certificate should also be revoked, not just replaced.
There are various tools available to check if your SSL certificate is valid. But with the right know-how, you can do it yourself as well. Once you have located the SSL certificates housed on your web server, there are two ways to check their validity.
The first option is to run certlm.msc, open the Certificates - Local Computer window, and go through the certificates in each store to confirm that only the legitimate ones are installed and that none have expired. It is a time-consuming job, but doable.
The second option is the Windows Sysinternals utility sigcheck, which makes checking the root certificate store easy. Download or update the tool from Microsoft and run it with the switches sigcheck -tv. The utility downloads Microsoft’s trusted root certificate list and outputs only the certificates in the local root store that do not chain to a certificate on that list. Anything it reports is a root Microsoft does not trust: typically a corporate CA you deployed yourself, or an unexpected root that warrants investigation. Note that this catches rogue or unknown roots; it does not check your own server certificates for expiry.
Checking SSL validation and managing certificates can be a very difficult and error-prone process. There are many critical tasks that come with enterprise SSL certificate management, and ignoring or mishandling any one of them can set the stage for a Web application exploit.
Follow these steps to install an SSL certificate on Linux (Apache) servers :
Then make sure to test the SSL certificate as well. Using different browsers, visit your site with the secure https URL to verify the SSL certificate is working correctly.
Follow these steps to install an SSL certificate on Windows Server 2016:
Now that you've successfully installed your SSL certificate, you need to assign the certificate to the appropriate site.
Your SSL certificate is now installed, and the website configured to accept secure connections. Make sure to test this SSL certificate as well. Using different browsers, visit your site with the secure https URL to verify the SSL certificate is working correctly.
Renewal replaces a certificate before it expires and is the natural point to rotate the private key and move to current key sizes and signature algorithms. The protocol versions and cipher suites a server accepts are set in the server configuration, not in the certificate, so review those separately. Keep on top of renewals to avoid the mistake of letting your certificates expire.
There are two different procedures to follow which depend whether you are renewing self-signed certificates or certificates from CAs.
How to create new self-signed certificate
Although self-signed certificates should not be used on an e-commerce site or any site that transfers valuable personal information such as credit card or social security numbers, they can be appropriate in certain situations, such as on an intranet, on an IIS development server, or on personal sites with few visitors. Browsers do not trust them by default, so every client that should accept one must be told to trust it explicitly.
How to renew certificates from CAs
To renew a certificate issued by a CA (you do not renew the CA’s own root certificate; the CA maintains that), you will have to perform the following steps:
It is very important to stress the need for valid certificates. Expired certificates can and will cause website outages and downtime, which in turn cause serious reputational damage. It is therefore highly advisable to renew certificates that are close to expiring in a timely manner. Do not wait until the very last moment.
Once you have found all your certificates on your system, you might have discovered that some have already expired (hopefully not!). To remove expired certificates, either self-signed or provided by a CA, there are two methods.
First method: Right-click on the expired certificate and select Delete. You will have to repeat this step for all expired certificates. Once you are done, you will have to restart the server.
Second method: Right-click on the expired certificate and choose Properties. On the Properties window, select “Disable all purposes for this certificate” and then click Apply. Once you are done with all your expired certificates, you will have to restart the server.
SSL certificates carry fixed expiration dates set at issuance. Historically these ran up to two years; publicly trusted certificates are now limited to 398 days (about 13 months). Shorter lifetimes bound the damage from a compromised key or a mis-issued certificate and force keys and algorithms to be refreshed regularly. Most CAs let you renew up to 90 days before the expiration date, which gives you time to get the new certificate issued and installed and avoid a lapse.
It’s important to monitor your certificates and stay on top of expirations that may sneak up on you and cause outages that will hurt your site. Unfortunately, many companies manage a variety of digital certificates manually with spreadsheets. This leads to mistakes such as lost, mismatched, or mislabeled certificates. Certificates can inadvertently expire, at which point browsers and other clients no longer trust the website or web application. This can be a very expensive mistake if the affected web application is public-facing: it damages the organization’s reputation, and visitors’ browsers may block access to the site entirely. Expired certificates have caused many high-profile system outages, and because they are often one of the last causes administrators investigate, they add significantly to downtime.
Another problem occurs if the CA that issued the organization’s certificates is compromised. The CA revokes the affected certificates, and browser and operating-system vendors may remove the CA’s root from their trust stores altogether, so when a client connects to the affected server the certificate is no longer accepted. Without proper SSL certificate management at an enterprise-wide level, it’s impossible to tell how many (if any) of your certificates are affected.
To avoid these certificate management errors and to correct any mistakes that previously occurred while managing certificates, the most effective solution is to use automation. Automated tools can search a network and record all discovered certificates. Such tools can usually assign certificates to business owners and can manage automated renewal of certificates. The software can also check that the certificate was deployed correctly to avoid mistakenly using an old certificate.
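To make the monitoring concrete, here is an added Python example (not from the article, and not Venafi’s product) of the sweep an automated tool runs over a certificate inventory: every record is classified as expired, due for renewal (inside the 90-day window most CAs allow), or fine, and certificates still signed with SHA-1 are flagged for early replacement, one of the early-replacement triggers listed in the validity section above. The inventory entries, owners and dates are constructed; in practice you would fill the list from the certificate stores or from live connections to each host.

```python
"""Expiry and renewal sweep over a certificate inventory.
Added example, not the article's code. All records below are constructed."""
import ssl
import time
from dataclasses import dataclass

RENEWAL_WINDOW_DAYS = 90      # how far ahead of expiry most CAs allow renewal
# Fixed "now" (1 Jan 2025 00:00 UTC) so the sample output is reproducible.
DEMO_NOW = ssl.cert_time_to_seconds("Jan  1 00:00:00 2025 GMT")


@dataclass
class CertRecord:
    location: str    # where the certificate is installed
    owner: str       # business owner who gets the renewal ticket
    not_after: str   # notAfter as printed by getpeercert() / the Details tab
    sig_alg: str     # signature algorithm as shown in the Details tab


# Constructed inventory: one expired, two inside the renewal window, one healthy.
INVENTORY = [
    CertRecord("www.example.test", "web-team", "Mar 31 23:59:59 2025 GMT", "sha256WithRSAEncryption"),
    CertRecord("mail.example.test", "it-ops", "Jan 15 12:00:00 2025 GMT", "sha256WithRSAEncryption"),
    CertRecord("legacy-portal.example.test", "finance", "Nov 30 00:00:00 2024 GMT", "sha1WithRSAEncryption"),
    CertRecord("api.example.test", "platform", "Dec 31 23:59:59 2026 GMT", "ecdsa-with-SHA256"),
]


def days_until_expiry(not_after, now):
    """Whole days left; negative once the certificate has expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(record, now, window=RENEWAL_WINDOW_DAYS):
    days = days_until_expiry(record.not_after, now)
    if days < 0:
        return "EXPIRED"
    if days <= window:
        return "RENEW"
    return "OK"


def sweep(inventory, now=None, window=RENEWAL_WINDOW_DAYS):
    """One row per record as (status, days_left, record, notes), worst first,
    so the top of the list is what needs action today."""
    now = time.time() if now is None else now
    rank = {"EXPIRED": 0, "RENEW": 1, "OK": 2}
    rows = []
    for rec in inventory:
        notes = []
        if "sha1" in rec.sig_alg.lower():
            notes.append("SHA-1 signature: replace before the scheduled renewal")
        rows.append((classify(rec, now, window), days_until_expiry(rec.not_after, now), rec, notes))
    rows.sort(key=lambda row: (rank[row[0]], row[1]))
    return rows


def action_list(inventory, now=None, window=RENEWAL_WINDOW_DAYS):
    """Just the (owner, location, status) triples that need a ticket raised."""
    return [(rec.owner, rec.location, status)
            for status, _days, rec, _notes in sweep(inventory, now, window)
            if status != "OK"]


if __name__ == "__main__":
    for status, days, rec, notes in sweep(INVENTORY, DEMO_NOW):
        extra = f"  [{'; '.join(notes)}]" if notes else ""
        print(f"{status:8} {days:5d} days  {rec.location:28} owner={rec.owner}{extra}")
```

Because each record carries an owner, action_list() maps directly onto the ticket-per-owner workflow the automated tools implement; run it daily and the expired row at the top of the list is the outage you did not have.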
SSL certificates protect data by using a key pair: a public key and a private key. Together, these keys handle encryption and decryption. The process looks like this:
Your private key is the most important component of your SSL certificate. It is what proves to clients, during the TLS handshake, that your server is the one the certificate was issued to, and it is what lets the handshake establish the session keys. It never leaves your server and must be protected accordingly. If you lose it, you will at least have to generate a new key pair and reissue and reinstall your SSL certificate. If it is compromised, revoke the certificate immediately as well: anyone holding the key can impersonate your website.
Fundamentally, every SSL certificate enables the same encryption; the strength of the connection comes from the key and the TLS configuration, not from the certificate type. What differs between types is how thoroughly the CA verified who is behind the name. There are three main types, offering different levels of identity assurance:
1. Domain Validated Certificate (DV)
The cheapest type of certificate is the Domain Validated certificate. The CA checks only that the applicant controls the domain (through DNS, e-mail, or an HTTP challenge) and collects no identifying organization information. The encryption is the same as with any other certificate, and DV certificates are suitable for most websites. What they cannot do is tell a visitor which organization is behind the domain, so anyone who registers a look-alike domain can obtain one; that is the gap OV and EV certificates are meant to close.
2. Organization Validated Certificate (OV)
With these certificates, organizations are authenticated against government business registries. During the validation process, business personnel may be contacted and documents may be requested. OV certificates are commonly used on commercial or public-facing sites where the organization name should appear in the certificate. They carry verified business information in the Subject field of the X.509 certificate.
3. Extended Validation Certificate (EV)
Extended Validation certificates are used by many of the world’s leading organizations. The CA/Browser Forum’s Guidelines for Extended Validation lay out the stringent criteria and strict vetting process required to obtain one. It is the most thoroughly vetted type of certificate, which makes it harder to obtain one that impersonates an established organization. Note, however, that the major browsers no longer display the organization name in the address bar for EV certificates, so the visual cue for end users has largely disappeared.
CAs can offer different products within those three primary types of certificates, like a Wildcard certificate. A Wildcard SSL certificate is a popular choice for organizations that manage multiple sites hosted across numerous subdomains. A wildcard such as *.example.com covers any single-label subdomain (www.example.com, api.example.com) but not deeper names (a.b.example.com), and not the bare domain unless it is listed as an additional name. Be aware that every host using the wildcard shares one private key, so a compromise on any one of them exposes all of them.
A common mistake is choosing the wrong SSL certificate for your site. Don’t go off price alone. Determine the security you need, look at how secure the CA is, then analyze the specs and features of each product to determine the best one for you.
Another mistake organizations may make is being ill-prepared for the validation process. For a Domain Validated certificate, that may be as simple as having the correct WHOIS registry information. For better certificates, you will need to furnish more information to satisfy the requirements. Make sure that info is all ready to go before starting the process to purchase an SSL certificate.
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are both cryptographic protocols that provide authentication and data encryption between servers, machines, and applications operating over a network (e.g. a client connecting to a web server). SSL is the predecessor to TLS, but many applications configure their implementation together as “SSL/TLS.” The term SSL is still commonly used, but at this time it usually refers to TLS protocol and certificates. (For more information, visit Understanding the Difference between SSL and TLS.)
Over the years, new versions of the protocols have been released to address vulnerabilities and support stronger cipher suites and algorithms. SSL 2.0 and SSL 3.0 were deprecated by the IETF in 2011 (RFC 6176) and 2015 (RFC 7568) respectively, and TLS 1.0 and 1.1 followed in 2021 (RFC 8996). Vulnerabilities have been, and continue to be, discovered in the deprecated protocols, such as POODLE in SSL 3.0.
TLS uses stronger cryptography than SSL, and the version is negotiated by client and server at the start of the connection. TLS 1.0 does not interoperate with SSL 3.0, and a server that still offered SSL 3.0 could historically be pushed into using it by an attacker on the path (a downgrade attack). Modern browsers refuse to connect to a web server that offers only the old protocols. For these reasons, you should disable SSL 2.0 and 3.0 in your server configuration, leaving only TLS enabled.
Last but not least, it is important to note that certificates are not dependent on protocols. Hence, you don’t have to replace SSL certificates with TLS certificates and you can use the instructions above to locate either SSL or TLS certificates. Don’t forget that most vendors refer to them as SSL/TLS Certificates.
In addition to disabling SSL 2.0 and SSL 3.0, it is also advisable to disable TLS 1.0 and TLS 1.1, since the major web browsers dropped support for both in 2020 and the IETF has deprecated them. The procedure for disabling these protocols is described below.
In order to disable these protocols, the procedure is identical. We will demonstrate how to disable SSL 3.0 and at the end we will provide the key combinations for disabling all three protocols.
Note: If the key SSL 3.0 is already existing, skip steps 3 and 4.
Below are the key combinations for disabling the SSL 2.0, SSL 3.0 and TLS 1.0 protocols on Windows 10 or Windows 2012 server.
For SSL 2.0
For SSL 3.0
For TLS 1.0
Note: under each protocol key there is a Client subkey and a Server subkey, and each can hold two DWORD values, "Enabled" and "DisabledByDefault". To switch a protocol off for a given side, set Enabled to 0 and DisabledByDefault to 1 under that subkey; a reboot is required before Schannel picks up the change.
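The registry procedure above is how the policy is expressed for Schannel; an application that brings its own TLS stack (a Python service, for instance) has to express the same policy in code. The following Python example is added here and is neither the article’s code nor a Windows procedure: hardened_server_context() builds a server context that accepts only TLS 1.2 and 1.3 with forward-secret AEAD cipher suites, and audit_versions()/audit_context() report any protocol below TLS 1.2 that a given minimum/maximum setting would still negotiate, which is the check to run against a context you did not build yourself. The certfile and keyfile parameters are placeholders for your own PEM files and are left unset so the function can be exercised without them.

```python
"""Protocol policy for a Python TLS server: SSL 2.0/3.0 and TLS 1.0/1.1 off.
Added example, not the article's code. certfile/keyfile are placeholders."""
import ssl

# Oldest to newest; everything below OLDEST_ACCEPTABLE is an audit finding.
VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
OLDEST_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def allowed_versions(minimum, maximum):
    """Protocol versions a context with this minimum/maximum would negotiate.
    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean 'whatever OpenSSL allows', which
    the audit treats as the full range (worst case)."""
    lo = VERSIONS[0] if minimum == ssl.TLSVersion.MINIMUM_SUPPORTED else minimum
    hi = VERSIONS[-1] if maximum == ssl.TLSVersion.MAXIMUM_SUPPORTED else maximum
    return [v for v in VERSIONS if lo <= v <= hi]


def audit_versions(minimum, maximum):
    """Names of protocol versions that are enabled but should not be."""
    return [v.name for v in allowed_versions(minimum, maximum) if v < OLDEST_ACCEPTABLE]


def audit_context(ctx):
    """Same audit, read straight off an ssl.SSLContext."""
    return audit_versions(ctx.minimum_version, ctx.maximum_version)


def hardened_server_context(certfile=None, keyfile=None):
    """Server context equivalent to 'only TLS 1.2 and 1.3 enabled'.
    certfile/keyfile are the PEM paths of your certificate chain and private key
    (placeholders here; the chain is loaded only when a path is given)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 3.0, TLS 1.0 and 1.1 off
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression enables CRIME-style attacks
    # TLS 1.2: forward-secret AEAD suites only. TLS 1.3 suites are fixed by OpenSSL.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # A context whose floor is TLS 1.0 (the state the article says to fix) versus the hardened one.
    print("legacy floor TLS 1.0 :", audit_versions(ssl.TLSVersion.TLSv1, ssl.TLSVersion.MAXIMUM_SUPPORTED))
    print("hardened             :", audit_context(hardened_server_context()))
```

The same two settings, minimum_version and maximum_version, apply to a client context built with ssl.create_default_context(), so the audit can be pointed at outbound connections as well as the server side.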
While the importance of TLS in the relaying of sensitive information online is understood and acknowledged, many companies use it to secure all communications between their servers and browser, whether or not the data is sensitive. Steps for enabling TLS on servers depend on your server, but here are detailed instructions on how to enable TLS 1.2 on Windows servers.
The latest versions of the major browsers now support TLS 1.3, and it’s relatively simple to enable it to enjoy increased privacy and performance.
At the time of writing, Schannel supports TLS 1.3 only on Windows 11 and Windows Server 2022; earlier Windows versions offer TLS 1.0, 1.1, and 1.2. Use the most recent version your platform supports, and keep TLS 1.2 enabled in any case.
To enable TLS 1.2 where it is not already on by default (it is enabled by default from Windows Server 2012 onward), create the DisabledByDefault DWORD value and set it to 0, and make sure no Enabled value set to 0 is present, in the following Registry location:
DWORD name: DisabledByDefault
DWORD value: 0
If needed, here are more detailed instructions on how to enable TLS 1.2 on Windows servers.
TLS is the successor to SSL. In general terms it uses stronger cryptography and removes the weaknesses found in the SSL versions.
TLS uses a combination of symmetric and asymmetric cryptography. Asymmetric cryptography (the certificate’s key pair) is used at the start of the connection: the server proves it holds the private key matching the public key in its certificate, and the two sides agree on a fresh session key (in TLS 1.3 always via ephemeral Diffie-Hellman, so that a later theft of the private key cannot decrypt recorded traffic). The bulk of the data is then encrypted and decrypted with symmetric cryptography using that shared session key, which is far faster than public-key operations.
TLS 1.0 was published in 1999 as the replacement for SSL 3.0. TLS implementations have traditionally been able to fall back to the older SSL versions for compatibility, which is exactly the path downgrade attacks exploit. Any website still offering the outdated SSL protocols should disable them and enable TLS only.
SSL security is a critical component to an enterprise’s overall security strategy. With the increasing number of Internet-connected devices, online portals, and services that organizations manage, there are more opportunities for vulnerabilities and a growing number of threats that these systems face.
Organizations today require the use of SSL certificates to ensure secure data transmission for sites and internal networks. Hence, system administrators are responsible for numerous certificates that come with unique expiration dates. Therefore, keeping track of each and every certificate has become burdensome and unmanageable.
For administrators, it has become essential and mission critical to have a single, centralized platform to handle the installation, deployment, monitoring, and total management of all SSL Certificates within their network regardless of issuing Certificate Authority (CA). Organizations without proper certificate lifecycle management can face security and management gaps.
In order for a certificate life cycle management to be effective all certificates need to be consolidated into a single management system such as the Venafi Trust Platform or Venafi as a Service. With these solutions in place, administrators may perform continuous monitoring of systems and certificates, and generate an audit for governance and compliance purposes. What is more, this approach reduces the overall cost and complexity of managing SSL certificates across a distributed environment.
If you feel dizzy after following the above procedures and want to reap the security benefits of certificate lifecycle management automation, contact Venafi for a tailor-made solution.