How does an SSL Certificate work between Client and Server?


An SSL certificate is an important component of many websites: it keeps the connection between client and server encrypted and safe, which makes a website more trustworthy for the visitor. Websites that deal with any type of financial transaction are especially likely to use SSL certificates to protect the financial security of their visitors. But have you ever wondered, “How does an SSL certificate work between client and server?”

Let’s try to unveil the mystery!

How does an SSL Certificate work between Client and Server?

SSL stands for Secure Sockets Layer, a protocol for encrypting and securing the communication that happens between client and server. It works by authenticating clients and servers using digital certificates, and by encrypting and decrypting the communication with keys that are associated with the respective client and server.

If you want an exact picture of how it works, I have simplified it into the following steps.

How does an SSL certificate work, step by step?

  • The client initiates by sending a request to the server for building a secure session.
  • The server responds by sending its SSL certificate to the client.
  • Next, the client receives the given SSL certificate.
  • The client then authenticates the server by using a list of known certificate authorities.
  • Now, the client generates a random symmetric key and encrypts it using the server’s public key.
  • Finally, the client and server both know the symmetric key and can use SSL encryption to encrypt and decrypt the information carried in the client request and the server response.

How does SSL certificate validation work?

SSL certificate validation relies on asymmetric encryption, also called public-key cryptography or public-key encryption.

Asymmetric encryption works with two keys: the public key and the private key. The public key is used to encrypt data, whereas the private key is used to decrypt it. With this secure form of communication, websites can give their customers assurance about their transactions and build trust.

There are mainly three types of SSL validations:

  • Domain Validation:

This is the most basic type of SSL validation, and it can be completed in a single step. In this type of validation, the CA verifies that the applicant who has requested the certificate is the owner of that particular domain.

The applicant for this type of validation therefore needs to prove ownership of the domain via email authentication.

The CA (Certificate Authority) then checks the email address in the WHOIS registrar record to confirm the applicant’s request for the SSL certificate. If it is approved, the CA sends the DV SSL certificate to the applicant/owner.

The main advantage of this type of certificate is that it can be installed on the website easily and quickly, and the padlock sign starts showing beside the website URL, which helps boost the site’s SEO ranking.

It is also much more time- and cost-efficient, making it the best fit for small-scale businesses or a person running a single website.

Everything comes with a drawback, and that is true for this type of certificate too: it is only valid at the domain level, not at the organizational level.

Some common examples of DV certificates are Comodo Positive SSL, RapidSSL, and Thawte SSL123.

  • Organization Validation:

This type of SSL certificate is best for medium-scale businesses, as the CA audits the organization before issuing the certificate.

When the padlock is clicked, it shows the company name, domain name, and company location.

Some requirements must be met before an OV certificate is issued, since they allow the CA to tell fake organizations from real ones. These requirements are:

  • Authentication of the Organization.
  • Local presence.
  • Telephone Verification.
  • Domain Verification.
  • Verification Call.

This process takes approximately 1 to 3 business days, as business verification can sometimes take a long time.

Examples of OV certificates: Comodo Instant SSL Pro, GeoTrust True BusinessID SSL, GlobalSign Organizational SSL certificate, etcetera.

  • Extended Validation:

This type of SSL validation is used by large enterprises and corporations, as it displays trust at a higher level. Because the issuing process is more rigorous, it instantly connects the user with the trust factor.

EV costs the same as OV, but it distinguishes phishing sites, prevents phishing attacks, and displays trust and confidence in the website that inspires users to visit.

Similar to OV, it also displays the company title and its details, and because of the trust it carries, it can help conversions and ROI. Again, due to its rigorous verification process, it can take 1 to 3 business days.

Apart from the EV SSL agreement forms, a few other documents are also required:

  • Lawyer’s Letter.
  • Business Authentication (like; address and date of registration).
  • Telephonic Verification.
  • Domain Authentication.
  • EV SSL CA Approver’s Authentication.
  • Other documents.

Examples of EV SSL certificates: Comodo EV Multi-domain SSL certificate, GlobalSign EV SSL, GeoTrust TBID EV SSL (Single Domain), etc.

How does SSL certificate handshake work?

An SSL connection always begins with an SSL handshake. The handshake uses asymmetric cryptography to let the browser verify the web server and obtain its public key; after that, a secure connection is established from the start of the session.

To get a clear idea of a successful SSL handshake, I have jotted down the entire process in steps:

  • The client sends a “Hello” message.
  • Then, the server responds with a “Hello” message.
  • After that, the client verifies the server’s SSL certificate, which was issued by the CA, and tries to authenticate the server.
  • The client then creates a session key, encrypts it with the server’s public key, and finally sends it to the server. If the server has requested client authentication, the client also sends its own certificate to the server.
  • Finally, the server decrypts the session key with its private key and sends the acknowledgment to the client, encrypted with the session key.

Thus, both the server and the client hold a valid session key at the end of the SSL handshake, and that key is used to encrypt and decrypt the actual data. The public and private keys are not used after this point.

Note: If authentication of the server’s SSL certificate fails, the client refuses to establish the connection.
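The key-exchange steps above (client picks a session key, encrypts it with the server’s public key, server decrypts it with its private key, both then switch to symmetric encryption) acted out with the openssl command-line tool. This is an added example, not code from the original post; it assumes openssl and mktemp are on PATH, and every file name in it is made up for the demonstration. It also goes one step further than the text by showing that a different private key cannot recover the session key.

```shell
#!/bin/sh
# Added example (not from the original post): the key-exchange part of the
# SSL handshake, step by step, using the openssl CLI.
# Assumptions: openssl and mktemp are on PATH; all file names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Server side: an RSA key pair. The public half is what the server's
# certificate carries to the client; the private half never leaves the server.
server_setup() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out server.key 2>/dev/null
    openssl pkey -in server.key -pubout -out server_pub.pem
}

# Client side: pick a random 256-bit session key and encrypt it to the
# server's public key (RSA-OAEP). Only the matching private key can undo this.
client_key_exchange() {
    openssl rand -hex 32 > client_session.hex
    openssl pkeyutl -encrypt -pubin -inkey server_pub.pem \
        -pkeyopt rsa_padding_mode:oaep \
        -in client_session.hex -out session.enc
}

# Server side: recover the session key with the private key.
# Returns 0 when both parties now hold the same key.
server_recover_key() {
    openssl pkeyutl -decrypt -inkey server.key \
        -pkeyopt rsa_padding_mode:oaep \
        -in session.enc -out server_session.hex
    [ "$(cat client_session.hex)" = "$(cat server_session.hex)" ]
}

# Application data: the client encrypts with its copy of the session key and
# the server decrypts with its copy. The RSA keys play no part from here on.
# Prints the plaintext the server recovers.
symmetric_exchange() {
    printf '%s' "$1" > request.txt
    iv=$(openssl rand -hex 16)   # travels in the clear, like a TLS nonce
    openssl enc -aes-256-cbc -K "$(cat client_session.hex)" -iv "$iv" \
        -in request.txt -out request.enc
    openssl enc -d -aes-256-cbc -K "$(cat server_session.hex)" -iv "$iv" \
        -in request.enc
}

# Property check: a party holding a different RSA private key cannot recover
# the session key from session.enc. Returns 0 when decryption fails as expected.
other_key_cannot_recover() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out other.key 2>/dev/null
    if openssl pkeyutl -decrypt -inkey other.key \
        -pkeyopt rsa_padding_mode:oaep \
        -in session.enc -out /dev/null 2>/dev/null; then
        return 1
    fi
    return 0
}

# Stand-alone run: walk through the exchange once.
server_setup
client_key_exchange
server_recover_key
echo "session key agreed by both sides"
symmetric_exchange "GET /account HTTP/1.1"
echo
other_key_cannot_recover && echo "a different private key cannot recover the session key"
```

This mirrors the RSA key-transport exchange the post describes, which is what TLS 1.2 and earlier use with RSA cipher suites; TLS 1.3 removed RSA key transport and always derives the session key with an ephemeral Diffie-Hellman exchange, while the certificate is still what authenticates the server.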

How is an SSL Certificate Generated?

In order to generate an SSL certificate, you must first create a Certificate Signing Request (CSR) on your desired server. This generates a private key and a public key on your server.

The CSR data file, which contains the public key, is then sent to the CA. The CA uses the CSR to generate a data structure that matches your private key, without the private key ever being exposed.

Finally, when you receive the SSL certificate, you can install it on your server. You also have to install an intermediate certificate that establishes the credibility of your SSL certificate by binding it to your CA’s root certificate.

How is an SSL certificate verified?

An SSL certificate can be verified in two ways:

  • Personal Method:

With this method, you check the certificate yourself using an online SSL certificate checker. Such a tool shows you information about the site, such as who holds the certificate, whether it should be trusted, and when the certificate expires.

  • Browser Method:

With this method, the browser downloads the SSL certificates presented by the site. The browser then checks the digital signature on the SSL certificate and cross-checks the site for anything harmful.

Once the SSL certificate is verified, the browser checks that the website you are trying to connect to is really the one named in the certificate, to ensure that you are not being redirected somewhere else, say a hacker’s fake website.

Finally, when verification is fully complete, your browser and the server connect and create a link over which you can send encrypted information that can only be decrypted on the receiver’s end.
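The generation steps (key pair and CSR on your server, signature by the CA, intermediate certificate binding the result to the root) and the browser checks described in the last two sections, run end to end with the openssl command-line tool. This is an added example, not code from the original post; it assumes openssl and mktemp are on PATH, and the CA names, host name and file names are made up. It goes a little beyond the text by showing three checks a browser performs in turn: chain to a trusted root, host name match, and validity period.

```shell
#!/bin/sh
# Added example (not from the original post): build root -> intermediate ->
# server with CSRs, then run the checks a browser performs on the result.
# Assumptions: openssl and mktemp are on PATH; all names and files are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that mark a certificate as a CA (used for root and intermediate).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF

# Extensions for a leaf certificate bound to one host name.
cat > server.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.com
EOF

# Each step is "key pair + CSR on the requester's side, signature on the
# issuer's side". Private keys (root.key, int.key, server.key) stay where they
# were generated; only the CSRs and the signed certificates move.
build_chain() {
    # Root CA: self-signed trust anchor, the kind a browser's trust store holds.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 \
        -extfile ca.ext -out root.crt 2>/dev/null

    # Intermediate CA: its CSR is signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.ext -out int.crt 2>/dev/null

    # Server: the CSR generated on your server, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
        -subj "/CN=www.example.com" 2>/dev/null
    openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 365 -extfile server.ext -out server.crt 2>/dev/null
}

# Check 1: does the certificate chain to a trusted root? With only the root
# on hand the chain is broken; that is why the intermediate must be installed.
verify_without_intermediate() {
    openssl verify -CAfile root.crt server.crt >/dev/null 2>&1
}
verify_with_intermediate() {
    openssl verify -CAfile root.crt -untrusted int.crt server.crt >/dev/null 2>&1
}

# Check 2: is the certificate issued for the host actually being visited?
verify_hostname() {
    openssl verify -CAfile root.crt -untrusted int.crt \
        -verify_hostname "$1" server.crt >/dev/null 2>&1
}

# Check 3: is the certificate valid at the given time ($1 = Unix timestamp)?
verify_at_time() {
    openssl verify -CAfile root.crt -untrusted int.crt \
        -attime "$1" server.crt >/dev/null 2>&1
}

# Stand-alone run: build the chain and report each check.
build_chain
if verify_without_intermediate; then echo "root only: OK"; else echo "root only: rejected (intermediate missing)"; fi
if verify_with_intermediate; then echo "root + intermediate: OK"; fi
if verify_hostname www.example.com; then echo "www.example.com: OK"; fi
if verify_hostname other.example.org; then echo "other.example.org: OK"; else echo "other.example.org: rejected (name mismatch)"; fi
if verify_at_time 1000000000; then echo "year 2001: OK"; else echo "year 2001: rejected (not yet valid)"; fi
```

The "root only" failure is the situation the generation section warns about: a browser that only has the root in its store cannot link your certificate to it unless your server also serves the intermediate. The host-name and time checks are the parts of "browser verification" that catch a certificate that is genuine but issued for another site or no longer (or not yet) valid.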

Final Remarks on “How does an SSL certificate work between client and server”

When a site is equipped with an SSL certificate, a user feels much more comfortable visiting it. The padlock symbol shows that the site has an SSL certificate, and clicking it reveals the site information.

It is therefore essential to get an SSL certificate for your organization or business, and to understand how it works, so that the data transmitted between the client and the server stays private and your users have more reason to trust you.