What is an SSL certificate?

A slightly technical overview of SSL

Secure Sockets Layer (SSL) certificates are used to encrypt data that is sent between a web browser and a website. Only these two parties can read the data; a hacker who intercepts it will not see anything intelligible. When a website is secured by SSL, the user of the website will see a notification in the browser address bar such as a padlock or a green colour. Another indication is that the address of the website is preceded by https rather than http.

A traditional analogy is with the postal system: sending data to a website without SSL is like sending a postcard. The postman and anyone else who handles your mail can read your postcard. It can easily be stolen from your letter box and the message on it could even be changed. You would not write your credit card number on a postcard, nor would you write personal information on one.

Two keys are used to set up an SSL connection: a private key and a public key. A key is just a long string of data that is analogous to the teeth on your front door key. The public key is freely given out but the private key is kept secure by the web-server. The public key can be used to lock up (encrypt) data but only the private key can unlock (decrypt) it.

When a secured page is requested, the web-server will return the certificate and the public key. The browser will check the certificate for validity before displaying content. When a user enters data in a form, the browser will encrypt the data using the public key and send it to the web-server. The web-server will decrypt it with the private key and process the data.

This explanation is simplified, but it should serve to illustrate the idea.

SSL certificates are created by trusted third parties called Certificate Authorities (CAs). One of their responsibilities is to confidently assure us that the buyer, the organisation and the website are legitimate. Actually, anyone can create an SSL certificate, so it's important to get one that is issued by an official authority. A CA will check out your application before it issues the certificate to ensure that it is not issuing to a hacker.
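
The key pair, the browser's validity check and the CA's role described above can be traced in a small toy model. This is an added example, not code from the original page: it uses textbook RSA without padding and a dictionary in place of a real certificate, so it illustrates the idea only and is not how a production SSL library works. The site name shop.example, the form data and all function names are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent used by every toy key pair below

def make_keypair(p, q):
    """Textbook RSA: return (public, private) keys built from two primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def encrypt(public_key, data):
    n, e = public_key
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(key, ciphertext):
    n, exp = key
    m = pow(ciphertext, exp, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(site, site_public, n):
    blob = f"{site}|{site_public[0]}|{site_public[1]}".encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def issue_certificate(signer_private, site, site_public):
    """Bind a site name to its public key with the signer's private key."""
    n, d = signer_private
    return {"site": site, "public_key": site_public,
            "signature": pow(_digest(site, site_public, n), d, n)}

def browser_accepts(cert, requested_site, trusted_ca_public):
    """Validity check: right site name and a signature made by the trusted CA."""
    n, e = trusted_ca_public
    expected = _digest(cert["site"], cert["public_key"], n)
    return cert["site"] == requested_site and pow(cert["signature"], e, n) == expected

# Constructed sample keys (Mersenne primes: fine for a demo, unsafe for real use).
CA_PUBLIC, CA_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)
SITE_PUBLIC, SITE_PRIVATE = make_keypair(2**89 - 1, 2**107 - 1)

ca_cert = issue_certificate(CA_PRIVATE, "shop.example", SITE_PUBLIC)      # issued by the CA
self_made = issue_certificate(SITE_PRIVATE, "shop.example", SITE_PUBLIC)  # signed by its own key

FORM_DATA = b"name=Alice&qty=2"  # constructed form submission
ciphertext = encrypt(ca_cert["public_key"], FORM_DATA)

if __name__ == "__main__":
    print("CA-issued accepted:", browser_accepts(ca_cert, "shop.example", CA_PUBLIC))
    print("self-made accepted:", browser_accepts(self_made, "shop.example", CA_PUBLIC))
    print("server decrypts:", decrypt(SITE_PRIVATE, ciphertext))
```

The self-made certificate carries the same site name and public key as the CA-issued one, yet the check rejects it because its signature was not produced with the trusted CA's private key.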