Overview
In securing your web site with a digital certificate, your main aim is to provide proof of your online identity and in so doing establish a relationship of trust with those with whom you wish to interact online, with authentication being the most important element of a digital certificate.
Authentication provides users with proof that:
1. your company is a bona fide real world company.
2. they are connecting to the correct server.
A certificate's level of authentication may be seen as an indication of its quality – the higher the level of authentication provided, the greater the quality of the certificate. It is therefore important to understand that the various digital certificates available each differ in level of authentication depending on the issuing Certificate Authority (CA) or even the specific product. Some CAs perform only very basic authentication prior to issuing a certificate while others conduct extensive checks to ensure the identity of the applying organisation.
The following are the various authentication checks that are performed by CAs:
• Domain lookup to confirm that applying company owns the domain.
• Check existence of company to confirm that it is a legally registered organisation.
• Verification of identity of individual requesting certificate to confirm that they are an authorized representative.
All CAs perform one or more of these authentication checks, the result is certificates with a range of differing levels of quality. It is important to note that the more authentication checks performed the better the quality of the certificate. So make sure you determine exactly what authentication checks are performed before purchasing.
SSL Certificate Purchase Options
Our customers primarily opt for one of two options when securing Baker Tilly Revas online applications with a SSL certificate, these are as follows:
• A free CAcert (http://www.cacert.org/) certificate, which although secure is not registered with common internet browsers such as Firefox and Internet Explorer and as such users will be presented with connection security warnings. The users can choose to ignore the warnings and not be prompted again.
•The alternative is to purchase a certificate from a provider such as Thawte http://www.thawte.com/ or VeriSign (http://www.verisign.com/) whose certificates are registered with common internet browsers. Certificates which are registered on internet browsers do not prompt the user with the above warning messages.
SSL Certificate setup process
• Any sub domains required (e.g. timesheets.yourdomain.com) should be created by the client and confirmed to Baker Tilly Revas in writing.
• Baker Tilly Revas will generate a server certificate for each sub domain, which will in-turn be forwarded to the client.
• Upon receipt of the server certificate(s) the client should purchase the SSL certificate for each sub domain from a Certificate Authority. During the purchase process the server certificate(s) provided by Baker Tilly Revas need to be uploaded.
• The SSL certificate provider will supply a certificate which would need to be forwarded to Baker Tilly Revas. The certificate is used to generate a key store which is then uploaded to the server.
• Upon completion of these steps the site will be secure and can be accessed via the https protocol.
Certificates and Web Site Security
Reference: http://en.wikipedia.org/wiki/Ssl_certificate 14 April 2009
The most common use of certificates is for HTTPS-based web sites. A web browser validates that an SSL (Transport Layer Security) web server is authentic; so that the user can feel secure that their interaction with the web site has no eavesdroppers and that the web site is who it claims to be. This security is important for electronic commerce. In practice, a web site operator obtains a certificate by applying to a certificate provider with a certificate signing request. The certificate request is an electronic document that contains the web site name, contact email address, and company information. The certificate provider signs the request, thus producing a public certificate. This public certificate is served to any web browser that connects to the web site and proves to the web browser that the provider believed that the provider issued a certificate to the owner of the web site. Before issuing a certificate, the certificate provider will request the contact email address for the web site from a public domain name registrar, and check that published address against the email address supplied in the certificate request. Therefore, an https web site is only secure to the extent that the end user can be sure that the web site is operated by someone in contact with the person that registered the domain name.