6 SSL Certificate Best Practices to Improve Your Website Security - Comodo SSL Resources (2024)

Loading...

There’s more to SSL than just installing digital certificates

From “do we even need SSL?” to “we don’t have SSL yet?” — the world of website security has witnessed a dramatic change in the attitude of website owners. An SSL certificate is no longer a luxury for them; it’s an absolute necessity. Regardless of whether your goal is to avoid security warnings displaying in browsers for non-HTTPS sites or to enjoy the SEO advantage given to HTTPS sites, it’s important that you follow SSL certificate best practices.

The rise in the adoption of HTTPS has beenmassive. Almost 50% of the top one million websites use HTTPS by default (they redirectinquiries of HTTP pages to URLs with HTTPS). Moreover, it’s not just thebig-name websites that have migrated to HTTPS; websites or blogs run byindividuals, too, have realized the significance an SSL certificate holds ontoday’s internet.

If you’re a website administrator, chances are that you might already have an SSL certificate. Or, you might be planning to get one. In either case, you must understand that having HTTPS in front of your website name isn’t enough. You must implement it properly by tightening every nut and bolt involved in the process. And adhering to SSL certificate best practices is an important part of that.

Here are the SSL certificate best practicesthat you must follow so that you don’t leave a single crack for the attackersand make the best of the investment you’ve made by purchasing an SSL certificate:

1. Purchase an SSL Certificate That’s Appropriate for YourWebsite

Did you know that SSL certificates come in various shapes and sizes in terms of functionality and validation? Primarily, there are three types of SSL certificates — domain validation (DV) SSL certificates, organization validation (OV) SSL certificates, and extended validation (EV) SSL certificates.

Domain validation (DV) certificates are perfect for you if you need encryption and nothingmore. They’re usually the least expensive and can be issued within minutesbecause the validation process is automated.

Organization validation (OV) SSL certificates are mid-level SSL certificates. To obtain an OV SSLcertificate, you must be a registered company or organization, and you mustundergo light business vetting. This can take up to three business days becausecertificate authority (CA) has to verify your business information. OV SSLdisplays the same visual indicators as DV SSL but provides a way for yourcustomers to check your verified business information in the certificatedetails section.

Extended validation (EV) SSL certificates require extensive business vetting by a reputable certificateauthority. This may sound like a lot, but it’s really not if your business haspublicly available records. EV SSL activates a unique visual indicator — yourverified organization name and address shown in the browser when you click onthe padlock icon. These SSL certificates help you assert the most identity togain customer trust and credibility. If you have a website where establishingcredibility is imperative (such as an ecommerce website), these SSLcertificates are meant for you.

2. Purchase an SSL Certificate from a Reputed CertificateAuthority

You might purchase the best-in-class SSLcertificate, but what if the certificate authority that issued your certificatelater gets compromised? What if they make a terrible mistake that puts yourwebsite security at risk?

The thing that you need to know about certificate authorities is that they’re not the same. Some are more reputed than the others, for many reasons. This is where the second point on our list of SSL certificate best practices comes into play.

Here’s a little checklist that you should consider before finalizing a certificate authority:

• Security history and reputation
• Services offered
• Popularity
• Support for certificate revocation list (CRL) and online certificatestatus protocol (OCSP) revocation methods
• Certificate management solutions (for managing certificates in largenumbers)
• Help, support when and how you need it
• Positive reviews by customers

3. Properly Configure Your Server

Installing a top-of-the-line SSLcertificate and not updating your server for its use is a lot like purchasing aFormula One race car and using it to drive to your office. Okay, that’s a totalexaggeration, but you got the point, right? Here’s what you need to configure:

1. Configure to Use LatestSecurity Protocols

As far as the security protocols areconcerned, you must configure your server to use TLS 1.2 and 1.3. Both theseprotocols embody vast improvements over their predecessors — TLS 1.0 and 1.1.Moreover, all major browsers will be deprecating support for them by the firsthalf of 2020.

2. Configure to Use SecureCipher Suites

Cipher suites play a significant role inSSL handshake — the process that enables a secure connection between yourserver and users. If you’re using a cipher suite that’s been deprecated or hasbeen found vulnerable, you’re putting your website security at risk. That’s whyusing secure cipher suites that support 128-bit (or more) encryption isparamount.

3. Configure to Use 2048-BitKey Exchange

Diffie-Hellman key exchange (DHE), the mostwidely adopted key exchange algorithm, was found to be vulnerable in case oflower-strength key exchanges (768-bit and 1024-bit). Not only that, some DHgroups were found to be broken by nation state actors. Of course, you don’twant that. Therefore, we recommend deploying DHE with at least 2048-bitsecurity.

4. Protect Your Private Keys

Yes, this general best practice is asobvious as it can be. Some might even call it a cliché, but it’s the mostessential SSL certificate best practice you can follow as far as protecting yourSSL certificates is concerned. Essentially, the private key is what makes everySSL certificate tick. In layman’s terms, your private key is your certificate.If someone gets hold of your private key, you could be in the middle of ameltdown.

Here are our recommended practices toprotect your private key:

• Generate private key on asecure computer
• Protect your private key with arobust password
• Store your private key in ahardware device
• Revoke your certificateimmediately if your private key gets compromised
• Generate a new private keywhenever you renew your certificate

5. Implement HSTS (HTTP Strict Transport Security)

Almost 50% of the top one million websitesredirect users on their HTTPS URLs even if a user requests for an HTTP webpage.That’s because they’ve implemented HSTS (HTTP Strict Transport Security). Toimplement HSTS, you must add a new response header to your website. Onceimplemented, it won’t allow your website to make any insecure (HTTP) connectionas it converts all plaintext HTTP URLs into HTTPS.

Here’s the header that you’ll need to addto your website:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

6. Ensure Your Certificates Are Valid Through SSLCertificate Management Best Practices

One thing that many people tend to forget is that SSL/TLS certificates come with a set validity period. This oversight is pretty common, and even big giants such as LinkedIn were found sleeping on the job. Expired SSL certificates can result in site downtime or outages, direct and indirect costs, and reputation damage for your organization.

This is where our certificate validity period best practice can come in handy. Make sure that your SSL certificates are renewed before their certificate validity period ends to avoid downtime and security threats that might arise as a result of the gap in your cyber defenses.