TLS/SSL Certificate Cheat Sheet

SSL Certificate Cheat Sheet

What are the different types of SSL Certificates that you can get if you’re running a website?  SSL is one of those small things that everyone with a website needs.  But there are multiple types of certs to get and all the permutations can get confusing.  This is a cheat sheet to help clarify the different cert types and classes.

Types of Certs:

  • Shared domain from a hosting/CDN provider – i.e., or
  • SAN certificate –  SAN stands for shared alternative name. Where a cert can have multiple domain names.  Typically used by a CDN provider who can provide use a single cert for multiple customers.
  • Wildcard Certs – i.e. * – used to cover a domain and all subdomains
  • SNI certs – similar to SAN certificates, however instead of requiring separate IP addresses for each domain, and requiring a shared cert to include all the different domain names, SNI includes an additional request into the TLS handshake protocol which allows web browsers that support it to be verify a cert even if each domain is hosted on the same IP.

Validation Methods

  • DV – domain validation – the worst type of validation, check with domain registrar which is easily hacked.
  • OV – organization validation – this is an upgrade from DV, as there is a government business registration check.
  • EV – extended validation – the Certificate Authority / Browser forum has ratified a long process that businesses have to go through to get their certificates validated.  This is the most secure type of cert.

Cipher Suites

  • A cipher suite is a set of algorithms that secure a TLS connection.
  • Each cipher suite is comprised of the following algorithms at least:
    • key exchange – to exchange keys in a TLS handshake
    • bulk encryption – to actually encrypt the main data being sent
    • message authentication (MAC) – authenticates message came from correct sender and wasn’t tampered with
  • When a TLS connection is started, a TLS Handshake occurs between the sender and receiver to coordinate what cipher suites to use
Screen Shot 2019-03-13 at 9.39.56 AM.png
cipher suites examples from Wikipedia

SSL / TLS 1.2 / TLS 1.3

  • SSL was old
  • TLS 1.2 is newer (2 RTT handshake)
  • TLS 1.3 is newest! (removes 1 RTT from handshake)