Frequently Asked Questions
What is a Web Server Certificate?
How does a Web Server Certificate work?
What Is the Difference Between a High and a Medium Assurance Web Server Certificate?
What Is the Encryption Strength of Starfield Web Server Certificates?
What is SSL?
How does the customer know that a site is secure?
What happens when my certificate expires?
What does it mean to revoke a certificate?
What does it mean to reissue a certificate?
What does it mean to re-key a certificate?
What is browser ubiquity?
How long does it take to issue an SSL Certificate?
What information does Starfield validate, and why?
What happens if validation fails?
How do I install my SSL certificate?
How do I generate a Certificate Signing Request (CSR)?
How do I monitor the progress of my certificate request?
How do I obtain a Domain Registration Letter?
What is an intermediate certificate?
How do I install an intermediate certificate?
What happens if I don't install the intermediate certificate?
Why do visitors receive a security alert when accessing my secure site?
What if I lose my Starfield password?
Does a Starfield Web server certificate secure both "www.domainnamegoeshere.com" and "domainnamegoeshere.com"?
Why is my secure site not displaying the "padlock" icon in the browser's status bar?
Which Countries Are Currently Supported for Certificate Issuance?


What is a Web Server Certificate?
A Web Server SSL Certificate is a digital certificate that authenticates the identity of a Web site to visiting browsers and encrypts information for the server via Secure Sockets Layer (SSL) technology. Encryption is the process of scrambling data into an undecipherable format (ciphertext) that can only be returned to a readable format with the proper decryption key. All Starfield Web Server Certificates use 128-bit encryption.

A certificate serves as an electronic "passport" that establishes an online entity's credentials when doing business on the Web. When an Internet user attempts to send confidential information to a Web server, the user's browser will access the server's digital certificate and establish a secure connection.

A Web Server SSL Certificate contains the following information:
  • The certificate holder's name,
  • The certificate's serial number and expiration date,
  • Copy of the certificate holder's public key,
  • The digital signature of the certificate-issuing authority.

How does a Web Server Certificate work?
A Starfield Web Server SSL Certificate secures safe, easy and convenient Internet shopping. Once an Internet user enters a secure area — by entering credit card information, e-mail address or other personal data, for example — the shopping site's Web Server SSL Certificate enables the browser and Web server to build a secure, encrypted connection. The SSL "handshake" process, which establishes the secure session, takes place discreetly behind the scenes without interrupting the consumer's shopping experience. A "padlock" icon in the browser's status bar and the "https://" prefix in the URL are the only visible indications of a secure session in progress.

By contrast, if a user attempts to submit personal information to an unsecured Web site (i.e., a site that is not protected with a valid SSL certificate), the browser's built-in security mechanism will trigger a warning to the user, reminding him/her that the site is not secure and that sensitive data might be intercepted by third parties. Faced with such a warning, most Internet users likely will look elsewhere to make a purchase.

What Is the Difference Between a High and a Medium Assurance Web Server Certificate?
Starfield Technologies offers two types of Web Server SSL Certificates: High Assurance Web Server Certificates and Medium Assurance Web Server Certificates. The main difference between the certificate types lies in validation level and issuance speed. Your choice of certificate type should depend on the size and type of your business, your budget and whether or not you prefer (close-to) instant certificate issuance to a more thorough validation process. See below for a comparison between Starfield's Web Server Certificates.

Certificate Comparison

|  | High Assurance Certificate — Corporate | High Assurance Certificate — Small Business/Sole Proprietor | Medium Assurance Certificate |
| --- | --- | --- | --- |
| Authentication Process | Domain control verification, corporate identity, fraud screening | Domain control verification, individual identity, fraud screening | Domain control verification, fraud screening |
| Issuance Speed | 2-5 business days | 2-5 business days | Immediate |
| Name in Certificate "O" Field | Company name | Requestor name | Web site's common name |
| Encryption Level | 128 bit | 128 bit | 128 bit |

What Is the Encryption Strength of Starfield Web Server Certificates?
All Starfield Web Server Certificates provide 128-bit encryption.

What is SSL?
SSL is the de facto standard for creating a secure, encrypted link between a Web server and a browser. SSL thus ensures safe passage of sensitive information, such as credit card numbers, passwords, user names, etc. SSL is used by e-commerce Web sites as a means to protect online transactions with their customers. Once a secure connection has been established, SSL encrypts information sent from your browser to the Web server. SSL utilizes the public-and-private key encryption system.

How does the customer know that a site is secure?
An "https://" prefix in the URL and a key or padlock icon in the browser's status bar indicate that a Web site is secure.

An SSL-encrypted session is generally commenced once a visitor signs in to a secure area of a Web site, such as the checkout or account-management area of an online store.

What happens when my certificate expires?
If you allow a certificate to expire, the certificate will be invalid and you will no longer be able to secure transactions on your Web site. The user's browser will display a warning upon entering the area of the Web site that was supposedly protected with your SSL certificate. Starfield will prompt you to renew your SSL certificate in due time. You can renew a certificate for one or two years. Please note that a certificate can only be renewed from 60 days before to 30 days after the expiration date.

What does it mean to revoke a certificate?
A certificate holder may request that his/her certificate be revoked, i.e., deleted. A revoked certificate is instantly rendered invalid. Generally, a certificate should only be revoked if the security of the holder's private key has been compromised.

Consider revoking your certificate if any of the following situations occur:
  • Loss of your private key,
  • Your private key is compromised,
  • The certificate contains incorrect information.
A revoked certificate cannot be re-keyed, reissued or renewed.

What does it mean to reissue a certificate?
Reissuing a certificate means reproducing an existing certificate. Certificates are generally reissued if the certificate holder has lost his/her certificate.

What does it mean to re-key a certificate?
Re-keying is the process of replacing an existing SSL certificate. Specifically, re-keying entails:
  1. Deleting/revoking an existing SSL certificate,
  2. Creating a new public/private key pair,
  3. Issuing a new SSL certificate.

The original certificate is automatically deactivated when the new one is issued.

Consider re-keying an SSL certificate if any of the following situations occur:

  • Loss of your private key,
  • Compromise of your private key,
  • Certificate does not work properly.

Note that the Distinguished Name (DN) in the replacement SSL certificate must be identical to the Distinguished Name in the SSL Certificate that is being re-keyed. In other words: The Common Name, Organization Name, Locality, State/Province, and Country — as entered in the Certificate Signing Request (CSR) — must be the same in both of the certificates. Starfield certificate holders can have their certificates re-keyed at no expense.

You can only request a re-key within 30 days of the initial issuance of the certificate. A maximum of two re-key requests is permitted within the 30-day period.
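
A pre-submission check for the two re-key conditions above (identical Distinguished Name, new key pair), as an added example that is not Starfield's own tooling. The function names, file names and subject values are constructed for illustration, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: the DN values below are constructed, not taken from a real request.

CNF=$(mktemp)   # minimal config so the commands do not depend on a system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$CNF"

new_csr() {  # $1 = private key to create, $2 = CSR to create, $3 = subject DN
  ( umask 077   # private key readable by its owner only
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
      -keyout "$1" -out "$2" -subj "$3" ) >/dev/null 2>&1
}

csr_subject() { openssl req -config "$CNF" -in "$1" -noout -subject; }
csr_pubkey()  { openssl req -config "$CNF" -in "$1" -noout -pubkey; }

rekey_check() {  # $1 = CSR behind the current certificate, $2 = replacement CSR
  if [ "$(csr_subject "$1")" != "$(csr_subject "$2")" ]; then
    echo "rejected: Distinguished Name differs"; return 1
  fi
  if [ "$(csr_pubkey "$1")" = "$(csr_pubkey "$2")" ]; then
    echo "rejected: key pair was not replaced"; return 1
  fi
  echo "ok: same DN, new key pair"
}

DN="/C=US/ST=Arizona/L=Scottsdale/O=Example Co/CN=www.example.test"
work=$(mktemp -d)
if new_csr "$work/old.key" "$work/old.csr" "$DN" &&
   new_csr "$work/new.key" "$work/new.csr" "$DN" &&
   new_csr "$work/moved.key" "$work/moved.csr" \
           "/C=US/ST=Arizona/L=Phoenix/O=Example Co/CN=www.example.test"; then
  rekey_check "$work/old.csr" "$work/new.csr"   || true
  rekey_check "$work/old.csr" "$work/moved.csr" || true
  rekey_check "$work/old.csr" "$work/old.csr"   || true
else
  echo "openssl could not create the sample requests"
fi
rm -rf "$work"
```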

What is browser ubiquity?
The term "browser ubiquity" describes an SSL certificate's browser compatibility, i.e., the extent to which the Certification Authority's root certificate is included in the Web browsers on the market. If the root certificate of the CA is present in the "trusted Root Certificates" store of the browser, then the SSL certificates issued by the CA are compatible with that browser. High browser ubiquity thus means that most existing browsers recognize a certificate and that secure transactions can take place on those browsers: the more browsers and browser versions supported, the higher the level of browser ubiquity and the more versatile the certificate. Most SSL certificate services support all major browsers.

Starfield Technologies' root certificate — the Valicert Class 2 Policy Validation Authority — is installed in the following browser versions:

  • Internet Explorer 5.01 and higher
  • AOL 5 and higher
  • Netscape 4.7 and higher
  • Opera 7.5 and higher
  • Safari on Mac OS X 10.3.4 or higher
  • Mozilla (all versions)
  • Firefox (all versions)

That equals 99% total browser ubiquity.

Users of older browser versions may receive a warning that the root certificate is not trusted. When presented with the warning, those users can simply install the root certificate. To do so, click "View Certificate." Then, when the certificate is displayed, click "Install Certificate." Alternatively, users of older browsers may download and install the Starfield root certificate directly from the Starfield repository.


How long does it take to issue an SSL Certificate?
High Assurance Web Server Certificates
If all required documentation is provided and Starfield successfully authenticates the submitted information, a High Assurance Web Server Certificate generally can be issued within 2-5 hours of CSR submission.


Medium Assurance Web Server Certificates
If all required documentation is provided and Starfield successfully authenticates the submitted information, a Medium Assurance Web Server Certificate can be issued within minutes of CSR submission.

What information does Starfield validate, and why?
High Assurance Web Server Certificate — Corporate Authentication Process
Before issuing an SSL certificate, Starfield will authenticate that:
  • The certificate is being issued to an organization that is currently registered with a government authority.
  • The requesting entity controls the domain in the request.
  • The individual requesting the certificate is associated with the organization named in the certificate.
Note: Submitted information must successfully pass a fraud screening procedure before a Web Server Certificate can be issued.

High Assurance Web Server Certificate — Small Business/Sole Proprietor Authentication Process
Before issuing an SSL certificate, Starfield will authenticate that:
  • The individual who requested the certificate is who he/she claims to be.
  • The individual requesting the certificate controls the domain in the request.
  • The individual named in the certificate is the individual who requested the certificate.
Note: Submitted information must successfully pass a fraud screening procedure before a Web Server Certificate can be issued.

Medium Assurance Web Server Certificate
Before issuing an SSL certificate, Starfield will authenticate that:
  • The requesting entity controls the domain in the request.
Note: Submitted information must successfully pass a fraud screening procedure before a Web Server Certificate can be issued.

Starfield's authentication process secures the highest level of trust. Only through thorough validation of submitted data can the online customer rest assured that online businesses that display SSL certificates indeed are to be trusted.

What happens if validation fails?
If Starfield is unable to authenticate the submitted information, the certificate request will be denied. In some cases, the requestor may be able to fix the problem by providing additional documentation to enable authentication. Starfield will notify you if additional documentation is needed.

Note: If Starfield, when processing a High Assurance Web Server Certificate request, is unable to authenticate the existence/identity of the requesting entity, the requestor will have the option of aborting the validation process and instead having Starfield issue a Medium Assurance Web Server Certificate, which relies on validation of domain control only. If the requestor declines this option, the certificate request will be denied.

How do I install my SSL certificate?
To install your certificate, you will need the original private key, which was created when you first generated your CSR. If you cannot find this key, or it cannot be accessed, you cannot use the certificate and you will have to get a new one. Click here for certificate-installation instructions for supported Web server software.

How do I generate a Certificate Signing Request (CSR)?
In order to purchase a digital certificate, you must first generate and submit a Certificate Signing Request (CSR) to a Certification Authority (CA). The CSR is generated with your Web server software, which will also create your public/private key pair used for encrypting and decrypting secure transactions. Click here for CSR-generation instructions for all supported server software.

Please note that if you are applying for a hosting-integrated certificate (i.e., the domain to which you wish to apply the SSL certificate is hosted with one of Starfield's business partners — e.g., GoDaddy.com or Blue Razor Domains) then your hosting provider will generate and submit the CSR for you.

How do I monitor the progress of my certificate request?
You can monitor the status and progress of your certificate request in the certificate-management section of the Starfield SSL Web site.

How do I obtain a Domain Registration Letter?
If Starfield is unable to verify a certificate-requesting entity's domain registration ownership and domain control via the Whois database (generally because the information in the Whois database cannot be found or does not match the information in the certificate request), the requestor must instead provide a Domain Authorization Letter from his/her domain registrar as documentation of domain registration ownership. If Starfield successfully authenticates the letter, a Starfield associate will manually verify domain control.

In order to obtain a Domain Authorization Letter you must request it from your domain registrar. Consult your registrar for specific instructions.

If the domain in the certificate request is hosted with Starfield affiliate Domains By Proxy, log in to your Domains By Proxy account and request the Domain Authorization Letter. Domains By Proxy will prepare the letter within 48 hours of the request.

Once you have obtained the Domain Authorization Letter, please fax or scan-and-e-mail it to the Certification Authority (i.e., Starfield Technologies) as proof of domain registration ownership. A Starfield associate will review the letter upon reception.

What is an intermediate certificate?
In order to enhance the security of the Starfield (Valicert Class 2 Policy Validation Authority) root certificate, Starfield has created an intermediate certificate (Starfield Secure Certification Authority) from which SSL certificates are signed and issued. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a trust chain that begins at the trusted root CA, passes through the intermediate and ends with the SSL certificate issued to you. Such certificates are called chained root certificates.

Creating certificates directly from the CA Root Certificate increases the risk of CA Root Certificate compromise, and if the CA Root Certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, provides an added level of security. You must install the intermediate certificate in your Web server along with your issued SSL certificate.

Using intermediate certificates does not cause installation, performance or compatibility issues.

How do I install an intermediate certificate?
Once your Web Server Certificate has been issued, you will receive an e-mail message containing the issued certificate, along with Starfield's intermediate certificate and certificate-installation instructions for all supported Web servers. The certificates and installation instructions will be attached to the message in .ZIP format. Please download and unzip the attachment before proceeding to the installation process. The specific procedure through which the intermediate certificate is installed depends on the type of server software you are using. Please refer to the attached installation instructions for the specific installation process for your certificate, including the intermediate certificate.

Starfield's intermediate certificate is also available from the Starfield repository.

What happens if I don't install the intermediate certificate?
Failure to properly install Starfield's intermediate certificate along with the issued Web Server Certificate means that the trusted certificate chain cannot be established. As a result, visitors who attempt to access your supposedly secure site will be presented with a "Security Alert" indicating that "The security certificate was issued by a company you have not chosen to trust…" Faced with such a warning, potential customers most likely will take their business elsewhere.

Downloading and installing Starfield's intermediate certificate on your Web server will immediately fix this problem. The intermediate certificate is attached to the e-mail message you'll receive upon certificate issuance. It is also available from the Starfield repository.

Why do visitors receive a security alert when accessing my secure site?
The "Security Alert" (see illustration below) is generally triggered when a Web Server Certificate is invalid or if the Web site owner has failed to properly install the intermediate certificate.


Does a Starfield Web server certificate secure both "www.domainnamegoeshere.com" and "domainnamegoeshere.com"?
No, a Starfield Web server certificate only secures the exact fully qualified domain entered as the Common Name in your certificate signing request. Thus if your certificate secures "www.domainnamegoeshere.com" it will not secure the domain "domainnamegoeshere.com." If a user types in "domainnamegoeshere.com" (without the "www") he/she will receive a warning about the validity of the certificate.

If you need to secure both domains you must request a Web server certificate for each of them. Alternatively, you can contact your domain registrar and request that your DNS records be set up so that typing in "domainnamegoeshere.com" automatically resolves to "www.domainnamegoeshere.com."
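
The two causes of a browser alert described above (a missing intermediate certificate, and a host name that differs from the Common Name) can be reproduced offline with a throwaway chain. This is an added example, not Starfield's certificates or instructions: the CA names, the host www.example.test and all function names are constructed, and the openssl command-line tool is assumed.

```shell
#!/bin/sh
# Added illustration: constructed root -> intermediate -> server chain.
# All names (Example Root CA, www.example.test) are made up; needs the openssl CLI.

build_chain() {  # $1 = empty working directory
  ( cd "$1" && umask 077 &&
    cat > demo.cnf <<'EOF' &&
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_server]
basicConstraints = CA:FALSE
EOF
    # Root CA: self-signed, the only certificate the client trusts.
    openssl req -x509 -config demo.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Example Root CA" -days 30 &&
    # Intermediate CA: signed by the root, issues the server certificates.
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout int.key -out int.csr -subj "/CN=Example Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions v3_ca -days 30 -out int.pem &&
    # Server certificate: signed by the intermediate, Common Name is the www host.
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout server.key -out server.csr -subj "/CN=www.example.test" &&
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -extfile demo.cnf -extensions v3_server -days 30 -out server.pem
  ) >/dev/null 2>&1
}

verify_server() {  # $1 = chain directory, $2 = "with" to send the intermediate too
  if [ "$2" = with ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/server.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/server.pem"
  fi >/dev/null 2>&1
}

name_matches() {  # $1 = certificate file, $2 = host name the visitor typed
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

report() {  # $1 = label, remaining arguments = check to run
  label=$1; shift
  if "$@"; then echo "$label: accepted"; else echo "$label: security alert"; fi
}

dir=$(mktemp -d)
if build_chain "$dir"; then
  report "server certificate only"        verify_server "$dir" without
  report "server + intermediate"          verify_server "$dir" with
  report "visitor types www.example.test" name_matches "$dir/server.pem" www.example.test
  report "visitor types example.test"     name_matches "$dir/server.pem" example.test
else
  echo "could not build the demo chain (is openssl installed?)"
fi
rm -rf "$dir"
```

Against a live server, the same verification applies to the certificates the server actually sends during the handshake, with the client's root store as the trust anchor.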


What if I lose my Starfield password?
There is no way to retrieve a lost password. If you lose your account password, you must contact Starfield in order to have a new password created. To do so, call Starfield's Technical Support at 480.505.8825; then fax in or scan-and-e-mail a government-issued photo ID (i.e., driver's license, state/federal/military ID card or passport). When Starfield has received the required documentation your password will be reset and the new one sent to you via e-mail. At that point, you may log in to your account and – if so desired – change the password via the "Edit Starfield Account" interface.

Why is my secure site not displaying the "padlock" icon in the browser's status bar?
If any site element — an image, for example — is being queried from outside the secure layer, the padlock icon will not be displayed in the user's browser. To resolve this problem, make sure that all images and other site elements you want on the secure version of your Web site are being pulled from a secure folder located within the secure site.
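
One way to find the elements that break the padlock is to scan a page's HTML for anything it loads over plain http://. This is an added example, not part of the original FAQ: the tag list, the function names and the sample page are constructed for illustration, and the regular expression is a simplification that does not replace a real HTML parser.

```shell
#!/bin/sh
# Added example: finds elements an HTTPS page would fetch over plain http://.
# The tag list and the sample page are constructed for illustration.

insecure_subresources() {  # $1 = HTML file; prints one insecure URL per line
  src_tags='<(img|script|iframe|embed|source|audio|video|input)[^>]*[[:space:]]src='
  link_tags='<link[^>]*[[:space:]]href='
  # Join lines first so a tag split over several lines is still matched,
  # then keep only the URL at the end of each matching tag fragment.
  tr '\n' ' ' < "$1" |
    grep -Eio "($src_tags|$link_tags)[\"']?http://[^\"' >]+" |
    grep -Eio "http://[^\"' >]+\$"
}

write_sample_page() {  # $1 = file to create (constructed checkout page)
  cat > "$1" <<'EOF'
<html><body>
<img src="/images/cart.png">
<img class="logo"
     src="http://static.example.test/logo.png">
<script src="https://www.example.test/js/checkout.js"></script>
<link rel="stylesheet" href="http://static.example.test/site.css">
<a href="http://partner.example.test/">Partner site</a>
</body></html>
EOF
}

page=$(mktemp)
write_sample_page "$page"
echo "Loaded from outside the secure site:"
# Relative and https:// references are fine; ordinary <a> links are not loaded
# into the page, so they are not reported either.
insecure_subresources "$page" || echo "(none)"
rm -f "$page"
```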
