If you are interested in gaining a practical understanding of how to secure your site with a SSL certificate, downloading our Trial Certificate is a great way to get started. This certificate will give you an opportunity to experience the certificate installation process as well as determine your required server configuration. test a SSL certificate on Your site today 21day free trial

The Starter PKI program from thawte has been developed for companies with a need to secure multiple domains or host names. This guide will introduce you to the Program by explaining how it works and its benefits. We will also point you to a dummy company on our web site where you can ?test drive? the Program. Finally, you'll find out how to enroll and the costs involved.

If you are currently using a non-Thawte or non-VeriSign SSL certificate, make sure you check out the special discounts which are available to you. (Please note that this offer excludes VeriSign customers.)

The thawte SGC SuperCert in action

thawte has been issued a license by the US Bureau of Export Administration (BXA), allowing the issue of certificates that enable 128-bit SSL sessions in older browsers* that are usually restricted to 40/56-bit encryption. The difference between SGC SuperCerts and normal SSL Web Server certificates is that whenever one of these older browsers connects to a site that has a SGC SuperCert installed, the SSL session will be automatically 'stepped-up' to 128-bits, instead of being negotiated at an encryption level that the browser has been defaulted to (40/56 bits).

* (IE 4.X or Netscape 4.06 and later)

Certificate Signing Request (CSR) File

The process of applying for a thawte signed digital certificate begins with the generation and submission of a Certificate Signing Request (CSR) file. thawte then verifies your identity, and when satisfied, signs that request file, using the trusted thawte CA root key, and issues it to you as your certificate.

Valid certificate

When we issue your certificate it will contain two critical pieces of information. The first is the "Distinguished Name", which is a set of values that describes your country, state or province, city or town, organization, division within that organization and your web server domain name. The second is your public key.

Keys

Session keys are made up of a public key (issued to you with your SGC SuperCert) and randomly selected private keys created by each browser when it connects to your server. Session keys are used to encrypt and decrypt data (transmitted to and from the server) after the initial browser/server 'handshake'. (A session key is not your Server Certificate key, which is either 1024-bit, or 512-bit).

Compatible web servers

All browsers from IE 4.x or Netscape 4.06 and later should work well with the SGC SuperCert. Please note that the SGC SuperCert is chained therefore please check that your web server supports Certificate chaining.

Upgrading Browsers

Those running 3.x generation browsers can upgrade their security to the same level as that supported by 4.0 generation browsers. The process takes about 2 minutes and ensures that your browser works with the tens of thousands of thawte certified secure servers out there. You only need to do this once for your browser to be updated permanently!

There are many Certification Authorities (CAs) currently offering digital certificates, each with various certificate products. For the first time user of digital certificates it is often difficult to make an informed purchase decision. Equally, experienced users may not have a full understanding of certain finer points relating to the products that are available on the market.

We aim to provide impartial advice on how to approach the purchase of SSL certificates while at the same time clarifying certain issues relating to the product and industry which are often misunderstood. Our hope is that you find the information provided of assistance in making the right purchase for your business and security needs.

1. When do you need to use a digital certificate?

Securing transmission of financial information in ecommerce is currently the major application of SSL certificates. However, with incidence of identity theft on the rise, protection of personally identifiable information is becoming ever more important. This category of data would include identity and social security numbers, as well as e-mail addresses.

So, if you are handling financial transactions on your web site, there is no question that SSL certificates are required. If you are managing sensitive customer data, the use of SSL certificates is worth serious consideration – especially if customer/member security and privacy is high on your list of priorities.

2. Why use a digital certificate? p>There are two main reasons why you should make use of a digital certificate:

1. To prove your company's (or your server's) identity online and in so doing create a sense of trust and confidence in using your web site.
2. To offer protection of the data submitted to your web site (or between servers) through the use of encryption. Should any information be intercepted, it will be unintelligible without the unique key used for decryption.

When evaluating a certificate product, make sure it delivers on each of these requirements.

3. What level of authentication does the certificate offer?

In securing your web site with a digital certificate, your main aim is to provide proof of your online identity and in so doing establish a relationship of trust with those with whom you wish to interact online. This is where authentication comes into play as the most important element of a digital certificate.

Authentication provides users with proof that:

1. your company is a bona fide real world company.
2. they are connecting to the correct server

A certificate's level of authentication may be seen as an indication of its quality – the higher the level of authentication provided, the greater the quality of the certificate. It is therefore important to understand that the various digital certificates available each differ in level of authentication depending on the issuing CA or even the specific product.

Some CAs perform only very basic authentication prior to issuing a certificate while others conduct extensive checks to ensure the identity of the applying organization. The following are the various authentication checks that are performed by CAs:

• Domain lookup to confirm that applying company owns domain.
• Check existence of company to confirm that it is a legally registered organization.
• Verification of identity of individual requesting certificate to confirm that they are an authorized representative.

All CAs performs one or more of these authentication checks. The result is a range of products of greatly differing levels of quality. It is important to note that the more authentication checks performed the better the quality of the certificate. So make sure you determine exactly what authentication checks are performed before purchasing.

4. What does it mean to be WebTrust compliant?

A number of CAs have achieved WebTrust compliance mainly as it is now a Microsoft requirement that a CA complete a WebTrust for Certification Authorities audit, in order to have their root certificates included in Windows XP / Internet Explorer. But it is important to understand exactly what this certification implies. WebTrust does not set standards for CAs, nor does it monitor or regulate any existing standards.

WebTrust compliance tells you nothing about the quality of the authentication on offer – it merely confirms that the CA in question adheres to their own stated policies and procedures for authentication. What this means is that WebTrust compliance unfortunately does not provide a useful basis for comparison between CAs.

5. What is the strength of a certificate? (what is SGC technology)

The encryption strength of a digital certificate is determined by the level of encryption supported by the browser used to connect to a web site and the server where the web site resides. This means that users may connect at 40-bit, 56-bit or 128-bit depending on the browser version they are using.

Most digital certificates function in this way – providing encryption at a strength supported by the browser and server. It is important to understand this distinction as many CAs promote their certificates as 128-bit when in fact they will support sessions of varying encryption strength (128-bit being the strongest possible level of encryption).

In the past, legislation of the United States government prevented the export of 128-bit encryption technology. The result of this was the creation of the so called “export” browser versions which were restricted to 40-bit and 56-bit encryption capabilities. These browsers were distributed outside of the United States for many years and were even downloaded by US based users. In 1997, the US government repealed its ban on 128-bit encryption. Today however, there are still significant numbers of export version browsers in use, mainly internationally but also in the United States.

Digital certificates have been developed that provide 128-bit encryption for browsers which are defaulted to 40-bit or 56-bit encryption – the so called “export” browser versions which include IE 5.01 and Netscape 4.7x and later . These certificates include technology known as Server Gated Cryptography (SGC) which automatically steps-up these browsers to the 128-bit encryption level. Only a handful of CAs supply these certificates, so if you require the 128-bit encryption step-up capability, make sure you ask for SGC technology.

6. What is the product for you?

There are various factors which will influence your choice of digital certificate.

Firstly, you need to consider the sensitivity of data that is to be secured. It makes sense that highly confidential personal and financial as well as critical business information demand the highest levels of authentication and encryption. Alternatively, some may argue that there are other applications that do not require these stringent security measures. The bottom line is that you need to categorize the various types of data you manage according to their importance to your business and select a digital certificate for the task at hand.

In certain countries there is now legislation which governs the level of encryption required for data protection. This type of legislation is normally developed for data intensive industries where security and privacy is a major concern such as financial services or health care. Typically, companies are required to guarantee that they protect data with 128-bit encryption – a requirement which determines the use of a specific type of digital certificate. In this case digital certificates which are able to step-up to 128-bit encryption are the product of choice.

Geographic location of your customer/user base is also an important consideration. The reason for this is that certain older browser versions which still exist in significant numbers internationally do not automatically support 128-bit encryption, only 40-bit and 56-bit. Typically, these are the so-called “export” browsers which where made available outside of the United States for many years. It is also worth noting that users in the United States have also downloaded these export browsers from non-US websites. So, if you are conducting business online outside of the US and 128-bit encryption is important to you, step-up SGC technology is essential.

Lastly, it is worthwhile considering the duration of the project in question. Most certificates are available in one or two-year versions (or longer). If your project is planned for a longer duration, it makes sense to consider the two-year certificate option as this not only allows you to benefit from the cost savings frequently offered on these products, but also provides the added benefit of increasing convenience by reducing the frequency of engineering and admin work associated with installation during certificate renewal.

7. Can you get the after sales technical support you need?

Depending on your level of experience in working with digital certificates, you may require assistance at various stages throughout the life cycle of the product, from the initial request for a certificate to installation, renewal and possible re-issuance of a certificate if required.

Be sure to assess the support capabilities of the CAs you consider. Try to look beyond the initial sales process as it is the more unforeseen circumstances such as server migration where competent support is always the most valuable.

8. What is the track-record of the CA?

In business it is always sensible to purchase from proven, established vendors – even more so in today's high tech industry. This is especially important when purchasing security products such as digital certificates where using a trusted CA is essential for doing effective business online.

The CAs track record may provide you with some answers to other questions discussed here. For instance, the longer a CA has been in business, the more experienced and better developed their support infrastructure is likely to be.

9. Are you dealing with a root CA?

There are two types of CAs – Root CAs and Chained CAs. Root CAs have the roots for their certificates installed in the major browsers, while Chained CAs issue their certificates off a Root CAs root.

The reason for the existence of Chained CAs relates to the issue of certificate compatibility with the various browser types and versions currently used. CAs which have been in existence for longer period of time have been able to include their roots in each browser type and version that has been released over the years. Subsequently, their certificate-browser compatibility is extremely high. Newer CAs are not able to achieve this level of compatibility as they are only able to include their roots in recent browser releases and the only way for them to obtain the desired level of compatibility is to issue certificates signed with the root of a CA which already has the desired level of compatibility (this is known as “Chaining”).

The main drawback of using a Chained CAs is that they do not own, and therefore, do not control the root used to issue their certificates. From a certificate customers' perspective this may lead to potential problems as their certificates are vulnerable and may be rendered invalid should the terms of the chaining agreement break down or be affected by a change in ownership of the root.

Some Scenarios

You have a global export business that sells high value items via the Web Appropriate digital certificate: thawte's SGC SuperCert

You have a global communications business that transmits a lot of sensitive information via the Web Appropriate digital certificate: thawte's SGC SuperCert

You have a US focused business that sells low to medium value items via the Web Appropriate digital certificate: thawte's SSL Web Server certificate

You have a US focused business that sells high value items via the Web Appropriate digital certificate: thawte's SGC SuperCert*

You have a US-based company servicing the healthcare industry via the Web Appropriate digital certificate: thawte's SGC SuperCert*

*As there are still a small number of 'export' browsers active within the US itself, it would be advised to be secure with a SGC SuperCert if high value items are being sold via a web site.

thawte is now able to provide SSL certificates* to customers using Internationalized domain names.

The Internet is a tool used by more than 500 million people around the world. As the Internet grows, more and more users will prefer languages other than English. International Domain Names (IDNs) provide a convenient mechanism for users to access Websites in their preferred language. This need is reflected by the growing number of customers purchasing Internationalized Domain Names (IDNs).

thawte has always been focused on serving the International community by offering multilingual customer support in over 30 languages. thawte has now invested in aligning it’s systems to support this International strategy by enhancing these systems to be able to recognize and issue certificates that contain local language characters in all certificate fields.

With these enhancements, thawte will now also be able to issue certificates to Internationalized Domain Names.

What this means is that you can now buy an SSL123, SSL Web Server or SGC SuperCert certificate* to secure the website you have hosted on an Internationalized Domain Name. An example of the certificate content for a certificate for an IDN is shown below.

Not only will your secured Internationalized Domain content be reflected in the certificate details, but your thawte Trusted Site Seal will also reflect your local language content.