Saturday, March 17, 2012

What are website certificates?

Originally published 04/26/2011 at

Have you ever tried to get to a website and gotten the message, "the security certificate is invalid," or something similar? That message means something about the bit of code that verifies the identity of the site is off. It might mean that the certificate is fake and the site is bogus, or it might mean there is small error and the site is legit. How can you tell?

Site certificates are used when a web site needs to use encryption to protect data in transit. There are a number of organizations that issue security certificates, including governments such as the U.S. and China. In general certificates are issued for two years. The main exception to this is the certificate issuers, who have 10 year certificates.

To tell if a site uses certificates all you have to do is look for "https" in the address bar or the locked padlock in the upper right corner of the browser window - the lock symbol does not always appear.

When you visit a website that uses a certificate your browser will check for a few things in the certificate like the issuer, the address of the website and the issue and expiration dates. If any of these are not correct your browser will tell you that there is a problem with the certificate and give you the option of making a one time or permanent exception. You can, if you want, examine the certificate before deciding what to do.

So how do you decide if you should trust a certificate? Unless your browser reports a problem it all depends on how much you trust the issuer. If your browser reports a problem, there are some things you can check:


  • who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). Some organizations also have their own certificate authorities that they use to issue certificates to internal sites such as intranets.
  • who the certificate is issued to - The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect.
  • expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years. Be wary of organizations with certificates that are valid for longer than two years or with certificates that have expired.


Site certificates are an integral part of web security, but they aren't perfect. You still have to be careful and watch what is happening in your browser.