Public Key Infrastructure (PKI) is a technology, together with the relevant operational, registration, revocation and other certificate management procedures, assuring the security and protection of electronic communications and of data stored electronically through the use of certificates and private/public key pairs.

A Certificate is an electronic credential that is signed by a Certification Services Provider (CSP) certifying the relationship between a public key and the identity of the key holder. It also includes technical information used by software for tasks such as checking its validity.
A Qualified Certificate is a special kind of Certificate that:

1. contains a minimum set of elements that are specified in the European Directive (99/93/EC); and
2. is produced by a Qualified CSP which meets the specific technical and procedural requirements that are also spelled out in the Directive.

Generally speaking, these terms are used interchangeably to denote an issuer of digital certificates. Some commercial CSPs undergo audits (such as WebTrust) and have their root certificates enabled in software such as operating systems and browsers. Some CSPs acheive “Qualified” status, providing certain benefits to users of their certificates.

An Advanced Electronic Signature is an electronic signature which meets the following requirements:

1. it is uniquely linked to the signatory;
2. it is capable of identifying the signatory;
3. it is created using means that the signatory can maintain under his sole control; and
4. it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.

The European Directive (99/93/EC) regulates the implementation and recognition of electronic signatures within the European Union. the Directive stipulates that a Qualified Electronic Signature (QES) shall:

1. Be an Advanced Electronic Signature as define in the Directive. Currently, only PKI digital signatures (using asymmetric cryptography) fulfil those requirements;
2. Be based on a Qualified Certificate (QC) issued by a suitably certified Certification Service Provider (CSP); and
3. Be created Secure Signature‐Creation Device (SSCD) that meets specific functional conditions which are also laid down in the Directive.

An EV SSL certificate is issued according to the Extended Validation Guidelines produced by the CA/B Forum which aim to verify the identity of the website owner, its exclusive use of the domain, and the authority of its personnel. Only certification authorities who are audited for compliance to these Guidelines may issue EV.

Most current-generation browsers recognise the value of EV by providing specific indicators (such as the “green bar” in IE7) and enhanced security reports that highlight the name and address of the website owner, as well as the CA that issued the certificate.

Other forms of SSL are commonly known as “domain validation” (in which control of the domain in established) or “organisation validation” (in which the Subject is identified). However, each CA followed different practises in issuing these certificates, which were all displayed in the same way by browsers regardless of the quality of the validation.

A Wildcard Certificate allows you to secure unlimited first-level sub-domains on a single domain name. For example, you can get a wildcard Certificate with the common name *.yourdomain.com and you can use it to secure all from one wildcard SSL certificate:

• www.yourdomain.com
• mail.yourdomain.com
• intranet.yourdomain.com
• secure.yourdomain.com
• servername.yourdomain.com

However, Wildcard Certificates do not work for multiple level subdomains. For example a Wildcard for *.yourdomain.com will not work on www.secure.yourdomain.com or server.name.yourdomain.com. The advantage of a Wildcard certificate is that you only need one certificate to secure multiple subdomains rather than buying and managing multiple certificates.

Be aware that some mobile devices don’t support wildcard certificates including Windows Mobile 5. For these devices you will need to use a SAN (Subject Alternative Name) Certificate. To secure different domain names or multiple level subdomains in one certificate you should consider a SAN (Subject Alternative Name) SSL Certificate.

Purchase Wildcard Certificates »

A SAN (Subject Alternative Name) certificate, also sometimes called a UC Certificate (for use with Microsoft Exchange 2007 and Microsoft Office Communications Server 2007). Allow one certificate to secure multiple different domain names by use of the Subject Alternative Name (SAN) fields in the certificate. This allows one certificate to secure multiple external domain names and sub-domains.
For example, one SAN SSL Certificate could secure cover the following:

• yourdomian.com
• mail.yourdomain.com
• autodiscover.yourdomain.com
• anotherdomain.com
• anotherdomain.net

A SAN Certificate (also called a UC Certificate) is required for some functions in MS Exchange Server 2007 and Office Communications Server 2007 as well as and Live Communications Server 2005.

Purchase SAN Certificates »

No. You only need to install the HydrantID Secure Site Seal once. Upon renewal, the validity period will be automatically updated on the seal’s security report.

Do not customize or modify the HydrantID Secure Site Seal. Any change violates the terms and conditions of the HydrantID Secure Site Seal agreement.

If you discover a HydrantID SSL or HydrantID Secure Site Seal that is being used incorrectly, please report it to HydrantID. Possible problems may include:

• Missing security information when clicked
• Mismatched information displaed by the seal and the SSL Certificate
• Possible use for phishing or other illegal activities

Please review the HydrantID Knowledge Base »