Passwordstate and SSL Certificates Explained

A Secure Sockets Layer Certificate, or SSL Certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection.  It’s a security protocol that creates an encrypted link between a webserver and a web browser.  SSL certificates are used by an organization to ensure secure and private communication between their website and a customer’s or employee’s web browser. 

How do you know if you’re using an SSL connection?  You’ll see a padlock icon next to the URL in the address bar followed by HTTPS (HyperText Transfer Protocol Secure).  Think of it as a means of preventing those nasty little Cyber Criminals from eavesdropping in on your communication, or worse, modifying information that’s being exchanged between the webserver and your web browser.

Those in the know will tell you that TLS (Transport Layer Security) is the current protocol that’s used but the industry still refers to the protocol as SSL (like Hoover is used for vacuum cleaner and Band-Aid for sticky plasters).

Passwordstate uses an SSL Certificate (TLS 1.2) to ensure the communication between your Passwordstate instance and your web browser or native mobile app is secure, encrypted and can’t be eavesdropped.

How do SSL Certificates Work?

SSL Certificates ensure the data transferred between Passwordstate and your web browser is impossible to read. It does this by using encryption to scramble data in transit.  A high-level overview on how the hand-shaking process works looks a little like this;

Any data that is exchanged between the Passwordstate webserver and your web browser is now sent over this encrypted and secure SSL session.

SSL Certificate Best Practices

SSL certificates should only be acquired from a trusted source and should match the URL of your Passwordstate website.  All SSL certificates have an expiry date.  This date can range from one, to many years, and it’s a good idea to track the expiry date so you can renew the certificate before it expires (Hint: you can do this in Passwordstate with the Expiry Date field and What passwords are expiring soon? report).

There are three types of SSL certificates that you can use for your Passwordstate website.  Each of these has its advantages and disadvantages.  There are Self-Signed SSL Certificates, Internal CA (Certificate Authority) SSL Certificates, and Online CA SSL Certificates.  The high-level advantages and disadvantages are shown in the table below;

Certificate TypeAdvantagesDisadvantages
Self-Signed SSL CertificateEasy to create with PowerShell as requiredBrowsers don’t trust them by default
 It’s freeRequires manual effort to for each web browser to trust
  Wild card not available with this type of certificate
Internal CA SSL CertificatesBetter securityRequires a configuration change to your DC
 It’s freeBrowsers will complain when accessing Passwordstate outside of your own network, or from a non domain joined machine
 Browsers will not complain if accessing Passwordstate from a domain joined machine 
 You can use a wildcard certificate to support multiple URLs 
Online CA SSL CertificatesMost secure certificate that all browsers will acceptIs more costly
 Best end user experience for all scenarios 

When to Use Each Type of Certificate

Self-Signed SSL Certificate:

When installing Passwordstate for the first time the default URL chosen by the installer is the name of your server.  While you have the option to change this, the installer process will create a Self-Signed SSL certificate for you that matches this URL.  This SSL certificate is recommended if you’re:

  • A small business and don’t have many users,
  • Don’t intend on accessing Passwordstate outside of your own network,
  • Would prefer not to spend additional money on a certificate,
  • Are okay with installing a certificate for your web browsers as a once off process for each machine.

Certificate Issued from an internal CA:

Internal CA generated SSL Certificates provide for better security and end user experience.  This type of SSL certificate is recommended if you’re:

  • Installing Passwordstate on an Active Directory domain joined server,
  • Already have an internal Certificate Authority setup,
  • Not anticipating the need to access Passwordstate from outside of your own network, or from a non Domain joined machine.

Certificate Issued from an Online CA:

There are multiple Certificate Authorities online that you can purchase your SSL Certificate from.  These certificates come either with a static DNS Name or as a Wildcard certificate.  Click Studios recommends you do your research and purchase from a Certificate Authority that is suitable for you where:

  • You’re are a big or small company, and intend on accessing Passwordstate from anywhere,
  • Want to access Passwordstate from a non domain joined machine,
  • Intend to use the certificate for other Passwordstate features, such as the Browser Based Gateway, the Self Destruct Site and the App Server and these are installed on different web servers,
  • You’re are an MSP, and intend on using the Browser Based Gateway with multiple Remote Sites across the internet.  In this case a wildcard certificate will be required to allow RDP and SSH sessions to remote networks.

Additional Information

Links related to Self-Signed SSL Certificates:

Links related to Internal CA Issued Certificates:

Links related to Online CA Certificates:

We hope this information helps you to understand your options for SSL Certificates and where each of the different types are appropriate.  Have Feedback? We’d love to hear it and you can send it through to

Password Lists Linked to Templates

Passwordstate provides the capability of storing both Shared Password Lists and Private Password Lists.  Shared Password Lists, as implied can be used to share either the entire contents of the list, or just individual Password Records.  … [Continue reading]

Expert Insights Best-Of Cybersecurity Awards: Click Studios Awarded Again!

Expert Insights is an online publication with editorial and technical teams in the UK and US covering cybersecurity and cloud-based business technologies. They are the leading cybersecurity resource and review platform, helping users research … [Continue reading]

Mobile App Settings

We recently published a blog on Reporting on Mobile Client Usage.  Since then, a number of the Technical Support team members have asked what we’ve published on how to configure the Mobile App.  Looks like there isn’t much outside of the … [Continue reading]

Reporting on Mobile Client Usage

The Passwordstate native Mobile Client apps for Android and iOS were introduced in V9 Build 9000.  These replaced the old Mobile Client support providing remote access to managed credentials while away from your normal place of work … [Continue reading]

How to Rotate Your Encryption Keys

Click Studios uses Symmetric Data Encryption within Passwordstate to protect your sensitive data.   It does this using 256bit AES (Advanced Encryption Standard) data encryption to encrypt (cipher) and decrypt (decipher) information. At a … [Continue reading]

Guide to set up Folder Structure and Permissions

You’ve decided that managing your organization’s passwords is essential.  You’ve selected a Password Management System that has the level of security you need, while retaining the flexibility to meet individual stakeholder’s requirements.  … [Continue reading]

Troubleshoot HA Polling Issues

We’ve recently had a few technical support calls querying how to diagnose High Availability issues.  To make things easier, with identifying the health of all Passwordstate Servers, we included the health status under the Authorized Web Servers … [Continue reading]

Where Can You Upload Documents in Passwordstate?

One of the key remits, or areas for active consideration for our development team, is the flexibility of use of Passwordstate. Since its first release, way back in August 2004, our developers have continually looked at how they can add flexibility … [Continue reading]

Self Destruct Messaging Implementations

Passwordstate includes a Self Destruct Messaging portal as part of the core software.  Self Destruct Messaging typically allows you to send emails or messages within an application, containing content considered to be highly confidential, to be … [Continue reading]