Passwordstate and SSL Certificates Explained

A Secure Sockets Layer certificate, or SSL certificate, is a digital certificate that authenticates a website's identity and enables an encrypted connection.  The certificate is not the encryption protocol itself: it is the credential the web server presents so that the SSL/TLS protocol can set up an encrypted link between the web server and a web browser.  Organizations use SSL certificates to ensure communication between their website and a customer's or employee's web browser stays private and cannot be tampered with in transit.

How do you know if you're using an SSL connection?  You'll see a padlock icon in the address bar, and the URL will start with HTTPS (HyperText Transfer Protocol Secure).  Think of it as a means of preventing those nasty little Cyber Criminals from eavesdropping on your communication, or worse, modifying information that's being exchanged between the web server and your web browser.  One caveat: the padlock only tells you that the connection is encrypted and that the certificate matches the name in the address bar; it does not tell you that the site is the one you intended to visit, so always check the URL as well.

Those in the know will tell you that TLS (Transport Layer Security) is the protocol actually in use today, and that the original SSL protocol versions have been deprecated, but the industry still refers to the whole thing as SSL (like Hoover is used for vacuum cleaner and Band-Aid for sticky plasters).

Passwordstate uses an SSL certificate, with TLS 1.2 as the protocol, to ensure the communication between your Passwordstate instance and your web browser or native mobile app is encrypted and cannot be eavesdropped on.

How do SSL Certificates Work?

SSL certificates ensure the data transferred between Passwordstate and your web browser cannot be read by anyone intercepting it on the network.  They do this by using encryption to scramble data in transit.  A high-level overview of how the hand-shaking process works looks a little like this;

  • Your web browser connects to the Passwordstate web server and announces which protocol versions and cipher suites it supports.
  • The web server replies with its SSL certificate, which contains its public key and the DNS name(s) the certificate is valid for.
  • Your browser checks the certificate: it must be issued by a Certificate Authority the browser trusts, it must not have expired, and its name must match the URL in the address bar.  If any of these checks fail, the browser shows a warning.
  • Browser and server then agree on a secret session key, using the server's public key so that only the holder of the matching private key can complete the exchange.

Any data that is exchanged between the Passwordstate web server and your web browser is now sent over this encrypted and secure SSL session, protected by that session key.

SSL Certificate Best Practices

SSL certificates should only be acquired from a trusted source and must match the URL of your Passwordstate website; a perfectly valid certificate issued for a different name will still produce a browser warning.  All SSL certificates have an expiry date.  For self-signed and internal CA certificates this can range from one to many years; certificates from public online CAs are currently limited to a maximum of 398 days (about 13 months), so they need renewing every year.  It's a good idea to track the expiry date so you can renew the certificate before it expires (Hint: you can do this in Passwordstate with the Expiry Date field and the What passwords are expiring soon? report).
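The following PowerShell script is an added example, not code from Click Studios or from the Passwordstate installer.  It connects to a Passwordstate URL the way a browser does, completes the TLS 1.2 handshake described above, and reports the three checks a browser applies to the certificate (trusted issuer chain, name matching the URL, validity period), then lists certificates in the server's own store that are close to expiry.  The host name, site and paths are assumptions; substitute your own Passwordstate URL.

```powershell
# Added example (not Click Studios code). Performs a TLS 1.2 handshake against the
# Passwordstate site and reports what a browser would have checked on the certificate.
# 'passwordstate.corp.example' is an assumed host name.

function Test-PasswordstateCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $WarnDays = 30
    )

    # The validation callback receives the result of Windows' chain, name and expiry checks.
    # We record it and return $true so the handshake completes and the certificate can be read;
    # a browser would abort here and show its warning instead.
    $script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:PolicyErrors = $errors
        return $true
    }

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        # Client hello -> server certificate -> key exchange. $HostName is sent as SNI and is
        # also the name the certificate must match. Revocation checking is switched on.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)

        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        [pscustomobject]@{
            HostName     = $HostName
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = $daysLeft
            ExpiringSoon = ($daysLeft -le $WarnDays)
            # None means chain, name and validity all passed; otherwise a flags value such as
            # RemoteCertificateChainErrors (untrusted issuer) or RemoteCertificateNameMismatch.
            PolicyErrors = $script:PolicyErrors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Check the live site the way a browser would.
Test-PasswordstateCertificate -HostName 'passwordstate.corp.example' | Format-List

# On the web server itself, list certificates in the machine store that expire within
# 30 days, so renewal can be scheduled before browsers start refusing the site.
Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Select-Object Subject, Thumbprint, NotAfter
```

A self-signed certificate will report RemoteCertificateChainErrors from any machine that has not imported it as a trusted root, and a certificate issued for the server's own name but accessed through a different DNS alias will report RemoteCertificateNameMismatch; both are the cases the browser warns about.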

There are three types of SSL certificate you can use for your Passwordstate website, each with its own advantages and disadvantages: Self-Signed SSL certificates, Internal CA (Certificate Authority) SSL certificates, and Online CA SSL certificates.  The high-level advantages and disadvantages are shown below;

Self-Signed SSL Certificate
  Advantages:
  • Easy to create with PowerShell as required
  • It's free
  Disadvantages:
  • Browsers don't trust them by default
  • Requires manual effort on each machine before its web browsers will trust it
  • Wildcard not available with this type of certificate

Internal CA SSL Certificates
  Advantages:
  • Better security
  • It's free
  • Browsers will not complain when accessing Passwordstate from a domain joined machine
  • You can use a wildcard certificate to support multiple URLs
  Disadvantages:
  • Requires a configuration change to your DC
  • Browsers will complain when accessing Passwordstate from outside your own network, or from a non domain joined machine

Online CA SSL Certificates
  Advantages:
  • Most secure certificate, and one that all browsers will accept
  • Best end user experience for all scenarios
  Disadvantages:
  • Is more costly

When to Use Each Type of Certificate

Self-Signed SSL Certificate:

When installing Passwordstate for the first time, the default URL chosen by the installer is the name of your server.  While you have the option to change this, the installer will create a Self-Signed SSL certificate for you that matches this URL.  This SSL certificate is recommended if you:

  • Are a small business and don't have many users,
  • Don't intend to access Passwordstate from outside your own network,
  • Would prefer not to spend additional money on a certificate,
  • Are okay with installing the certificate on each machine, as a once-off process, so that its web browsers trust it.
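The PowerShell below is an added example (it is not Click Studios code and is not what the installer runs) covering both the "easy to create with PowerShell" entry in the table above and the once-off trust step on each client machine: it creates a self-signed certificate whose DNS name matches the Passwordstate URL, binds it to the site in IIS, exports the public part, and imports it into a client's Trusted Root store.  The host name, IIS site name, file paths and the availability of the IISAdministration module (Windows Server 2016 or later) are assumptions.

```powershell
# Added example (not Click Studios code). Self-signed certificate for a Passwordstate site,
# server side then client side. Host name, site name and paths are assumptions.

# --- On the Passwordstate web server (elevated) ---
$hostName = 'passwordstate.corp.example'

# 1. Create the certificate. The DNS name must equal the host in the URL users type;
#    otherwise browsers still warn (name mismatch) even after the certificate is trusted.
$cert = New-SelfSignedCertificate -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName 'Passwordstate (self-signed)' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(2)

# 2. Bind it to the HTTPS site (IISAdministration module; site name 'Passwordstate' assumed).
Import-Module IISAdministration
New-IISSiteBinding -Name 'Passwordstate' -Protocol https `
    -BindingInformation "*:443:$hostName" -SslFlag 'Sni' `
    -CertificateThumbPrint $cert.Thumbprint -CertStoreLocation 'Cert:\LocalMachine\My'

# 3. Export the public certificate only; the private key never leaves the server.
$cerPath = "C:\Temp\$hostName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Even on the server, full SSL validation fails at this point, because the issuer (the
# certificate itself) is not in Trusted Root. This is the warning every browser shows
# until step 4 has been done on that machine.
Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName

# --- On each client machine (elevated), a once-off step ---
# 4. Place the certificate in the machine's Trusted Root store. Edge and Chrome use this
#    store; Firefox only does so when security.enterprise_roots.enabled is turned on.
#    (UNC path to wherever you copied the .cer is an assumption.)
Import-Certificate -FilePath "\\fileserver\share\$hostName.cer" `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Validation now passes for this host name on this machine.
$trusted = Get-ChildItem -Path 'Cert:\LocalMachine\Root' | Where-Object Subject -eq "CN=$hostName"
Test-Certificate -Cert $trusted -Policy SSL -DNSName $hostName
```

Import the .cer into Trusted Root only; importing a .pfx with the private key onto client machines would let any of them impersonate the Passwordstate server.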

Certificate Issued from an internal CA:

Internal CA generated SSL certificates provide better security and a better end user experience.  This type of SSL certificate is recommended if you:

  • Are installing Passwordstate on an Active Directory domain joined server,
  • Already have an internal Certificate Authority set up,
  • Don't anticipate needing to access Passwordstate from outside your own network, or from a non domain joined machine.
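As an added example (not Click Studios code), the PowerShell below requests a certificate for the Passwordstate web server from the internal CA, confirms it validates on a domain joined machine, and shows the extra step a non domain joined machine needs.  It assumes the server is domain joined, that the CA publishes a template named WebServer (the built-in Web Server template) which this computer account is permitted to enroll, and that the host name is your Passwordstate URL.

```powershell
# Added example (not Click Studios code). Enrolls the Passwordstate server from the
# enterprise CA. Template name, host name and paths are assumptions.

$hostName = 'passwordstate.corp.example'

# 1. Request the certificate. Subject and SAN are both set to the URL host name, because
#    modern browsers ignore the Subject CN and match only the Subject Alternative Name.
$result = Get-Certificate -Template 'WebServer' `
    -SubjectName "CN=$hostName" -DnsName $hostName `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') {
    throw "Enrollment status is '$($result.Status)'. Check the template's Enroll permission for this computer on the CA."
}
$cert = $result.Certificate

# 2. On a domain joined machine the enterprise root is already in Trusted Root (published
#    through Active Directory), so full SSL validation passes with no client-side work.
Test-Certificate -Cert $cert -Policy SSL -DNSName $hostName

# 3. A machine that is NOT domain joined does not have that root, so its browser reports an
#    untrusted issuer. Export the root from the issuing chain...
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$null = $chain.Build($cert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Export-Certificate -Cert $root -FilePath 'C:\Temp\corp-root-ca.cer' | Out-Null

# ...and on that machine (elevated) import it once into Trusted Root (path is an assumption):
# Import-Certificate -FilePath '\\fileserver\share\corp-root-ca.cer' -CertStoreLocation 'Cert:\LocalMachine\Root'
```

Exporting and distributing the CA's root certificate (never the server's private key) is the only thing that separates the "domain joined" and "non domain joined" experiences in the table above.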

Certificate Issued from an Online CA:

There are multiple Certificate Authorities online that you can purchase your SSL Certificate from.  These certificates come either with a static DNS name or as a Wildcard certificate.  Click Studios recommends you do your research and purchase from a Certificate Authority that is suitable for you.  This type of certificate is recommended if you:

  • Are a big or small company and intend to access Passwordstate from anywhere,
  • Want to access Passwordstate from a non domain joined machine,
  • Intend to use the certificate for other Passwordstate features, such as the Browser Based Gateway, the Self Destruct Site and the App Server, and these are installed on different web servers,
  • Are an MSP and intend to use the Browser Based Gateway with multiple Remote Sites across the internet.  In this case a wildcard certificate will be required to allow RDP and SSH sessions to remote networks.
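The PowerShell below is an added example, not Click Studios code.  It builds a wildcard certificate request on the web server for submission to an online CA, shows how the issued certificate is installed, and then checks which host names the wildcard actually covers, since that decides whether one certificate can serve the Browser Based Gateway, Self Destruct Site and App Server on different servers.  The domain, the host names and the file paths are assumptions.

```powershell
# Added example (not Click Studios code). Wildcard CSR for an online CA plus a check of
# which names the wildcard covers. 'example.com' and the host names are assumptions.

$domain = 'example.com'

# 1. certreq request definition. The key is created in the machine store and marked exportable
#    so the issued certificate can be moved to the other feature servers. The SAN carries the
#    wildcard and also the bare domain, which a wildcard alone does not cover.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=*.$domain"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=*.$domain&"
_continue_ = "dns=$domain"
"@
Set-Content -Path 'C:\Temp\wildcard.inf' -Value $inf -Encoding Ascii

# 2. Create the CSR. The private key stays on this server; only the .csr goes to the CA.
certreq.exe -new 'C:\Temp\wildcard.inf' 'C:\Temp\wildcard.csr'

# 3. When the CA returns the signed certificate, this pairs it with the pending key
#    and installs it in Cert:\LocalMachine\My (file name is an assumption):
# certreq.exe -accept 'C:\Temp\wildcard.cer'

# 4. Wildcard matching rule (RFC 6125): '*' stands for exactly one DNS label, so
#    *.example.com covers gateway.example.com but not gateway.site1.example.com or example.com.
function Test-WildcardCovers {
    param([string] $Pattern, [string] $HostName)
    $Pattern  = $Pattern.ToLowerInvariant()
    $HostName = $HostName.ToLowerInvariant()
    if (-not $Pattern.StartsWith('*.')) { return ($Pattern -eq $HostName) }
    $suffix = $Pattern.Substring(1)                       # ".example.com"
    if (-not $HostName.EndsWith($suffix)) { return $false }
    $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
    return ($label.Length -gt 0) -and (-not $label.Contains('.'))
}

# Constructed sample host names for the Passwordstate features and a remote site.
$hostNames = "passwordstate.$domain", "gateway.$domain", "selfdestruct.$domain",
             "appserver.$domain", "gateway.site1.$domain", $domain
foreach ($h in $hostNames) {
    [pscustomobject]@{ HostName = $h; Pattern = "*.$domain"; Covered = (Test-WildcardCovers "*.$domain" $h) }
}
```

For an MSP with Remote Sites on their own sub-domains (gateway.site1.example.com in the sample), a single *.example.com certificate is not enough; each such level needs its own wildcard or an explicit SAN entry.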

Additional Information

Links related to Self-Signed SSL Certificates:

Links related to Internal CA Issued Certificates:

Links related to Online CA Certificates:

We hope this information helps you to understand your options for SSL certificates and where each of the different types is appropriate.  Have Feedback? We'd love to hear it and you can send it through to