10 March 2005

So, What Is That Thing Called a "Certificate"?

Abstract concepts

Yesterday a friendly lady from accounting asked me what this invoice really is. It said "SSL Certificate". Is it some kind of software? One could argue in some way that it is (as opposed to hardware), but really it isn't an executable software program.

A certificate is some kind of security device. But security devices are abstract concepts, hard to explain in 2 minutes. If you know the answer you could explain that the certificate is there to enable encrypted SSL connections to our webserver. But that can be had even with a self-signed certificate.

So we could say it is there to assure our customers that our site really belongs to our company. But given the procedure of getting the certificate, I would say that all it proves is that our site is our site. The proof for the certification company was that they sent mail to an "official" address (like hostmaster@ or webmaster@) and that their automatic confirmation system called a number I'd given them on a web form. Any number; it does not have to match any company records.

In the end, what it does is make the funny error message about "something with 'not secure' and 'a certificate' is wrong" go away for our customers. I should have told her that the money was for debugging.

