How to choose an SSL certificate correctly: the technical level
In an SSL deployment, applying for and configuring the SSL certificate is the most important step. Deciding which SSL certificate to buy is not only a technical question; it also involves the company's strategy, its attitude to service and its management. This article discusses the choice of server certificate from the technical level only.

A common misconception in the market is that the higher the "encryption bits" of an SSL certificate, the better. An SSL connection actually involves two different key lengths. The first is the length of the certificate's public key, offered as 512 bits, 1024 bits or 2048 bits, with 1024 bits being the mainstream at the time of writing. The second is the length of the session key (the symmetric key), offered as 40 bits, 128 bits or 256 bits, with 128 bits being the mainstream. The public-key algorithm is used to protect the session key during the handshake (with RSA key exchange, the client encrypts the premaster secret to the server's public key); once the SSL session is established, the session key encrypts the session content itself. The session key length depends on what the browser supports. Microsoft's IE browsers come in 40-bit and 128-bit variants; VeriSign SSL certificates use SGC (Server Gated Cryptography), which forces 128-bit encryption even with a 40-bit IE browser. Other browsers, such as Firefox, support 128 bits.

At the current technical level the mainstream key lengths are very hard to break, and brute force takes a very long time. Since the SSL session key is used once and is valid only for a short time, there is essentially no chance of it being brute-forced. Encryption consumes server resources, and a longer key means a heavier performance load. On the premise that the mainstream key length already provides sufficient security, a longer key only adds load without adding useful security. One caveat applies to the public-key figure above: 1024-bit RSA has since been deprecated, public CAs no longer issue 1024-bit certificates, and 2048 bits is now the minimum browsers and CA policy accept, so the "mainstream" length should be read as 2048 bits today.

There is also much dispute in the market about the length of the certificate chain of an SSL certificate.
Some argue that VeriSign's certificate chain has two levels in the United States but three levels in China, and that verifying a three-level chain takes longer. In fact, chain length has many causes, involving different security levels and certificate issuing policies, and cannot be judged by a single rule. A longer chain does take longer to verify, but below four levels the difference in performance is negligible. For example, the current VeriSign Extended Validation (EV) SSL certificate is served with two certificate chains: a three-level chain for newer browsers such as IE7, and a four-level chain for older browsers such as IE6 on Windows 2003. A two-level structure, in which the root CA issues end-entity certificates directly, requires the root key to be online whenever a certificate is issued; if issuance is continuous, the root key must stay online all the time. That violates the basic CA key-management principle of keeping the root key offline and greatly increases the risk to the root key, so this kind of certificate is no longer a mainstream certificate type.
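The two points above, public-key length and chain depth, can be checked with the openssl command line. The following script is an added example, not code from the original article or from any CA: it builds a three-level chain (offline root, issuing intermediate, server certificate) and a two-level chain (server certificate signed directly by the root, which is exactly the case that keeps the root key online), then reports the public-key size and chain depth of each and verifies the three-level chain with and without its intermediate. It assumes an openssl CLI of version 1.1.1 or later; the CA names, the hostname www.example.com and the 1024-bit key on the directly issued certificate are all made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): build a three-level and a
# two-level certificate chain with OpenSSL, then inspect key size and chain
# depth and verify the chains. Assumes openssl >= 1.1.1; all names are demo.
set -e

D=$(mktemp -d)
CNF="$D/ext.cnf"

# Minimal config: a DN section (overridden by -subj) plus two extension
# profiles, one for CA certificates and one for server (leaf) certificates.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF

# Self-signed root CA. In a real PKI this key stays offline and signs only
# intermediates; that is the reason for the three-level design.
openssl req -x509 -new -newkey rsa:4096 -nodes -days 3650 \
  -keyout "$D/root.key" -out "$D/root.crt" -subj "/CN=Demo Root CA" \
  -config "$CNF" -extensions ca_ext 2>/dev/null

# Issuing (intermediate) CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout "$D/int.key" \
  -out "$D/int.csr" -subj "/CN=Demo Issuing CA" -config "$CNF" 2>/dev/null
openssl x509 -req -in "$D/int.csr" -CA "$D/root.crt" -CAkey "$D/root.key" \
  -CAcreateserial -days 1825 -out "$D/int.crt" \
  -extfile "$CNF" -extensions ca_ext 2>/dev/null

# Server certificate signed by the intermediate: a three-level chain.
openssl req -new -newkey rsa:2048 -nodes -keyout "$D/leaf.key" \
  -out "$D/leaf.csr" -subj "/CN=www.example.com" -config "$CNF" 2>/dev/null
openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.crt" -CAkey "$D/int.key" \
  -CAcreateserial -days 397 -out "$D/leaf.crt" \
  -extfile "$CNF" -extensions leaf_ext 2>/dev/null

# Server certificate signed directly by the root: a two-level chain. Note
# that root.key has to be online for this step. The key is deliberately
# 1024 bits so the policy check below has something to reject.
openssl req -new -newkey rsa:1024 -nodes -keyout "$D/direct.key" \
  -out "$D/direct.csr" -subj "/CN=www.example.com" -config "$CNF" 2>/dev/null
openssl x509 -req -in "$D/direct.csr" -CA "$D/root.crt" -CAkey "$D/root.key" \
  -CAcreateserial -days 397 -out "$D/direct.crt" \
  -extfile "$CNF" -extensions leaf_ext 2>/dev/null

# Bundles in the order a server would send them (leaf first).
cat "$D/leaf.crt" "$D/int.crt" "$D/root.crt" > "$D/chain3.pem"
cat "$D/direct.crt" "$D/root.crt" > "$D/chain2.pem"

# Size in bits of the RSA modulus in a certificate's public key.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Number of certificates in a PEM bundle (the chain depth seen by clients).
chain_depth() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Policy check: reject RSA keys shorter than $2 bits. 2048 is the floor
# public CAs and browsers have enforced since 2014; 1024-bit keys fail it.
key_long_enough() {
  [ "$(key_bits "$1")" -ge "$2" ]
}

# Verify leaf $1 against trust anchor $3; $2 is an optional intermediates
# file. Returns openssl's exit status (0 = chain builds and validates).
verify_chain() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
  fi
}

echo "three-level: leaf key $(key_bits "$D/leaf.crt") bits, depth $(chain_depth "$D/chain3.pem")"
echo "two-level:   leaf key $(key_bits "$D/direct.crt") bits, depth $(chain_depth "$D/chain2.pem")"
```

Run it as-is; it writes everything to a temporary directory. The point to notice is the negative case: verify_chain on leaf.crt without int.crt fails, which is why a server must send its intermediates, and why the depth of the chain it sends matters more for correctness than for handshake time.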