SSL/TLS certificates are the foundation of secure internet communication. When you see the padlock icon in your browser's address bar, it means the website is using SSL/TLS to encrypt your connection. This technology protects sensitive data like passwords, credit cards, and personal information from being intercepted.
What is SSL/TLS?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that secure communications over networks. TLS is the modern successor to SSL, but the term "SSL" is still commonly used to refer to both.
SSL is technically deprecated. What we call "SSL certificates" today actually use TLS. SSL 3.0 was the last SSL version (1996), followed by TLS 1.0 (1999), 1.1 (2006), 1.2 (2008), and TLS 1.3 (2018). Modern websites should use TLS 1.2 or 1.3.
What SSL/TLS Provides
- Encryption: Data is encrypted so only the intended recipient can read it
- Authentication: Verifies you're connected to the legitimate website, not an impostor
- Integrity: Ensures data hasn't been modified during transmission
HTTP vs HTTPS
| Aspect | HTTP | HTTPS |
|---|---|---|
| Port | 80 | 443 |
| Encryption | None | TLS encrypted |
| URL prefix | http:// | https:// |
| Browser indicator | "Not Secure" warning | Padlock icon |
How the Handshake Works
When you connect to an HTTPS website, a "TLS handshake" occurs in milliseconds:
- Client Hello: Your browser sends supported TLS versions and cipher suites
- Server Hello: The server responds with chosen protocol and cipher
- Certificate: Server sends its SSL certificate
- Verification: Browser verifies the certificate is valid and trusted
- Key Exchange: Client and server establish session encryption keys
- Secure Connection: All subsequent data is encrypted
```text
Client                                 Server
  |                                      |
  |------- Client Hello ---------------->|
  |                                      |
  |<------ Server Hello -----------------|
  |<------ Certificate ------------------|
  |                                      |
  |------- Key Exchange ---------------->|
  |                                      |
  |<====== Encrypted Data ==============>|
```
What's in a Certificate?
An SSL certificate contains:
- Domain name(s): Which domains the certificate is valid for
- Public key: Used to encrypt data sent to the server
- Issuer: The Certificate Authority that issued it
- Validity period: When the certificate expires
- Signature: Cryptographic proof from the issuing CA
Certificate Types
By Validation Level
| Type | Validation | Best For |
|---|---|---|
| Domain Validation (DV) | Proves domain ownership only | Blogs, personal sites |
| Organization Validation (OV) | Verifies organization identity | Business websites |
| Extended Validation (EV) | Rigorous identity verification | Banks, e-commerce |
For encryption purposes, a free DV certificate (like those from Let's Encrypt) provides the same level of security as expensive EV certificates. EV certificates mainly provide additional identity verification, which is less important than it once was.
By Coverage
| Type | Covers | Example |
|---|---|---|
| Single Domain | One specific domain | example.com |
| Wildcard | Domain and all subdomains | *.example.com |
| Multi-Domain (SAN) | Multiple specific domains | example.com, example.org |
Verifying Certificates
In Your Browser
Click the padlock icon in your browser's address bar to view certificate details:
- Issued to: The domain(s) the certificate covers
- Issued by: The Certificate Authority
- Valid from/to: The certificate's validity period
- Fingerprint: Unique identifier for the certificate
Using Command Line
```bash
# View certificate details (piping from echo closes stdin so s_client exits after the handshake)
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -text

# Check certificate expiration
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | \
  openssl x509 -noout -dates

# View certificate chain (the leaf plus any intermediates the server sends)
echo | openssl s_client -connect example.com:443 -servername example.com -showcerts
```
What to Look For
- Valid dates: Certificate should not be expired
- Correct domain: Should match the site you're visiting
- Trusted issuer: Should be from a recognized Certificate Authority
- Complete chain: Intermediate certificates should be properly configured
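The first two checks in the list above (validity dates and correct domain) can be automated over the text that `openssl x509 -noout -dates -ext subjectAltName` prints. The following is an added example, not part of the original article; the certificate text is constructed, and the hostname matching also covers the wildcard rule from the coverage table (`*.example.com` covers one label only).

```python
from datetime import datetime, timezone

# Constructed sample in the format openssl prints for -dates and -ext subjectAltName.
SAMPLE = """\
notBefore=Mar  1 00:00:00 2024 GMT
notAfter=May 30 23:59:59 2024 GMT
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com
"""
NOW = datetime(2024, 4, 15, tzinfo=timezone.utc)  # constructed "current time"

def _parse_openssl_date(s):
    # openssl pads single-digit days with a second space ("Mar  1 ..."), so normalise whitespace.
    return datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def parse_openssl_text(text):
    """Return (not_before, not_after, [DNS names from the SAN extension])."""
    not_before = not_after = None
    names = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("notBefore="):
            not_before = _parse_openssl_date(line.split("=", 1)[1])
        elif line.startswith("notAfter="):
            not_after = _parse_openssl_date(line.split("=", 1)[1])
        elif line.startswith("DNS:"):
            names += [n.strip()[4:] for n in line.split(",") if n.strip().startswith("DNS:")]
    return not_before, not_after, names

def hostname_matches(hostname, names):
    """A wildcard covers exactly one leftmost label: *.example.com matches
    www.example.com but neither example.com nor a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            h_labels, n_labels = host.split("."), name.split(".")
            if len(h_labels) == len(n_labels) and h_labels[1:] == n_labels[1:]:
                return True
    return False

def check(text, hostname, now=NOW):
    """Return the list of failed checks ('date', 'hostname'); empty means both pass."""
    not_before, not_after, names = parse_openssl_text(text)
    problems = []
    if not (not_before <= now <= not_after):
        problems.append("date")
    if not hostname_matches(hostname, names):
        problems.append("hostname")
    return problems
```

Trusted issuer and chain completeness are not visible in this text and still need the full `-showcerts` output checked against your trust store.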
Common SSL Issues
Certificate Errors
| Error | Cause | Solution |
|---|---|---|
| NET::ERR_CERT_DATE_INVALID | Certificate expired | Site owner must renew certificate |
| NET::ERR_CERT_COMMON_NAME_INVALID | Domain mismatch | Certificate doesn't cover this domain |
| NET::ERR_CERT_AUTHORITY_INVALID | Untrusted issuer | Self-signed or unknown CA |
| ERR_SSL_PROTOCOL_ERROR | Protocol mismatch | Server may use outdated TLS version |
Certificate errors can indicate a man-in-the-middle attack. Never enter sensitive information on a site with certificate errors. If you see warnings on a site you trust, contact them directly (not through links on the page) to report the issue.
Mixed Content
Mixed content occurs when an HTTPS page loads resources over HTTP:
- Passive mixed content: Images, videos (less severe)
- Active mixed content: Scripts, iframes (browsers block these)
Getting a Certificate
Options for obtaining SSL certificates:
- Let's Encrypt: Free, automated DV certificates (most popular)
- Commercial CAs: DigiCert, Comodo, GlobalSign for OV/EV certs
- Cloud providers: AWS, Cloudflare, etc. offer free certificates