What Is an SSL Certificate?
When you visit a website starting with https:// (and see a padlock in your browser), an SSL/TLS certificate is at work. It enables two critical security functions:
- Encryption – all data between your browser and the server is scrambled, unreadable to anyone intercepting it
- Authentication – it proves the website is genuinely operated by whoever it claims to be
Despite the common name "SSL certificate," modern connections actually use TLS (Transport Layer Security), the successor to the deprecated SSL protocol. The term "SSL" is still widely used out of habit.
How HTTPS Works
When your browser connects to an HTTPS site, a TLS handshake takes place:
- Your browser says hello and lists supported cipher suites
- The server responds with its certificate and chosen cipher
- Your browser verifies the certificate against trusted Certificate Authorities (CAs)
- A session key is exchanged using asymmetric cryptography
- All subsequent communication is encrypted with the session key
This entire process takes milliseconds.
What Does a Certificate Contain?
An SSL certificate is a digital document containing:
| Field | Description |
|---|---|
| Subject | The domain name(s) the cert is valid for |
| Issuer | The Certificate Authority that signed it |
| Valid from / to | Validity period (typically 1 year) |
| Public key | Used for key exchange during TLS handshake |
| Serial number | Unique identifier |
| SAN (Subject Alternative Names) | Additional domains covered (wildcards: *.example.com) |
| Signature algorithm | e.g., SHA-256 with RSA |
Types of SSL Certificates
By Validation Level
| Type | Validation | Use Case |
|---|---|---|
| DV (Domain Validated) | Automated, proves domain ownership | Blogs, small sites |
| OV (Organization Validated) | Manual, verifies company identity | Business websites |
| EV (Extended Validation) | Rigorous, company shown in browser | Banks, e-commerce |
By Coverage
- Single domain – covers only example.com
- Wildcard – covers *.example.com (all subdomains)
- Multi-domain (SAN) – covers multiple unrelated domains
Free SSL Certificates
Let's Encrypt is a free, automated, open Certificate Authority that has made HTTPS universal. It's used by millions of websites and offers 90-day certificates that auto-renew.
Most web hosts now offer free Let's Encrypt certificates out of the box.
Certificate Chain of Trust
No certificate stands alone. The trust model works as follows:
Root CA (trusted by browsers)
└── Intermediate CA
    └── Your website's certificate
Browsers come pre-installed with a list of trusted Root CAs (like DigiCert, GlobalSign, Let's Encrypt's root). They trust certificates signed by these authorities or their intermediates.
What Happens When a Certificate Expires?
If a certificate expires, browsers show a security warning blocking access to the site. Visitors see:
⚠️ Your connection is not private
This is why auto-renewal (as offered by Let's Encrypt / Certbot) is critical for production websites.
Checking a Certificate
You can inspect any website's SSL certificate:
- In browser: Click the padlock → "Certificate" → view details
- With our tool: Use our SSL Check Tool to see validity, issuer, expiry date, cipher strength and the full certificate chain
What to look for:
- ✅ Certificate is not expired
- ✅ Domain name matches exactly
- ✅ Issued by a trusted CA
- ✅ Strong key (RSA 2048+ or ECDSA 256+)
- ✅ Modern signature algorithm (SHA-256 or better)
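The first two checks in the list above (expiry and name match, including the wildcard rule) can be scripted. The sketch below is an added example, not part of the original page or of any tool it mentions; the sample certificate is constructed, and `audit`, `name_matches`, `fetch_cert` and the 30-day `warn_days` threshold are assumed names and values. Key size and signature algorithm are not exposed by Python's `getpeercert()` dictionary and are not covered here.

```python
import socket
import ssl
import time

# Constructed sample in the dict shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",  # 90-day lifetime
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def name_matches(pattern, host):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first_label, _, parent = host.partition(".")
        return bool(first_label) and parent == pattern[2:]
    return pattern == host

def audit(cert, host, now=None, warn_days=30):
    """Return a list of findings; an empty list means both checks passed."""
    now = time.time() if now is None else now
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    remaining = ssl.cert_time_to_seconds(cert["notAfter"]) - now
    if remaining < 0:
        findings.append("expired")
    elif remaining < warn_days * 86400:  # warn_days is an assumed threshold
        findings.append("expires soon")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(san, host) for san in sans):
        findings.append("hostname mismatch")
    return findings

def fetch_cert(host, port=443, timeout=5):
    """Live use: the default context rejects untrusted chains during the handshake."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    print(audit(SAMPLE_CERT, "www.example.com"))  # evaluated against the current time
```

Against a live host, `fetch_cert` raises `ssl.SSLCertVerificationError` for an expired, mismatched or untrusted certificate, so `audit` mainly adds the early-expiry warning there.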
HTTP vs HTTPS
| | HTTP | HTTPS |
|---|---|---|
| Encryption | None | TLS encryption |
| Data integrity | Unprotected | Tamper-proof |
| Authentication | None | Verified identity |
| SEO | Penalized by Google | Preferred |
| Browser indicator | "Not secure" | Padlock |
Since 2014, Google has used HTTPS as a ranking signal. In 2018, Chrome started marking all HTTP pages as "Not Secure." Today, there is no good reason to run a public website without HTTPS.
Last updated: April 2024