SSL/TLS Certificates Explained: How HTTPS Keeps You Safe Online

Every time you see the padlock icon in your browser's address bar, a sophisticated cryptographic protocol is working behind the scenes to protect your data. SSL/TLS certificates are the backbone of secure internet communication, encrypting everything from online banking transactions to social media logins. Yet most people have only a vague understanding of what these certificates actually do and how they work.

In this comprehensive guide, we will demystify SSL/TLS certificates, explain the technology at a practical level, walk through the TLS handshake step by step, and help you understand what to look for when assessing a website's security. You can also check any website's certificate using our SSL Checker tool.

SSL vs. TLS: Clearing Up the Confusion

Before we go further, let us address the terminology. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are often used interchangeably, but they are not the same thing:

• SSL 1.0 (1994): Never publicly released due to security flaws.
• SSL 2.0 (1995): First public release, now deprecated and considered insecure.
• SSL 3.0 (1996): Major improvement, but also deprecated since 2015 due to the POODLE vulnerability.
• TLS 1.0 (1999): First version of TLS, an evolution of SSL 3.0. Deprecated in 2020.
• TLS 1.1 (2006): Incremental improvement. Also deprecated in 2020.
• TLS 1.2 (2008): Widely used today. Considered secure when properly configured.
• TLS 1.3 (2018): The current standard. Faster and more secure than all previous versions.

When people say "SSL certificate," they almost always mean a certificate used with the TLS protocol. The correct term today is "TLS certificate," but "SSL certificate" persists in common usage. Throughout this article, we will use "TLS" when discussing the protocol and "SSL/TLS certificate" when referring to the certificates themselves.

What an SSL/TLS Certificate Contains

An SSL/TLS certificate is a digital document that binds a cryptographic key to an organization's identity. Here is what a certificate typically contains:

• Subject: The domain name (and optionally the organization name) the certificate was issued for
• Issuer: The Certificate Authority (CA) that issued the certificate
• Serial number: A unique identifier for the certificate
• Validity period: The "Not Before" and "Not After" dates between which the certificate is valid
• Public key: The server's public key used for encryption
• Signature algorithm: The cryptographic algorithm used to sign the certificate (e.g., SHA-256 with RSA)
• Subject Alternative Names (SANs): Additional domain names and subdomains covered by the certificate
• Key Usage and Extended Key Usage: What the certificate is authorized to do (e.g., server authentication, client authentication)

You can inspect all of these fields for any website using our SSL Checker tool, which retrieves and parses the certificate in real time.

How the TLS Handshake Works

The TLS handshake is the process by which a client (your browser) and a server establish a secure connection. Here is a step-by-step breakdown of the TLS 1.3 handshake, which is the current standard:

Step 1: Client Hello

Your browser sends a "Client Hello" message to the server, which includes:

• The TLS versions it supports
• A list of supported cipher suites (encryption algorithms)
• A random number (Client Random)
• Key share parameters for Diffie-Hellman key exchange

Step 2: Server Hello

The server responds with a "Server Hello" message containing:

• The chosen TLS version (ideally TLS 1.3)
• The selected cipher suite
• A random number (Server Random)
• The server's key share for Diffie-Hellman

Step 3: Server Certificate

The server sends its SSL/TLS certificate to the client. This is the certificate that proves the server's identity.

Step 4: Certificate Verification

Your browser verifies the certificate by:

1. Checking that the certificate is signed by a trusted Certificate Authority
2. Verifying the certificate has not expired
3. Confirming the domain name matches the certificate's subject or SANs
4. Checking that the certificate has not been revoked (using OCSP or CRL)

Step 5: Key Generation

Both the client and server independently compute the same session keys using the exchanged Diffie-Hellman parameters. These session keys will be used for symmetric encryption of the actual data transfer.

Step 6: Finished

Both sides send a "Finished" message encrypted with the new session keys, confirming the handshake is complete. All subsequent communication is encrypted.

TLS 1.3 improvement: This entire handshake takes just one round trip (1-RTT), compared to two round trips in TLS 1.2. This makes initial connections measurably faster. TLS 1.3 also supports 0-RTT resumption for repeat visits, where the handshake is completed with zero additional round trips, though this comes with some replay attack considerations.

Types of SSL/TLS Certificates

Domain Validation (DV) Certificates

DV certificates verify only that the applicant controls the domain. The CA confirms control through one of several methods: placing a specific file on the web server, adding a DNS record, or responding to an email sent to the domain's administrative contact.

• Issuance time: Minutes to hours
• Cost: Free (Let's Encrypt) to $50/year
• Browser indicator: Padlock icon
• Best for: Personal websites, blogs, small businesses

Organization Validation (OV) Certificates

OV certificates include verification of the organization's legal existence and identity. The CA checks business registration documents and may make phone calls to verify the applicant.

• Issuance time: 1-3 days
• Cost: $50-$200/year
• Browser indicator: Padlock icon (organization name visible in certificate details)
• Best for: Business websites, e-commerce sites

Extended Validation (EV) Certificates

EV certificates require the most rigorous verification process. The CA verifies the legal, physical, and operational existence of the organization through extensive documentation and verification calls.

• Issuance time: 1-2 weeks
• Cost: $100-$500/year
• Browser indicator: Padlock icon (organization name visible in certificate details; some older browsers showed a green address bar)
• Best for: Banks, financial institutions, large enterprises

Wildcard Certificates

A wildcard certificate secures a domain and all its first-level subdomains. For example, a wildcard certificate for "*.example.com" covers "www.example.com," "mail.example.com," "api.example.com," and so on. It does not cover multi-level subdomains like "sub.api.example.com."

Multi-Domain (SAN) Certificates

A single certificate that covers multiple different domain names using Subject Alternative Names. For example, one certificate could cover "example.com," "example.org," and "example.net."

Certificate Authorities and the Chain of Trust

Certificate Authorities form a hierarchical trust model:

1. Root CAs are pre-installed in your browser and operating system's trust store. These are organizations like DigiCert, Sectigo, GlobalSign, and Let's Encrypt (via ISRG Root).
2. Intermediate CAs are signed by root CAs. They issue certificates to end users. This layering protects root CAs; if an intermediate CA is compromised, the root CA can revoke it without invalidating all certificates.
3. End-Entity Certificates are the certificates installed on web servers. They are signed by intermediate CAs.

When your browser verifies a certificate, it builds a chain from the end-entity certificate through any intermediate certificates up to a trusted root. If every link in the chain is valid and trusted, the certificate is accepted.

You can inspect the full certificate chain for any website using our SSL Checker tool, which shows the end-entity certificate, intermediate certificates, and the root CA.

Common SSL/TLS Errors and What They Mean

ERR_CERT_DATE_INVALID

The certificate has expired. Certificates are typically valid for 90 days (Let's Encrypt) to 397 days (commercial CAs). This error means the site administrator has not renewed the certificate.

ERR_CERT_AUTHORITY_INVALID

The certificate was not issued by a trusted Certificate Authority. This could indicate a self-signed certificate, a missing intermediate certificate, or potentially a man-in-the-middle attack.

ERR_CERT_COMMON_NAME_INVALID

The domain name you are visiting does not match the domain names listed in the certificate. For example, the certificate is for "www.example.com" but you navigated to "example.com" without a matching SAN.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

The server and your browser could not agree on a TLS version or cipher suite. This usually means the server is running an outdated TLS configuration.

Mixed Content Warnings

The page loads over HTTPS but includes resources (images, scripts, stylesheets) served over HTTP. Modern browsers block active mixed content (scripts) and may warn about passive mixed content (images).

Let's Encrypt and Free SSL

Let's Encrypt, launched in 2016, revolutionized web security by providing free, automated SSL/TLS certificates. Before Let's Encrypt, the cost and complexity of obtaining certificates was a significant barrier, and many websites ran without HTTPS.

Today, Let's Encrypt issues certificates for over 300 million websites and has played a major role in pushing HTTPS adoption past 95% of web traffic. Their ACME (Automated Certificate Management Environment) protocol enables fully automated certificate issuance and renewal, meaning administrators can set it up once and certificates renew automatically every 60-90 days.

How to Check a Website's SSL/TLS Certificate

Using Your Browser

1. Click the padlock icon in the address bar
2. Click "Certificate" or "Connection is secure" and then "Certificate is valid"
3. You will see the certificate details including issuer, validity dates, and subject information

Using Our SSL Checker Tool

Our SSL Checker provides a comprehensive analysis including:

• Certificate validity dates and remaining time until expiration
• The complete certificate chain
• Supported TLS versions and cipher suites
• Security grade and configuration recommendations

Using Command Line

# View certificate details
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -text -noout

# Check certificate expiration
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -enddate -noout

You can also use our HTTP Headers tool to check security-related headers like Strict-Transport-Security (HSTS), which forces browsers to always use HTTPS.

Key Takeaways

• SSL/TLS certificates encrypt communication between browsers and servers using asymmetric and symmetric cryptography
• TLS 1.3 is the current standard, completing the handshake in just one round trip
• DV, OV, and EV certificates offer increasing levels of identity verification
• Certificate Authorities form a hierarchical chain of trust that browsers use to validate certificates
• Free certificates from Let's Encrypt have made HTTPS accessible to every website
• Always check for the padlock icon, but understand that it only confirms encryption, not that the site itself is trustworthy
• Use our SSL Checker to inspect any website's certificate and security configuration

Related Articles:

• DNS Records Explained: A Complete Guide to A, AAAA, MX, NS, TXT, and CNAME
• User Agent Strings Explained: What Websites Know About Your Browser
• Reverse DNS Explained: What PTR Records Are and Why They Matter