# What is an SSL Certificate?
An SSL certificate (Secure Sockets Layer certificate) is a digital certificate that authenticates a website's identity and establishes an encrypted connection between a web server and browser. Although SSL has been superseded by TLS (Transport Layer Security), the term "SSL certificate" remains widely used. These certificates are essential for HTTPS websites, displaying the padlock icon that signals security to visitors.
## How SSL Certificates Work
### The Handshake Process
1. Browser requests secure connection
2. Server sends SSL certificate + public key
3. Browser verifies the certificate chain against the CA roots it trusts
4. Browser creates session key, encrypts with public key
5. Server decrypts with private key
6. Encrypted session established

Steps 4 and 5 describe RSA key transport, which TLS 1.2 and earlier support. TLS 1.3 removed it: the session key comes from an ephemeral Diffie-Hellman exchange and the certificate's key only signs the handshake, so a private key that leaks later cannot decrypt previously recorded traffic (forward secrecy).
## Certificate Types
### By Validation Level
| Type | Validation | Time | Trust Level | Use Case |
|---|---|---|---|---|
| DV (Domain) | Domain ownership only | Minutes | Basic | Blogs, small sites |
| OV (Organization) | Business verification | 1-3 days | Medium | Business websites |
| EV (Extended) | Extensive verification | 1-2 weeks | Highest | Banks, e-commerce |
### By Coverage
| Type | Covers | Example |
|---|---|---|
| Single domain | One domain | example.com |
| Wildcard | Domain + all subdomains | *.example.com |
| Multi-domain (SAN) | Multiple specific domains | example.com, example.org |
## Certificate Authorities (CAs)
Trusted entities that issue certificates:
- Commercial: DigiCert, Sectigo, GlobalSign
- Free: Let's Encrypt, ZeroSSL
- Cloud providers: AWS Certificate Manager, Cloudflare
## Obtaining an SSL Certificate
### Free Options (Let's Encrypt)
```bash
# Obtain a certificate and configure nginx to use it
sudo certbot --nginx -d example.com -d www.example.com
# Test the renewal process without changing anything; real renewals
# run from the systemd timer or cron job that certbot installs
sudo certbot renew --dry-run
```
### Commercial Purchase Process
1. Generate CSR (Certificate Signing Request)
2. Submit to Certificate Authority
3. Complete validation (DV/OV/EV)
4. Download and install certificate
### DNS Configuration (CAA Records)
Specify which CAs can issue certificates:
```
example.com. CAA 0 issue "letsencrypt.org"
example.com. CAA 0 issuewild "letsencrypt.org"
```
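To show how a CA is expected to evaluate records like these, here is an added example (not part of the original page) that models the RFC 8659 lookup over a constructed dictionary of CAA record sets instead of querying DNS. The names `nowild.example.com`, `locked.example.org` and the DigiCert policy on `example.org` are constructed test data; only the two `example.com` records come from the page.

```python
"""CAA policy check on constructed data (added example).

Rules modelled from RFC 8659: walk from the requested name up towards the
root until a name with CAA records is found; 'issuewild' overrides 'issue'
for wildcard requests when present; a value of ';' names no CA at all; and
no CAA record anywhere up the tree means any CA may issue."""

# Constructed CAA data. Each record is (flags, tag, value), as in the zone lines above.
CAA_RECORDS = {
    "example.com.": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org"),
    ],
    "nowild.example.com.": [                  # constructed: non-wildcard only
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", ";"),                # ';' = no CA may issue wildcard certs here
    ],
    "locked.example.org.": [                  # constructed: issuance forbidden entirely
        (0, "issue", ";"),
    ],
    "example.org.": [                         # constructed: a different CA for the parent
        (0, "issue", "digicert.com"),
    ],
}


def parent(name):
    """'a.b.example.com.' -> 'b.example.com.'; None once the top-level label is consumed."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else None


def relevant_caa_set(name, records):
    """Nearest non-empty CAA record set at or above `name` (RFC 8659 section 3)."""
    node = name.rstrip(".").lower() + "."
    while node is not None:
        rrset = records.get(node, [])
        if rrset:
            return rrset
        node = parent(node)
    return []


def issuer_domain(value):
    """CA identifier from a property value: the text before any ';' parameters,
    lower-cased. An empty result (value ';') names nobody."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(hostname, ca_domain, records=CAA_RECORDS, wildcard=False):
    """True if `ca_domain` may issue for `hostname`, or for '*.' + hostname when wildcard=True."""
    rrset = relevant_caa_set(hostname, records)
    if not rrset:
        return True                      # no CAA anywhere up the tree: unrestricted
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"                # issuewild, when present, replaces issue for wildcard requests
    allowed = [issuer_domain(v) for _, t, v in rrset if t == tag]
    if not allowed:
        return True                      # records exist but carry no relevant issue/issuewild property
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    checks = [
        ("www.example.com", "letsencrypt.org", False),
        ("www.example.com", "digicert.com", False),
        ("nowild.example.com", "letsencrypt.org", True),
        ("locked.example.org", "digicert.com", False),
        ("example.net", "any-ca.example", False),
    ]
    for host, ca, wc in checks:
        label = "*." + host if wc else host
        print(f"{ca:>16} -> {label:<24} {'allowed' if ca_may_issue(host, ca, wildcard=wc) else 'DENIED'}")
```

The walk up the tree is why a CAA record at the zone apex protects every subdomain that has no records of its own, and why an `issuewild ";"` at one name blocks wildcard issuance there without touching ordinary certificates.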
## Certificate Components
| Component | Purpose |
|---|---|
| Public key | Encrypts data sent to server |
| Private key | Decrypts data (keep secret!) |
| Certificate chain | Links to trusted root CA |
| Validity period | Expiration date (typically 90 days - 1 year) |
## Best Practices
1. Use TLS 1.2+: Disable older protocols
2. Automate renewal: Prevent expiration outages
3. Secure private key: Never share or expose
4. Use strong ciphers: Configure secure cipher suites
5. Implement HSTS: Force HTTPS connections
6. Monitor expiration: Set up alerts before expiry
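Practices 1 and 4 above are settings on the server's TLS context. As an added example (not from the original page, standard library only), here is a Python server context that enforces TLS 1.2 as the floor and limits the TLS 1.2 cipher list to ECDHE key exchange with AEAD ciphers, together with an audit function that reports what a context actually allows. The certificate and key paths are placeholders and are not needed to build or audit the context.

```python
"""Hardened TLS server context and an audit of its settings (added example)."""
import ssl

# Substrings that mark legacy or broken cipher suites if they ever show up in an audit.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXPORT", "ADH")


def build_server_context(certfile=None, keyfile=None):
    """Server context: TLS 1.2+ only, forward-secret AEAD suites, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2          # practice 1: SSLv3, TLS 1.0 and 1.1 are off
    # Practice 4: ECDHE (forward secrecy) + AES-GCM or ChaCha20 only, for TLS 1.2.
    # TLS 1.3 suites are fixed by OpenSSL and are all AEAD with ephemeral key exchange.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!PSK:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION                  # TLS compression leaks plaintext (CRIME)
    if certfile:
        # Placeholder paths: leaf certificate followed by intermediates, plus the private key,
        # which stays on the server (practice 3).
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def audit_context(ctx):
    """Summarise what a context permits, so a misconfigured one is visible at a glance."""
    ciphers = ctx.get_ciphers()
    weak = [c["name"] for c in ciphers
            if any(m in c["name"].upper() for m in WEAK_MARKERS)]
    non_forward_secret = [c["name"] for c in ciphers
                          if c["protocol"] != "TLSv1.3" and not c["name"].startswith("ECDHE-")]
    return {
        "minimum_version": ctx.minimum_version.name,
        "allows_legacy_protocols": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
        "cipher_count": len(ciphers),
        "weak_ciphers": weak,
        "non_forward_secret": non_forward_secret,
    }


if __name__ == "__main__":
    print("hardened:", audit_context(build_server_context()))
    print("library default:", audit_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)))
```

Running the script prints the audit for the hardened context next to the one for a bare `SSLContext`, which is a quick way to see how much the defaults leave open before any of the practices above are applied.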
## Common Issues
- Certificate mismatch: Domain doesn't match certificate
- Expired certificate: Validity period exceeded
- Chain incomplete: Missing intermediate certificates
- Mixed content: HTTP resources on HTTPS page
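The first two issues, and the expiry alert from the best-practices list, can be checked programmatically. The following is an added example (not from the original page, standard library only) that works on the dictionary shape `ssl.SSLSocket.getpeercert()` returns, so the constructed 90-day sample certificate below can be swapped for a live one. It implements the RFC 6125 wildcard rule behind the coverage table above: `*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`.

```python
"""Hostname-match and validity checks on a getpeercert()-style dictionary (added example)."""
import ssl
import time

# Constructed certificate: example.com plus one level of subdomains, valid for 90 days.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}


def dns_name_matches(pattern, hostname):
    """RFC 6125 matching: exact match, or a '*' that is the whole left-most label
    and stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:   # reject 'w*.example.com' and '*.com' style patterns
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def covered_names(cert):
    """DNS names the certificate is valid for (browsers ignore the CN when a SAN is present)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_certificate(cert, hostname, now=None, warn_days=14):
    """Return a list of problems; an empty list means the certificate fits `hostname` at time `now`."""
    now = time.time() if now is None else now
    problems = []
    names = covered_names(cert)
    if not any(dns_name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} is not covered by {names}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("not yet valid")
    elif now > not_after:
        problems.append("expired")
    else:
        days_left = int((not_after - now) // 86400)
        if days_left < warn_days:                  # the alert from best practice 6
            problems.append(f"expires in {days_left} days")
    return problems


if __name__ == "__main__":
    # Constructed "current time": Mar 25 2025 00:00 UTC, one week before the sample expires.
    now = ssl.cert_time_to_seconds("Mar 25 00:00:00 2025 GMT")
    for host in ("example.com", "www.example.com", "api.eu.example.com"):
        print(f"{host:<22} {check_certificate(SAMPLE_CERT, host, now=now) or 'OK'}")
```

On a live connection the same function runs on `sock.getpeercert()`; the `now` argument exists so the expiry path can be exercised deterministically, as in the script's own run at a fixed date.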
SSL certificates are fundamental to web security, enabling encrypted communications that protect sensitive data during transmission.