SSL Certificates: What They Are and How to Get One
An SSL certificate authenticates a website and enables encrypted HTTPS connections.
SSL Certificates
An SSL certificate is what turns your site's address bar from a plain HTTP connection into the padlock-secured HTTPS. It proves your site's identity to browsers and users, enables encrypted communication, and is a basic requirement for any website that handles user data, login credentials, or payment information.
What Is an SSL Certificate
An SSL certificate, more accurately called a TLS certificate, is a digital document issued by a trusted Certificate Authority (CA). It binds a public cryptographic key to an identity, whether that identity is a domain name, an organisation, or both. When a browser connects to your server over HTTPS, it requests this certificate, verifies its authenticity against its list of trusted CAs, and uses the public key it contains to initiate an encrypted session.
The certificate serves two distinct purposes simultaneously. First, it provides authentication: it proves to the browser that it is communicating with the genuine server for the domain in the address bar rather than an impostor. Second, it enables encryption: the public key in the certificate is used during the TLS handshake to establish a shared session key that encrypts all subsequent communication. Without a valid certificate, neither authentication nor encryption is possible over HTTPS.
The term SSL certificate is a legacy name that has persisted even though SSL itself was deprecated years ago. Every certificate used on the modern web is a TLS certificate operating under the TLS protocol. The two terms are used interchangeably throughout the industry, in hosting control panels, and in developer documentation, even though SSL has not been in use since TLS replaced it.
What Is Inside an SSL Certificate
A TLS certificate is structured according to the X.509 standard, which defines the fields it must contain and how they are encoded. Examining a certificate reveals all the information the browser uses to verify its validity and trustworthiness.
| Field | What It Contains | Example |
|---|---|---|
| Subject / Common Name | The primary domain name the certificate covers | example.com |
| Subject Alternative Names (SAN) | Additional domains or subdomains covered by the same certificate | www.example.com, blog.example.com |
| Issuer | The Certificate Authority that signed and vouches for this certificate | Let's Encrypt Authority X3, DigiCert Global CA |
| Valid From | The date and time from which the certificate is considered valid | 2024-01-15 00:00:00 UTC |
| Expires | The date and time after which the certificate is no longer valid and browsers will reject it | 2024-04-15 00:00:00 UTC |
| Public Key | The server's public cryptographic key used during the TLS handshake for key exchange | RSA 2048-bit or ECDSA P-256 key |
| Signature Algorithm | The algorithm the CA used to sign the certificate, which browsers use to verify the signature | SHA-256 with RSA, SHA-256 with ECDSA |
| Serial Number | A unique identifier assigned to this certificate by the issuing CA, used for revocation tracking | 03:af:29:b4:c7:... |
| Key Usage | The permitted uses for the certificate's public key, such as digital signature and key encipherment | Digital Signature, Key Encipherment |
| Certificate Fingerprint | A hash of the entire certificate used to uniquely identify it and verify it has not been tampered with | SHA-256: 2B:45:A7:... |
# View the full details of a server's certificate
openssl s_client -connect example.com:443 -showcerts 2>/dev/null | \
openssl x509 -text -noout
# Key fields in the output:
# Subject: CN=example.com
# Issuer: C=US, O=Let's Encrypt, CN=R3
# Validity:
# Not Before: Jan 15 00:00:00 2024 GMT
# Not After: Apr 15 00:00:00 2024 GMT
# Subject Alternative Names:
# DNS:example.com, DNS:www.example.com
# Public Key Algorithm: id-ecPublicKey (P-256)
# Check certificate expiry date only
echo | openssl s_client -connect example.com:443 2>/dev/null | \
openssl x509 -noout -datesTypes of SSL Certificates
Certificates differ in how much the CA verifies about the entity requesting them. Higher validation levels require more evidence and take longer to issue but provide stronger identity assurance to users. The encryption strength is identical across all types.
| Type | What It Validates | Issuance Time | Best For | Typical Cost |
|---|---|---|---|---|
| DV (Domain Validated) | Proves only that the requester controls the domain. No organisation identity is verified. | Minutes to hours (automated) | Personal sites, blogs, developer projects, most commercial websites | Free via Let's Encrypt |
| OV (Organisation Validated) | Domain ownership plus verification of the organisation's legal name, location, and operational status | Hours to a few days (manual vetting) | Business websites where displaying a verified organisation name builds user confidence | $50 to $200 per year |
| EV (Extended Validation) | Rigorous manual verification of the organisation including legal status, physical address, phone number, and operational existence | Several days to weeks | Banks, financial institutions, legal firms, and enterprises where maximum identity assurance is required | $200 to $1000 or more per year |
| Wildcard | Covers the root domain and all first-level subdomains such as *.example.com in a single certificate | Same as DV or OV depending on validation level | Sites with multiple subdomains such as api, blog, docs, mail, and staging that all require HTTPS | $80 to $300 per year |
| Multi-Domain (SAN) | Covers multiple entirely different domain names listed in the Subject Alternative Names field | Same as DV or OV depending on validation level | Agencies managing several client domains, organisations with multiple distinct domain names | $100 to $500 per year |
How to Get a Free SSL Certificate
Let's Encrypt has made free, automatically renewing domain-validated certificates available to any domain owner since 2015. It has become the most widely deployed CA on the internet. Most modern hosting platforms provision Let's Encrypt certificates automatically when you connect a custom domain, requiring no manual steps on your part.
If your host does not manage certificates automatically, you can install and configure one yourself using Certbot, the official Let's Encrypt client.
- Install Certbot on your server using your operating system's package manager. On Ubuntu:
sudo apt install certbot python3-certbot-nginx - Run the appropriate command for your web server. For Nginx:
sudo certbot --nginx -d example.com -d www.example.com. For Apache:sudo certbot --apache -d example.com - Certbot verifies your domain ownership by placing a temporary file at a known path that Let's Encrypt checks over HTTP
- On successful verification, Certbot downloads the certificate, installs it, and updates your server configuration automatically
- Certbot installs a cron job or systemd timer that attempts renewal every 12 hours and renews the certificate automatically when it is within 30 days of expiry
- Test the renewal process with
sudo certbot renew --dry-runto confirm automatic renewal is working before the certificate actually needs to be renewed
# Install certificate for Nginx (interactive)
sudo certbot --nginx -d example.com -d www.example.com
# Install certificate for Apache (interactive)
sudo certbot --apache -d example.com
# Obtain certificate only without modifying server config
sudo certbot certonly --webroot -w /var/www/html -d example.com
# List all certificates managed by Certbot on this server
sudo certbot certificates
# Test automatic renewal without actually renewing
sudo certbot renew --dry-run
# Force immediate renewal of all certificates
sudo certbot renew --force-renewal
# Revoke and delete a certificate
sudo certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pemCertificate Validation: How Browsers Verify Certificates
When your browser connects to an HTTPS site, it performs several checks on the certificate before allowing the connection to proceed. Understanding these checks explains the specific error messages you see when something goes wrong.
- Chain of trust verification: The browser checks that the certificate was signed by a CA it trusts, either directly from a root CA or through an intermediate CA that chains back to a trusted root. If the chain is broken or missing, the browser shows an error about an untrusted certificate.
- Domain name matching: The browser checks that the domain in the certificate's Common Name or Subject Alternative Names matches the domain in the address bar. A certificate issued for example.com will not be accepted for api.example.com unless the SAN field includes api.example.com or a wildcard *.example.com.
- Expiry check: The browser checks that the current date falls within the certificate's validity period. An expired certificate produces the NET::ERR_CERT_DATE_INVALID error.
- Revocation check: The browser may check whether the CA has revoked the certificate before its expiry date, which happens when a private key is compromised. This is done through OCSP (Online Certificate Status Protocol) or by checking a Certificate Revocation List (CRL).
- Certificate Transparency: Modern browsers require that certificates be logged to public Certificate Transparency logs maintained by Google and others. This makes it impossible for a CA to issue a certificate secretly without it being publicly visible and auditable.
What Happens When a Certificate Expires
When a TLS certificate passes its expiry date, browsers immediately begin rejecting the connection and displaying a full-page security warning. The warning blocks users from reaching the site by default and requires them to manually click through a confirmation to proceed, which most users will not do. Common error messages include "Your connection is not private", "NET::ERR_CERT_DATE_INVALID", and "This site's security certificate has expired."
An expired certificate effectively takes a website offline from the perspective of ordinary users and causes immediate and serious damage to user trust. For business websites, e-commerce stores, and any site handling sensitive information, certificate expiry is a critical incident. The practical solution is to use automated renewal through Let's Encrypt and Certbot so the certificate is renewed automatically before it ever expires. Monitoring services that alert you when a certificate is approaching expiry provide an additional safety net.
| Browser Error | Cause | Fix |
|---|---|---|
| NET::ERR_CERT_DATE_INVALID | Certificate has expired or is not yet valid | Renew the certificate. Check server clock is correct. |
| NET::ERR_CERT_AUTHORITY_INVALID | Certificate is self-signed or issued by an untrusted CA | Replace with a certificate from a trusted CA such as Let's Encrypt. |
| NET::ERR_CERT_COMMON_NAME_INVALID | Certificate domain does not match the URL in the address bar | Obtain a certificate that includes the correct domain in its SAN fields. |
| NET::ERR_CERT_REVOKED | The CA has revoked this certificate before its expiry | Obtain a new certificate. Investigate why the original was revoked. |
| ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Server and browser cannot agree on a supported TLS version or cipher suite | Update server TLS configuration to support TLS 1.2 and TLS 1.3. |
Frequently Asked Questions
- Does HTTPS improve SEO?
Yes. Google confirmed HTTPS as a ranking signal in 2014 and has continued to strengthen its preference for secure sites. Chrome and other browsers display a "Not Secure" warning for HTTP pages that contain input fields, which directly reduces user confidence and can increase bounce rates. Beyond the direct SEO signal, HTTPS prevents ISPs and network operators from injecting content into your pages or modifying your traffic, which protects both your users and the integrity of the page content search engines index. There is no reason for any public website to remain on HTTP in the current environment where free certificates are universally available. - Is a paid certificate more secure than a free one?
No. The encryption strength of a DV certificate from Let's Encrypt is identical to that of a paid EV certificate. Both use the same cryptographic algorithms and key sizes. The difference between certificate types is entirely in identity verification. A DV certificate proves only that the requester controls the domain. An OV or EV certificate additionally proves the legal identity of the organisation behind the domain. Paying more for a certificate does not give you stronger encryption. It gives you a higher level of identity verification that may be appropriate for regulated industries or high-trust contexts. - What is a self-signed certificate?
A self-signed certificate is one where the issuer and the subject are the same. Instead of being signed by a trusted Certificate Authority, it is signed by the private key of the server itself. Browsers do not trust self-signed certificates because they provide no independent identity verification. Anyone could generate a self-signed certificate claiming to be any domain. Browsers display a prominent security warning when they encounter one, and most users will refuse to proceed. Self-signed certificates are appropriate for local development environments, internal networks where all clients can be manually configured to trust the certificate, and automated testing environments. They must never be used on public-facing websites. - How does certificate pinning work?
Certificate pinning is a technique where an application is configured to only accept a specific certificate or public key for a specific domain, rather than trusting any certificate signed by any CA in the trust store. This prevents attacks where a rogue CA issues a fraudulent certificate for your domain. It was used primarily in mobile applications but has fallen out of favour because it creates serious operational complexity: if the pinned certificate needs to be rotated, every pinned client must be updated simultaneously or it will stop working. HTTP Public Key Pinning (HPKP) was a browser-based implementation that was deprecated in 2018 due to the operational risks of misconfiguration. - What is Certificate Transparency and why does it matter?
Certificate Transparency (CT) is a system that requires all publicly trusted CAs to log every certificate they issue to publicly auditable CT logs. This means you can search for every certificate ever issued for your domain, which lets you detect whether any CA has issued a certificate for your domain without your knowledge. Google Chrome requires CT compliance for all newly issued certificates and will reject certificates that are not logged. The CAA DNS record type complements CT by letting domain owners specify which CAs are permitted to issue certificates for their domain. Together these mechanisms make it significantly harder for attackers or rogue CAs to issue fraudulent certificates for domains they do not control.
Conclusion
An SSL certificate is a fundamental requirement for any modern website. It authenticates your server's identity to browsers, enables TLS encryption to protect data in transit, builds user trust through the padlock indicator, and contributes to search engine rankings. For the vast majority of websites, a free domain-validated certificate from Let's Encrypt, automatically managed through Certbot or your hosting platform, provides everything you need. Understanding what a certificate contains, how browsers verify it, and what the different certificate types validate gives you the knowledge to choose the right certificate for your context, configure it correctly, and respond quickly when something goes wrong. Continue with SSL and TLS explained, HTTP vs HTTPS, and symmetric vs asymmetric encryption to build a complete picture of how secure web communication works.