An SSL certificate (more accurately called a TLS certificate, since SSL is an older protocol that has been replaced by TLS) is a digital document that authenticates the identity of a website and enables encrypted communication between the browser and the server. The padlock icon in the browser's address bar indicates a valid certificate is present.
What an SSL Certificate Contains
The certificate's Common Name (CN) or Subject Alternative Names (SANs) list the domain names the certificate is valid for. A certificate for example.com covers only that domain. A wildcard certificate for *.example.com covers all subdomains.
The issuer is the Certificate Authority (CA) that signed the certificate. Well-known CAs include Let's Encrypt (free), DigiCert, Sectigo, and GlobalSign. Browsers have a built-in list of trusted CAs. A certificate signed by an untrusted CA produces a browser warning.
The validity period specifies the start date and expiration date. Most modern certificates are valid for 90 days (Let's Encrypt) or 1 year (commercial CAs). A certificate that has expired causes a browser security warning that blocks users.
The public key is the cryptographic key that the server uses during the TLS handshake to prove it controls the corresponding private key.
What Happens During a TLS Handshake
When your browser connects to an HTTPS site, the server presents its certificate. The browser verifies that the certificate was signed by a trusted CA, that the domain matches the certificate, and that the certificate has not expired or been revoked. If all checks pass, the browser and server negotiate encryption parameters and establish an encrypted channel.
The encryption protects the data in transit from eavesdropping and tampering. This is why HTTPS is required for any page that transmits credentials, payment information, or personal data.
Certificate Expiry
A certificate that expires without renewal causes the site to show a security warning to all visitors. Certificate expiry is one of the most preventable sources of site outages. Set up automated renewal (Let's Encrypt with Certbot automates 90-day renewals) and monitoring alerts for certificates expiring within 30 days.
Using the DevHexLab SSL Checker
Open the tool at /tools/network/ssl-checker. Enter a domain name. The tool retrieves the certificate and displays the issuer, validity dates, the domain names covered, and whether the chain is complete and trusted.
Frequently Asked Questions
What is the certificate chain?
Certificates are issued by a hierarchy: root CA certificates sign intermediate CA certificates, which sign end-entity certificates (the ones installed on web servers). The certificate chain must be complete for browsers to validate it. A missing intermediate certificate causes validation errors in some browsers.
How do I get an SSL certificate?
Let's Encrypt provides free certificates that renew automatically every 90 days. Most hosting providers include SSL certificate provisioning through Let's Encrypt automatically. For extended validation (EV) certificates that show the organization name in the address bar, use a commercial CA.
Check your certificate expiry regularly and automate renewal.