SSL Certificates: Everything You Need to Know

Complete guide to SSL certificates covering DV, OV, and EV types, Let's Encrypt setup, certificate chains, auto-renewal, common errors, and HTTPS migration.

SSL/TLS certificates are the foundation of encrypted communication on the internet. They authenticate server identity and establish an encrypted channel between client and server, protecting data in transit from interception and tampering. Whether you are securing a marketing website, an email server, or an API endpoint, understanding certificate types, installation, and maintenance is essential.

How SSL/TLS Works

When a browser connects to an HTTPS-enabled server, a TLS handshake occurs:

  1. The client sends a ClientHello message specifying supported cipher suites and TLS versions.
  2. The server responds with its certificate and selected cipher suite.
  3. The client verifies the certificate against its trust store, checking the issuer, expiration, domain name, and revocation status.
  4. Both parties derive session keys and begin encrypted communication.

The current standard is TLS 1.3 (RFC 8446), which simplified the handshake to a single round trip and removed support for legacy cipher suites with known vulnerabilities.

Certificate Types: DV, OV, and EV

Certificates differ in the level of identity validation performed by the Certificate Authority (CA) before issuance.

Domain Validation (DV)

DV certificates verify only that the applicant controls the domain. Validation typically involves placing a DNS TXT record, serving a specific file over HTTP, or responding to an email sent to an address in the domain's WHOIS record. Issuance is automated and takes seconds to minutes.

DV certificates are appropriate for blogs, small business websites, and internal services. They provide the same level of encryption as higher-tier certificates -- the difference is purely in identity assurance. For a deeper dive into DV specifically, see our guide on domain validation.

Organization Validation (OV)

OV certificates require the CA to verify that the requesting organization legally exists and controls the domain. This involves checking business registration documents and sometimes a phone verification step. Issuance takes one to three business days.

Extended Validation (EV)

EV certificates involve the most rigorous vetting process, including legal identity verification, operational existence checks, and confirmation of the applicant's authority to request the certificate. Browsers previously displayed a green address bar for EV certificates, but most modern browsers have removed this visual distinction, diminishing the practical benefit of EV for many use cases.

Let's Encrypt and Free Certificates

Let's Encrypt, operated by the Internet Security Research Group (ISRG), issues free DV certificates using the ACME protocol (RFC 8555). It has fundamentally changed the certificate landscape by removing cost as a barrier to HTTPS adoption.

Key characteristics:

  • 90-day validity period. Shorter than traditional certificates, which encourages automation.
  • Automated issuance and renewal. The certbot client and alternatives like acme.sh handle the entire lifecycle.
  • Rate limits. 50 certificates per registered domain per week, with higher limits available for large deployments.
  • Wildcard support. Available via DNS-01 challenge validation.

Certificate Chain and Trust

A certificate chain (or chain of trust) links your server's certificate to a trusted root CA through one or more intermediate certificates:

Root CA (in browser trust store)
  -> Intermediate CA
    -> Your server certificate

Your server must present the full chain (server certificate + intermediates) during the TLS handshake. Omitting intermediates is one of the most common SSL configuration errors, resulting in trust failures on some clients while appearing to work on others.

You can verify your domain's DNS configuration and certificate chain using our DNS Lookup tool.

Installation

The installation process varies by web server:

Nginx:

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Apache:

SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

For both servers, ensure you reference fullchain.pem (which includes intermediates) rather than cert.pem (which contains only the leaf certificate).

Auto-Renewal

Let's Encrypt certificates must be renewed before their 90-day expiration. Certbot installs a systemd timer or cron job by default:

# Check renewal status
sudo certbot renew --dry-run

# Force renewal
sudo certbot renew --force-renewal

For production systems, monitor certificate expiration dates programmatically. A certificate that silently expires will cause immediate service disruption for all HTTPS traffic.

Common SSL Errors and Fixes

Error                              Cause                              Fix
NET::ERR_CERT_AUTHORITY_INVALID    Missing intermediate certificate   Serve the full chain
NET::ERR_CERT_DATE_INVALID         Certificate expired                Renew immediately
NET::ERR_CERT_COMMON_NAME_INVALID  Domain mismatch                    Reissue for the correct domain or add SANs
SSL_ERROR_HANDSHAKE_FAILURE_ALERT  Protocol/cipher mismatch           Update TLS configuration to support TLS 1.2+
Mixed content warnings             HTTP resources on HTTPS page       Update all resource URLs to HTTPS

HTTPS Migration Checklist

Migrating an existing site from HTTP to HTTPS requires more than installing a certificate:

  1. Obtain and install the certificate for all domains and subdomains your site uses.
  2. Update internal links to use HTTPS or protocol-relative URLs.
  3. Set up 301 redirects from HTTP to HTTPS for all URLs.
  4. Update canonical tags to reference HTTPS URLs.
  5. Update your sitemap and resubmit to search engines.
  6. Check third-party resources (scripts, images, fonts) for HTTPS availability.
  7. Enable HSTS (HTTP Strict Transport Security) once you have confirmed everything works. Start with a short max-age and increase it gradually.
  8. Test thoroughly. Use an SSL checker to verify the certificate is served correctly with the full chain and proper configuration.

SSL and Email Infrastructure

SSL/TLS is equally critical for email. SMTP servers use STARTTLS to upgrade plaintext connections to encrypted ones, and modern email providers like Gmail, Outlook, and Yahoo require valid certificates on sending mail servers. An expired or misconfigured certificate on your mail server can cause delivery failures or trigger security warnings for recipients.

Verify your domain's DNS and mail server configuration using our DNS Lookup tool to ensure your MX records point to servers with valid, properly chained certificates.

FAQ

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the original encryption protocol for securing internet connections, but it has been deprecated due to known security vulnerabilities. TLS (Transport Layer Security) is its successor and is what all modern HTTPS connections actually use — typically TLS 1.2 or TLS 1.3. The term "SSL" persists in common usage, but when someone refers to an "SSL certificate" today, it is technically a TLS certificate. You can check your server's protocol support with the SSL Checker tool.

Are free SSL certificates as secure as paid ones?

Yes. Free certificates from Let's Encrypt provide the same level of encryption as paid certificates — the cryptographic protection is identical. The difference is in validation level and extras: paid certificates offer Organization Validation (OV) or Extended Validation (EV), which verify the legal identity of the certificate holder, and often include warranties and customer support. For most websites, a free Domain Validation (DV) certificate provides all the security needed.

How long do SSL certificates last?

SSL/TLS certificates currently have a maximum validity period of 398 days (approximately 13 months), though the industry is moving toward even shorter lifespans. Let's Encrypt certificates are valid for 90 days and are designed to be renewed automatically. Shorter validity periods reduce the window of exposure if a private key is compromised. Always monitor expiration dates and set up automated renewal to avoid unexpected outages.

Does SSL affect SEO and search rankings?

Yes. Google has used HTTPS as a ranking signal since 2014, and sites without HTTPS are flagged as "Not Secure" in Chrome and other browsers. While HTTPS alone will not dramatically boost rankings, it is a baseline requirement — sites without it face ranking penalties and reduced user trust. Beyond SEO, HTTPS is required for modern browser features like service workers, geolocation, and HTTP/2, making it essential for both security and functionality.

How do I check if my SSL certificate is configured correctly?

Use the SSL Checker tool to verify that your certificate is valid, not expired, and served with the complete certificate chain including intermediate certificates. The tool also checks your server's supported TLS protocol versions and identifies common misconfigurations like missing chain certificates or hostname mismatches. Run this check after any certificate installation or renewal to confirm everything is working correctly.


Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.