What Is an SSL Certificate?

Learn how SSL/TLS certificates encrypt internet traffic, how the chain of trust works, the difference between DV, OV, and EV certificates, and why TLS replaced SSL.

An SSL certificate is a digital certificate that authenticates a server's identity and enables encrypted communication between clients and servers using the TLS (Transport Layer Security) protocol. Although the industry moved from SSL to TLS over two decades ago, the term "SSL certificate" persists in common usage.

TLS vs. SSL

SSL (Secure Sockets Layer) was the original encryption protocol for the web, developed by Netscape in the 1990s. It was replaced by TLS, which is more secure and actively maintained:

  • SSL 2.0 and 3.0 are deprecated and considered insecure (RFC 6176, RFC 7568).
  • TLS 1.0 and 1.1 are deprecated as of RFC 8996.
  • TLS 1.2 remains widely used and considered secure.
  • TLS 1.3 (RFC 8446) is the current standard, offering improved performance and security.

When you see "SSL certificate," it almost always means a certificate used with TLS.

How Certificates Enable Encryption

When a client (browser, mail client, API consumer) connects to a server over HTTPS or STARTTLS:

  1. TLS handshake begins. The client sends a ClientHello message specifying supported TLS versions and cipher suites.
  2. Server presents certificate. The server responds with its certificate, which contains the server's public key, the domain name(s) it covers, the issuing certificate authority (CA), and a validity period.
  3. Client validates certificate. The client checks that the certificate is signed by a trusted CA, is not expired, and matches the requested domain.
  4. Key exchange. The client and server establish a shared symmetric session key, either by encrypting it to the certificate's public key (RSA key exchange, TLS 1.2 and earlier) or through an ephemeral key exchange such as ECDHE, where the certificate's key only signs the handshake and the session key cannot be recovered later from the server's private key. TLS 1.3 permits only the ephemeral form.
  5. Encrypted communication. All subsequent data is encrypted with the session key.

Certificate Authorities and Chain of Trust

Certificates are issued by Certificate Authorities (CAs), organizations trusted by browsers and operating systems. The trust model is hierarchical:

  • Root CAs have self-signed certificates embedded in browser and OS trust stores.
  • Intermediate CAs are signed by root CAs and issue end-entity (server) certificates.
  • The chain of trust runs from your server's certificate, through the intermediate CA, up to the root CA.

Major CAs include Let's Encrypt (free, automated), DigiCert, Sectigo, and GlobalSign.
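The following is an added example, not code from the original article: it builds a constructed root, intermediate and server certificate chain with the openssl command-line tool and then runs the checks described in step 3 of the handshake and in the chain-of-trust section (signed by a trusted CA, within its validity period, matching the requested domain). Every name, domain and file path in it is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: build a constructed
# root -> intermediate -> server chain with the openssl CLI, then run the
# checks a client performs in step 3 of the handshake: trusted chain,
# validity period, hostname match. Every name here is made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the two CA certificates and for the server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# Root CA: self-signed. In real life this is what a trust store ships.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile ca.ext -out root.pem 2>/dev/null

# Intermediate CA: signed by the root; this is what issues server certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# Server certificate: signed by the intermediate; the subjectAltName is what
# the client matches against the domain it asked for.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 90 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# verify_leaf HOST EPOCH [extra openssl verify args]: prints "ok" or "fail".
# Trust is anchored on root.pem only; the intermediate must be supplied
# separately (as a server sends it in the handshake) via -untrusted.
verify_leaf() {
  host=$1; at=$2; shift 2
  if openssl verify -CAfile root.pem -verify_hostname "$host" -attime "$at" \
       "$@" leaf.pem >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

NOW=$(date +%s)
echo "complete chain, right host:  $(verify_leaf www.example.com "$NOW" -untrusted int.pem)"
echo "wrong host:                  $(verify_leaf mail.example.com "$NOW" -untrusted int.pem)"
echo "intermediate not sent:       $(verify_leaf www.example.com "$NOW")"
echo "checked before notBefore:    $(verify_leaf www.example.com 86400 -untrusted int.pem)"
```

The third case is the most common real-world misconfiguration: a server that sends only its own certificate without the intermediate fails validation in clients that do not fetch missing intermediates themselves.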

Certificate Types

  • DV (Domain Validation). Validation: proves you control the domain (via DNS or HTTP challenge); issued in minutes. Use case: blogs, personal sites, APIs, most web applications.
  • OV (Organization Validation). Validation: verifies the organization's legal existence; takes days. Use case: business websites where organizational identity matters.
  • EV (Extended Validation). Validation: rigorous vetting of the organization; takes weeks. Use case: financial institutions, e-commerce (though browsers no longer display the green bar).

The validation level changes how thoroughly the certificate holder's identity is vetted, not the strength of the encryption. For most use cases, DV certificates (especially from Let's Encrypt) provide the same encryption strength as OV and EV at zero cost.

Certificates and Email

TLS certificates secure email in two contexts: encrypting SMTP connections between mail servers (STARTTLS on port 25, implicit TLS on port 465) and encrypting IMAP/POP3 connections between mail clients and servers. A missing or expired certificate on your mail server can cause delivery failures when sending servers enforce TLS. Check your domain's DNS and mail configuration with our DNS lookup tool.


Stay on top of your email infrastructure. Sign up for the InboxTooling newsletter for deliverability tips, tool updates, and best practices.