SSL/TLS Certificates Explained: Types, Validation & How to Check
What Are SSL/TLS Certificates?
An SSL/TLS certificate is a digital file that authenticates a website’s identity and enables encrypted connections. When you see the padlock icon in your browser’s address bar, it means the site has a valid certificate and your connection is encrypted.
SSL (Secure Sockets Layer) was the original protocol, but it has been replaced by TLS (Transport Layer Security). The industry still commonly uses “SSL certificate” even though TLS is the actual protocol in use. For clarity, we will use “TLS” when referring to the protocol and “SSL/TLS certificate” when referring to the certificate itself.
How TLS Works
When you visit an HTTPS website, a TLS handshake happens in milliseconds before any data is exchanged:
Step 1: Client Hello
Your browser contacts the server and says “I want to connect securely” along with the TLS versions and cipher suites it supports.
Step 2: Server Hello
The server responds with its SSL/TLS certificate, which contains the server’s public key and identity information.
Step 3: Certificate Verification
Your browser checks:
- Is the certificate issued by a trusted Certificate Authority (CA)?
- Is the certificate not expired?
- Does the domain on the certificate match the website you are visiting?
- Has the certificate been revoked?
If any check fails, the browser shows a security warning.
Step 4: Key Exchange
The browser and server run an ephemeral key exchange (usually ECDHE) to agree on a shared session key. The server signs its part of that exchange with the private key matching the certificate, and the browser verifies the signature with the certificate’s public key, which proves it is talking to the certificate’s real owner. The shared key encrypts all subsequent communication.
Step 5: Encrypted Communication
All data between your browser and the server is now encrypted with the shared key. No one intercepting the traffic can read it.
Types of SSL/TLS Certificates
By Scope
Single Domain
Covers one specific domain (e.g., example.com). Does not cover subdomains like www.example.com or blog.example.com unless specified.
Best for: Simple websites with one domain.
Wildcard
Covers a domain and all its subdomains at one level (e.g., *.example.com covers www.example.com, blog.example.com, api.example.com).
Best for: Websites with multiple subdomains.
Multi-Domain (SAN)
Covers multiple different domains (e.g., example.com, example.org, myapp.io) on a single certificate using Subject Alternative Names.
Best for: Organizations with multiple brands or domains.
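The date and name checks from Step 3, together with the scope rules just described (a wildcard covers exactly one label level, SANs list every covered name), as an added example that is not part of the original article. It works on the dictionary shape returned by Python’s ssl.getpeercert(); the certificate values are constructed and the trust-chain and revocation checks are left out.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# wildcard certificate. Not a real certificate: names, issuer and dates are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example R1"),)),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

def name_matches(pattern, hostname):
    """Match one certificate name against a hostname. A wildcard replaces only
    the whole leftmost label, so *.example.com covers www.example.com and
    api.example.com but neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == pattern[2:]

def cert_names(cert):
    """SAN entries are authoritative; the CN is only a fallback when none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_certificate(cert, hostname, now_iso=None):
    """Run the Step 3 date and name checks. Chain trust and revocation are left
    out: they need CA roots and OCSP/CRL data, not just the leaf certificate.
    now_iso pins the clock for repeatable results; default is the real UTC time."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "time_valid": not_before <= now <= not_after,
        "days_left": (not_after - now).days,
        "name_match": any(name_matches(n, hostname) for n in cert_names(cert)),
        "issuer": issuer.get("organizationName"),
    }

if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "example.org"):
        print(host, check_certificate(SAMPLE_CERT, host, "2026-02-01T00:00:00+00:00"))
```

A name_match of False for a hostname the site actually uses is exactly the situation behind the ERR_CERT_COMMON_NAME_INVALID error described later on this page.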
By Validation Level
Domain Validation (DV)
The CA verifies only that you control the domain. Verification is automated (usually via DNS record or email) and takes minutes. The certificate shows the padlock but no organization name.
Cost: Free (Let’s Encrypt) to ~$50/year
Best for: Personal sites, blogs, small projects
Organization Validation (OV)
The CA verifies domain ownership plus the organization’s legal existence. This involves checking business registration documents. Takes 1-3 days.
Cost: $50-$200/year
Best for: Business websites, customer-facing applications
Extended Validation (EV)
The most rigorous verification. The CA verifies domain ownership, organization identity, legal status, physical address, and operational existence. Takes 1-2 weeks.
Cost: $100-$500/year
Best for: Banks, financial institutions, e-commerce sites handling sensitive data
Note: Browsers no longer display the green bar with the company name for EV certificates (this was removed in 2019). EV certificates still provide the highest validation level, but the visual distinction in the browser is gone.
Free vs Paid Certificates
Let’s Encrypt (Free)
Let’s Encrypt is a nonprofit Certificate Authority that provides free DV certificates. It is used by the majority of HTTPS websites.
Pros:
- Completely free
- Automated issuance and renewal (via Certbot or similar tools)
- Widely trusted by all browsers
- 90-day certificates that auto-renew (short lifetime limits exposure if compromised)
Cons:
- DV only (no OV or EV)
- No warranty
- No customer support
- Some corporate environments require OV/EV
Paid Certificates
When to pay:
- You need OV or EV validation
- You want a warranty (CAs offer financial guarantees against mis-issuance)
- Your organization’s compliance requirements mandate a commercial CA
- You need customer support for certificate issues
For most websites, Let’s Encrypt is sufficient. The encryption is identical regardless of whether the certificate is free or costs $500.
How to Check a Website’s Certificate
Browser Method
- Click the padlock icon in the address bar
- Click “Connection is secure” or “Certificate”
- View the certificate details: issuer, expiration date, domain coverage, and validation level
Command Line
# Check a certificate's details
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -text
# Check expiration date specifically
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
What to Check
- Expiration date: Certificates expire. An expired certificate triggers browser warnings and breaks user trust.
- Domain match: The certificate should cover the exact domain you are visiting.
- Issuer: Should be a recognized CA (Let’s Encrypt, DigiCert, Sectigo, etc.).
- Protocol version: TLS 1.2 or 1.3. Anything older (TLS 1.0, 1.1, SSL 3.0) is deprecated and insecure.
Common Certificate Errors
ERR_CERT_DATE_INVALID
The certificate has expired or is not yet valid. Fix: renew the certificate. Set up auto-renewal to prevent this.
ERR_CERT_COMMON_NAME_INVALID
The domain in the certificate does not match the URL. This happens when you visit www.example.com but the certificate only covers example.com, or vice versa.
ERR_CERT_AUTHORITY_INVALID
The certificate was issued by a CA that your browser does not trust. This often happens with self-signed certificates used in development environments.
ERR_CERT_REVOKED
The CA has revoked the certificate, usually because it was compromised or mis-issued.
Mixed Content Warnings
Your page loads over HTTPS but includes resources (images, scripts, stylesheets) over HTTP. Fix: update all resource URLs to HTTPS.
TLS Best Practices
Use TLS 1.3
TLS 1.3 is faster (fewer round trips in the handshake) and more secure (removed outdated cipher suites) than TLS 1.2. Configure your server to prefer TLS 1.3 and support TLS 1.2 as a fallback.
Enable HSTS
HTTP Strict Transport Security (HSTS) tells browsers to always use HTTPS for your domain:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
This prevents downgrade (SSL-stripping) attacks where an attacker intercepts the initial plain-HTTP request before it is redirected to HTTPS. The browser only learns the policy from an HTTPS response, so the very first visit is unprotected unless the domain is on the browsers’ built-in preload list, which is what the preload directive requests.
Automate Renewal
Certificate expiration is the most common TLS failure. Use Certbot or your hosting provider’s auto-renewal to avoid this entirely.
Use Strong Cipher Suites
Disable weak ciphers (RC4, DES, 3DES) and prefer AEAD ciphers (AES-GCM, ChaCha20-Poly1305). Most modern server software defaults to strong ciphers, but verify your configuration.
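The TLS 1.3 and cipher-suite recommendations above applied to a Python ssl.SSLContext, plus the “verify your configuration” step as an audit function, as an added example that is not from the original article. It assumes the interpreter’s OpenSSL is 1.1.1 or newer; no certificate or key is loaded, only the protocol and cipher policy.

```python
import ssl

# Hardening policy from the best-practices section applied to ssl.SSLContext.
# Assumption: OpenSSL 1.1.1+ behind the ssl module (TLS 1.3, minimum_version).
# No certificate is loaded here; only the protocol and cipher policy is set.

# OpenSSL cipher string: ECDHE key exchange with AEAD bulk ciphers only.
# TLS 1.3 suites are selected separately by OpenSSL and are all AEAD.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"
DEPRECATED_TOKENS = ("RC4", "DES", "NULL", "MD5")   # "DES" also catches 3DES (DES-CBC3)

def harden_context(ctx):
    """TLS 1.2 floor, TLS 1.3 allowed (OpenSSL negotiates the highest shared
    version), ECDHE + AEAD suites only, TLS compression off."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # rejects SSL 3.0, TLS 1.0 and 1.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(STRONG_CIPHERS)                   # raises SSLError if nothing matches
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

def build_server_context():
    """Server-side context; call ctx.load_cert_chain(cert, key) on the result
    before handing it to a socket."""
    return harden_context(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))

def audit_context(ctx):
    """Report the version floor and every negotiable suite that is not AEAD
    or that uses a deprecated algorithm. An empty weak_suites list means the
    configuration matches the recommendations."""
    weak = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if not suite["aead"] or any(tok in name for tok in DEPRECATED_TOKENS):
            weak.append(name)
    return {
        "min_version": ctx.minimum_version.name,
        "suites": [s["name"] for s in ctx.get_ciphers()],
        "weak_suites": weak,
    }

if __name__ == "__main__":
    report = audit_context(build_server_context())
    print("minimum version:", report["min_version"])
    print("negotiable suites:", ", ".join(report["suites"]))
    print("weak suites:", report["weak_suites"] or "none")
```

Run audit_context() against the context your own server code actually builds, not just this one, to catch a framework default that silently re-enables CBC or 3DES suites.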
Implement Certificate Transparency
Certificate Transparency (CT) logs publicly record all issued certificates. This lets you detect unauthorized certificates issued for your domain. Most CAs submit to CT logs automatically.
SSL/TLS and Your Other Security Layers
SSL/TLS certificates are one layer of a comprehensive security strategy:
- Strong passwords: Generate them with the Password Generator
- Two-factor authentication: Protect accounts even if passwords are compromised
- Content Security Policy: Prevent XSS attacks even over encrypted connections
- EXIF data removal: Strip metadata from images before uploading with the EXIF Remover
Each layer protects against different threats. TLS protects data in transit; the other layers protect data at rest and application integrity.
Conclusion
SSL/TLS certificates are non-negotiable for any website in 2026. Let’s Encrypt makes it free and automated for most use cases. Choose the validation level that matches your needs (DV for most sites, OV/EV for businesses handling sensitive data), keep your certificates renewed, and use TLS 1.3 with strong cipher suites.
Check whether your own online accounts are properly secured. Start with the Password Generator for strong credentials and the Breach Checker to verify none of your accounts have been compromised.