What Is an SSL/TLS Certificate?
An SSL/TLS certificate is a digital file installed on a web server that enables encrypted communication between the server and a client — typically a web browser. When a user visits a site over HTTPS, the certificate proves the server's identity and establishes an encrypted channel so that data exchanged between the browser and server cannot be intercepted or tampered with.
The term "SSL certificate" is still widely used, but modern implementations use TLS (Transport Layer Security), which replaced the older SSL protocol. SSL 2.0 and 3.0 are deprecated due to known vulnerabilities. When people refer to SSL certificates today, they almost always mean TLS certificates.
What Is Inside a Certificate?
An SSL/TLS certificate contains several pieces of information that browsers and clients use to validate the connection:
- Domain name. The fully qualified domain name (or names) the certificate is valid for. A certificate issued for example.com will not be valid for other.com.
- Public key. The server's public key, used during the TLS handshake to establish an encrypted session. The corresponding private key stays on the server and is never transmitted.
- Issuer. The certificate authority (CA) that issued and signed the certificate. Browsers check the issuer against their built-in list of trusted CAs.
- Validity period. The start and expiration dates. Certificates are typically valid for 90 days (Let's Encrypt) or up to one year (commercial CAs). Expired certificates trigger browser warnings.
- Signature. The CA's digital signature, which proves the certificate has not been altered since it was issued.
- Subject Alternative Names (SANs). A list of additional domain names covered by the certificate, allowing a single certificate to secure multiple domains or subdomains.
Certificate Types
Certificates are categorized by the level of validation and the scope of coverage:
Validation Levels
- Domain Validated (DV). The CA verifies only domain ownership. DV certificates are issued quickly and are the most common type, especially for personal sites and small businesses.
- Organization Validated (OV). The CA verifies domain ownership and the organization's legal identity. OV certificates include the organization name in the certificate details.
- Extended Validation (EV). The CA performs thorough verification of the organization's identity, legal status, and physical address. EV certificates provide the highest level of assurance.
Coverage Scope
- Single domain. Covers one specific domain, such as example.com.
- Wildcard. Covers all subdomains of a domain at one level, such as *.example.com. A wildcard certificate secures www.example.com, mail.example.com, and any other single-label subdomain, but not deeper names such as a.b.example.com. Note that *.example.com does not by itself cover the bare example.com; CAs normally list the bare domain as a second SAN alongside the wildcard.
- Multi-domain (SAN). Covers multiple distinct domain names in a single certificate using Subject Alternative Names. Useful for organizations that manage several domains.
How to Check a Certificate
You can inspect any site's certificate directly in your browser by clicking the padlock icon in the address bar and viewing the certificate details. From the command line, use OpenSSL:
openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text
This shows the full certificate, including issuer, validity dates, SANs, and the signature algorithm. Regularly checking your own certificates helps catch expiration issues before they cause downtime.
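The following program is an added example, not code from the original article, showing in Go's standard library what the fields listed above are and what a browser actually does with them. It constructs a throwaway CA (the name "Example Test Root CA", the 2024-01-01 issue date and the function names are all assumptions made for this example) and a 90-day leaf certificate for example.com and *.example.com, prints the fields the article lists, then runs the same checks a client performs before trusting a server: chain to a trusted root, valid signature, validity window, and hostname match including the one-label wildcard rule. It also computes the days-until-expiry figure that the advice to regularly check your own certificates turns on. Everything is generated in memory, so it runs offline and touches no real CA or site.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory leaf certificate and the trust store that issued it.
type testPKI struct {
	Leaf *x509.Certificate
	Pool *x509.CertPool // plays the role of a browser's built-in list of trusted CAs
}

// must aborts on error; acceptable here because this fixture only builds test data.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestPKI issues a leaf for example.com and *.example.com from a throwaway root.
func newTestPKI(notBefore time.Time, lifetime time.Duration) *testPKI {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"}, // constructed name
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	must(err)
	ca, err := x509.ParseCertificate(caDER)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.com"},
		DNSNames:     []string{"example.com", "*.example.com"}, // the SANs clients match on
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Leaf carries leafKey's public half and is signed by the CA key; neither private key leaves here.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(leafDER)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &testPKI{Leaf: leaf, Pool: pool}
}

// Describe lists the fields the article names, much as `openssl x509 -noout -text` does.
func Describe(c *x509.Certificate) string {
	return fmt.Sprintf("subject=%s sans=%v issuer=%q valid=%s..%s sigalg=%s", c.Subject.CommonName, c.DNSNames,
		c.Issuer.CommonName, c.NotBefore.Format("2006-01-02"), c.NotAfter.Format("2006-01-02"), c.SignatureAlgorithm)
}

// VerifyForHost runs the checks a browser performs: the chain must end at a root in the trust
// store, every signature must verify, the certificate must be valid at time `at`, and host must
// match a SAN (a wildcard matches exactly one label). A nil result means every check passed.
func VerifyForHost(leaf *x509.Certificate, roots *x509.CertPool, host string, at time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:     host,
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// DaysUntilExpiry is the number a renewal check watches; negative means already expired.
func DaysUntilExpiry(c *x509.Certificate, now time.Time) int {
	return int(c.NotAfter.Sub(now).Hours() / 24)
}

func main() {
	issued := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	pki := newTestPKI(issued, 90*24*time.Hour)
	day1 := issued.Add(24 * time.Hour)
	fmt.Println(Describe(pki.Leaf))
	for _, h := range []string{"example.com", "www.example.com", "a.b.example.com", "other.com"} {
		fmt.Printf("%-16s on day 1 -> %v\n", h, VerifyForHost(pki.Leaf, pki.Pool, h, day1))
	}
	fmt.Println("day 91 ->", VerifyForHost(pki.Leaf, pki.Pool, "example.com", issued.Add(91*24*time.Hour)))
	fmt.Println("days left on day 1:", DaysUntilExpiry(pki.Leaf, day1))
}
```

Running it shows example.com and www.example.com verifying cleanly on day 1, a.b.example.com and other.com failing the name check, the same certificate failing on day 91 because it has expired, and 89 days remaining on day 1. Passing an empty `x509.NewCertPool()` instead of `pki.Pool` reproduces the "unknown issuer" failure a browser reports when the signing CA is not in its trust list, which is why a certificate from a private CA like this one is never accepted by the public internet.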
Certificate Renewal and Automation
Expired certificates break HTTPS and display alarming browser warnings that drive users away. Manual renewal is error-prone, especially as certificate lifetimes have shortened. The ACME (Automatic Certificate Management Environment) protocol, developed alongside Let's Encrypt, enables fully automated certificate issuance, renewal, and installation.
Tools like Certbot and acme.sh use the ACME protocol to request certificates, prove domain control, and install renewed certificates — all without manual intervention. For sites behind a CDN, the CDN provider typically handles certificate provisioning and renewal at the edge, so the site owner does not need to manage certificates directly.
Combining automated certificate management with HSTS and strong security headers ensures that your site maintains encrypted, trusted connections at all times. Properly configured DNS records — including CAA records — add another layer of protection by limiting which CAs can issue certificates for your domain.