SSL Certificate Glossary

Definitions of SSL and TLS terms: certificates, CAs, OCSP, CSR, SANs, HSTS, certificate pinning, and more. Plain-English explanations for every term.

SSL and TLS come with a lot of jargon. Three-letter acronyms, overlapping terminology, and concepts that sound similar but mean very different things. This glossary covers every term you'll encounter when working with SSL certificates, explained in plain English.

Bookmark this page. You'll be back.

A

ACME (Automatic Certificate Management Environment)

A protocol for automating certificate issuance and renewal. ACME is the protocol that Let's Encrypt uses. When Certbot requests a certificate, it's speaking ACME to Let's Encrypt's servers. Other CAs are starting to support ACME too.

AIA (Authority Information Access)

A certificate extension that tells clients where to find the issuing CA's certificate and where to check revocation status (via OCSP). When your browser needs to build a certificate chain, it uses AIA to find missing intermediate certificates.

C

CA (Certificate Authority)

An organization trusted to issue SSL/TLS certificates. CAs verify that the certificate requester controls the domain, then sign the certificate with their trusted key. Major CAs include Let's Encrypt, DigiCert, Sectigo, and Google Trust Services. Browsers and operating systems ship with a pre-installed list of trusted CAs.

Certificate Chain

The sequence of certificates from your server's certificate (leaf) up to a trusted root CA. A typical chain has three links: leaf certificate, intermediate certificate, and root certificate. If any link is missing or invalid, the browser rejects the connection. Also called the "chain of trust."

Certificate Pinning

A security technique where a client application hardcodes the expected certificate (or public key) for a specific server. If the server presents a different certificate, the connection is refused -- even if the new certificate is valid. Used to prevent man-in-the-middle attacks, but makes certificate rotation more complex.

Certificate Transparency (CT)

A public, append-only log of all issued SSL certificates. CAs are required to submit certificates to CT logs, and browsers can verify that a certificate appears in these logs. CT makes it possible to detect misissued or unauthorized certificates for your domain. You can search CT logs at crt.sh.

Cipher Suite

A set of cryptographic algorithms used during a TLS connection. A cipher suite specifies the key exchange algorithm, the encryption algorithm, and the message authentication algorithm. For example, TLS_AES_256_GCM_SHA384 uses AES-256 for encryption and SHA-384 for message authentication.

CN (Common Name)

A field in the certificate subject that historically specified the domain name the certificate was issued for. Modern certificates use the Subject Alternative Names (SANs) field instead, and browsers now require SANs. The CN field is still present but is being phased out as the primary domain identifier.

CRL (Certificate Revocation List)

A list published by a CA containing the serial numbers of certificates that have been revoked before their expiration date. Clients can download the CRL to check if a certificate has been revoked. Largely replaced by OCSP for real-time checking, but some systems still use CRLs.

CSR (Certificate Signing Request)

A file you generate and send to a CA when requesting a certificate. The CSR contains your public key, your domain name, and organization information. The CA uses this information to create your certificate. You keep the private key; it never leaves your server.

# Generate a CSR
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

D

DER (Distinguished Encoding Rules)

A binary format for encoding certificates. Unlike PEM (which is Base64-encoded text), DER files are raw binary. Common file extensions: .der, .cer. Windows systems often prefer DER format, while Linux/Unix systems typically use PEM.

DV (Domain Validation)

The simplest level of certificate validation. The CA only verifies that you control the domain (via DNS record, HTTP challenge, or email). No organization identity checks. DV certificates are the fastest to issue (often in minutes) and are what Let's Encrypt provides. Shown in browsers with a padlock but no organization name.

E

EV (Extended Validation)

The most thorough level of certificate validation. The CA verifies the legal existence, physical location, and operational status of the organization. EV certificates used to display a green address bar with the company name, but most browsers have removed this visual distinction. Still required by some industries and regulations.

H

HSTS (HTTP Strict Transport Security)

A security header that tells browsers to always use HTTPS for your domain. Once a browser sees the HSTS header, it will refuse to connect over HTTP for the specified duration. Prevents SSL stripping attacks. The Strict-Transport-Security header typically looks like: max-age=31536000; includeSubDomains.
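
An added example, not part of the original glossary: Python that parses a Strict-Transport-Security value such as the one above and reports weak settings. The function names and the one-year threshold (taken from the sample value in this entry) are assumptions for illustration.

```python
# Added example: parse and audit an HSTS header value (stdlib only).
ONE_YEAR = 31536000  # assumption: use the max-age from the entry above as the baseline


def parse_hsts(value):
    """Return {'max_age', 'include_subdomains'} or None if the header is invalid."""
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # a repeated directive invalidates the header
        seen[name] = arg.strip().strip('"')  # values may be quoted
    max_age = seen.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        return None                          # max-age is required and must be an integer
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
    }


def audit_hsts(value):
    """Return a list of findings; an empty list means the policy matches the baseline."""
    policy = parse_hsts(value)
    if policy is None:
        return ["invalid header: browsers will ignore it"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to drop the HSTS policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age is shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("subdomains are not covered")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not captured from any real site.
    for sample in ("max-age=31536000; includeSubDomains", "max-age=300", "includeSubDomains"):
        print(repr(sample), "->", audit_hsts(sample))
```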

I

Intermediate Certificate

A certificate issued by a root CA to an intermediate CA. Intermediate certificates sit between the root certificate and your leaf certificate in the chain of trust. They allow root CAs to keep their root keys offline and secure. Most certificate chain problems are caused by missing or incorrect intermediate certificates.

L

Leaf Certificate

The end-entity certificate -- the one issued for your specific domain. It's called a "leaf" because it's at the end of the certificate chain (like a leaf on a tree). This is the certificate your server presents to clients. Also called an end-entity certificate or server certificate.

O

OCSP (Online Certificate Status Protocol)

A protocol for checking whether a certificate has been revoked in real time. Instead of downloading a full CRL, the client asks the CA's OCSP responder about a specific certificate. Faster and more efficient than CRLs. OCSP stapling lets the server fetch the response and include it in the TLS handshake, improving performance.

OV (Organization Validation)

A mid-level validation where the CA verifies both domain control and the organization's legal existence. More thorough than DV but less than EV. The organization name appears in the certificate details but isn't prominently displayed in the browser. Common for businesses that want verified identity without the EV process.

P

PEM (Privacy Enhanced Mail)

The most common certificate format on Linux/Unix systems. PEM files are Base64-encoded and wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers. Common file extensions: .pem, .crt, .cer, .key. Human-readable (sort of) -- you can open them in a text editor.

PKCS (Public-Key Cryptography Standards)

A family of standards for public-key cryptography. The most common in the SSL world are:

  • PKCS#7 (.p7b): Certificate chain format, no private key
  • PKCS#8: Private key format
  • PKCS#12 (.p12, .pfx): Bundle format containing certificate, chain, and private key. Common on Windows/IIS systems

Private Key

The secret half of a key pair used in asymmetric encryption. Your private key stays on your server and is never shared. It's used to decrypt data encrypted with your public key and to create digital signatures. If your private key is compromised, your certificate must be revoked immediately.

Public Key

The shareable half of a key pair. Included in your certificate and sent to every client that connects. Used to encrypt data that only your private key can decrypt and to verify digital signatures created with your private key.

R

Root Certificate

A self-signed certificate at the top of the certificate chain. Root certificates are issued by root CAs and are pre-installed in browsers and operating systems as trust anchors. There are roughly 150 root certificates trusted by major browsers. Root CAs rarely sign end-entity certificates directly -- they sign intermediate certificates instead.

S

SAN (Subject Alternative Name)

A certificate extension that lists all the domain names and IP addresses a certificate is valid for. Modern certificates use SANs as the primary way to specify covered domains. A single certificate can cover multiple domains: example.com, www.example.com, api.example.com, and even unrelated domains like other-domain.com.

Self-Signed Certificate

A certificate signed by its own private key rather than by a CA. Self-signed certificates provide encryption but no third-party trust verification. Browsers display security warnings for self-signed certificates. Appropriate for local development and internal tools; inappropriate for public websites.

SNI (Server Name Indication)

A TLS extension that allows a client to specify which hostname it's connecting to during the TLS handshake. This lets a single server (IP address) host multiple HTTPS websites, each with its own certificate. Without SNI, you'd need a separate IP address for each HTTPS site. Supported by all modern browsers.

SSL (Secure Sockets Layer)

The original protocol for encrypted web connections, developed by Netscape in the 1990s. SSL 2.0 and 3.0 are now deprecated and considered insecure. SSL was replaced by TLS, but the term "SSL" is still widely used colloquially to refer to TLS certificates and encrypted connections.

T

TLS (Transport Layer Security)

The successor to SSL. TLS 1.0 was released in 1999, and the current version is TLS 1.3 (released 2018). TLS provides encryption, authentication, and integrity for internet communications. When people say "SSL certificate," they almost always mean a certificate used with TLS.

TLS Handshake

The process by which a client and server establish a TLS connection. During the handshake, they agree on a TLS version, choose a cipher suite, verify the server's certificate, and generate session keys. In TLS 1.2, this takes two round trips. TLS 1.3 reduced it to one round trip (and supports zero round trips for repeat connections).

W

Wildcard Certificate

A certificate that covers all single-level subdomains of a domain using an asterisk (*). A certificate for *.example.com is valid for www.example.com, api.example.com, and any other subdomain. Does not cover multi-level subdomains like a.b.example.com. Requires DNS-01 validation with Let's Encrypt.
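
An added example, not part of the original glossary: Python that applies the matching rules from the SAN and Wildcard Certificate entries, checking a hostname against a certificate's DNS SAN entries only (the CN is ignored) and letting * stand for exactly one left-most label. The function names and the sample SAN list are constructed for illustration; IP-address SANs are out of scope here.

```python
# Added example: SAN-based hostname matching with single-label wildcards.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san_entry):
    """True if one DNS SAN entry covers the hostname."""
    host, pattern = _labels(hostname), _labels(san_entry)
    if len(host) != len(pattern):
        # '*' never spans a dot, so the label counts must agree. This is why
        # *.example.com covers neither a.b.example.com nor example.com itself.
        return False
    if pattern[0] == "*":
        # The wildcard replaces the whole left-most label and cannot be empty.
        return host[0] != "" and host[1:] == pattern[1:]
    # Anything else, including a partial wildcard like 'w*', is compared literally.
    return host == pattern


def cert_covers(hostname, san_list):
    """Check the hostname against the SAN list only; the CN is deliberately not consulted."""
    return any(san_matches(hostname, entry) for entry in san_list)


if __name__ == "__main__":
    # Constructed SAN list for a certificate covering the apex and one wildcard level.
    sans = ["example.com", "*.example.com"]
    for name in ("www.example.com", "API.Example.com.", "a.b.example.com", "other-domain.com"):
        print(name, "->", cert_covers(name, sans))
```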

X

X.509

The standard format for public-key certificates used in TLS/SSL. When people say "SSL certificate," they mean an X.509 certificate. The standard defines the fields and structure of the certificate, including subject, issuer, validity period, public key, and extensions. Defined by the ITU-T and used across the internet.

