What Is an SSL Certificate?
What an SSL certificate is, how it works, why websites need one, the different types, and how SSL certificates secure the connection between browsers and servers.
An SSL certificate is a digital file that authenticates a website's identity and enables an encrypted connection between the website and its visitors. When a website has a valid SSL certificate, browsers show a padlock icon in the address bar and the URL begins with https:// instead of http://. Without an SSL certificate, the connection is unencrypted, and browsers warn visitors that the site is "Not secure."
The term "SSL certificate" is technically a misnomer. SSL (Secure Sockets Layer) is a deprecated protocol that has been replaced by TLS (Transport Layer Security). But the certificate itself is protocol-agnostic -- it works with both SSL and TLS -- and the name "SSL certificate" stuck because it was in use for decades before TLS replaced SSL. For the full history of this naming confusion, see SSL vs TLS.
What an SSL Certificate Does
An SSL certificate serves two purposes: authentication and encryption.
Authentication
An SSL certificate proves that the website you are visiting is actually operated by the organization that claims to own it. Without this proof, an attacker could create a fake version of your bank's website, and you would have no way to tell the difference.
The certificate contains the domain name (or names) it is issued for, the identity of the organization (for certain certificate types), and a digital signature from a trusted certificate authority (CA). Your browser checks this information before establishing a secure connection.
Encryption
Once the certificate has been verified, the browser and the server use it to establish an encrypted connection. All data transmitted between your browser and the server is encrypted so that anyone intercepting the traffic (on public Wi-Fi, at an ISP, or anywhere between you and the server) sees only unreadable ciphertext.
This protects sensitive information like passwords, credit card numbers, personal data, and any other information exchanged during the session.
How SSL Certificates Work
The process of establishing a secure connection involves several steps, collectively known as the TLS handshake.
The Simplified Process
- Browser requests a secure connection. When you navigate to https://example.com, your browser tells the server it wants to establish an encrypted connection.
- Server sends its certificate. The server responds with its SSL certificate, which contains the server's public key and identifying information.
- Browser verifies the certificate. The browser checks that:
  - The certificate is issued by a trusted certificate authority.
  - The certificate has not expired.
  - The certificate is issued for the domain being visited.
  - The certificate has not been revoked.
- Key exchange. The browser and server agree on a shared encryption key using the certificate's public key. This shared key (session key) is used for the actual data encryption.
- Encrypted communication begins. All subsequent data between the browser and server is encrypted with the session key.
This entire handshake takes milliseconds and happens invisibly every time you visit an HTTPS website.
The Certificate Chain
SSL certificates do not work alone. They are part of a chain of trust:
- Root certificate: Issued by a root certificate authority and pre-installed in your browser or operating system. These are the trust anchors.
- Intermediate certificate: Issued by the root CA to an intermediate CA. This is used to sign end-entity certificates.
- End-entity certificate: Your website's SSL certificate, signed by the intermediate CA.
The browser verifies the chain by checking each link: your certificate is signed by the intermediate, the intermediate is signed by the root, and the root is in the browser's trust store. If any link is missing or invalid, the verification fails.
For a deep dive into the chain, see SSL Certificate Chain Explained.
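Browsers perform the four verification checks listed above on their own, but scripts and API clients only perform them if their TLS configuration asks for it. The following added example (not part of the original article; the function names are hypothetical) audits a Python `ssl.SSLContext` and reports which of those checks a client built on it would skip.

```python
import ssl


def verification_gaps(ctx):
    """List the certificate checks a client using this context would skip."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # Without CERT_REQUIRED the chain is not validated against the trust
        # store, and validity dates are only checked as part of that step.
        gaps.append("chain-of-trust")
        gaps.append("expiry")
    if not ctx.check_hostname:
        # The certificate's names are not compared with the requested host.
        gaps.append("hostname")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        # No CRL lookup is configured, so revoked certificates are accepted.
        gaps.append("revocation")
    return gaps


def weakened_context():
    """Constructed 'before' case: the settings often used to silence errors."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # must be disabled before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    print("default :", verification_gaps(ssl.create_default_context()))
    print("weakened:", verification_gaps(weakened_context()))
```

The default context still reports a revocation gap because Python's `ssl` module does not check CRLs unless a CRL is loaded and the corresponding verify flag is set.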
What Information Is in an SSL Certificate
An SSL certificate contains:
- Subject: The domain name (Common Name or CN) and optionally the organization name and location.
- Issuer: The certificate authority that issued the certificate.
- Validity period: The start date (Not Before) and expiration date (Not After).
- Public key: The server's public key, used during the TLS handshake.
- Signature: The CA's digital signature, proving the certificate is authentic.
- Serial number: A unique identifier assigned by the CA.
- Subject Alternative Names (SANs): Additional domain names the certificate covers (e.g., both example.com and www.example.com).
- Key usage: What the certificate's key is allowed to do (digital signature, key encipherment, etc.).
You can view these details by clicking the padlock icon in your browser's address bar and viewing the certificate information.
Types of SSL Certificates
SSL certificates come in different types based on the level of validation and the number of domains they cover.
By Validation Level
Domain Validation (DV): The CA verifies only that the applicant controls the domain. No organization identity is checked. DV certificates are the quickest and cheapest to obtain. Let's Encrypt issues DV certificates for free.
Organization Validation (OV): The CA verifies the domain and the organization's identity (business name, address, etc.). OV certificates show the organization name in the certificate details but not in the browser address bar.
Extended Validation (EV): The CA performs the most thorough verification, including legal existence, operational status, and physical address. EV certificates once displayed a green address bar with the company name, but modern browsers have largely removed this visual distinction.
For most websites, a DV certificate provides sufficient security. The encryption is identical across all validation levels. The difference is in the identity verification process. For the complete comparison, see Types of SSL Certificates.
By Domain Coverage
Single-domain certificate: Covers one domain name (e.g., example.com). May also cover www.example.com as a SAN.
Wildcard certificate: Covers a domain and all its first-level subdomains (e.g., *.example.com covers www.example.com, blog.example.com, api.example.com). Does not cover the bare domain unless listed as a SAN. See Wildcard SSL Certificates.
Multi-domain (SAN) certificate: Covers multiple different domain names on a single certificate (e.g., example.com, example.org, anotherdomain.com). See SAN Certificates: Multi-Domain SSL Explained.
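The coverage rules above decide whether the "issued for the domain being visited" check passes. This added example (not from the original article) implements a simplified version of that name matching; the function names and SAN lists are constructed, and rejecting patterns such as `*.com` is an assumption standing in for the stricter rules real clients apply.

```python
# Simplified dNSName matching for single-domain, wildcard and multi-domain
# certificates. All names and SAN lists below are constructed samples.

def san_matches(pattern, hostname):
    """Return True if a single SAN entry covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                  # a wildcard never spans extra labels
    if any("*" in label for label in p[1:]):
        return False                  # wildcard only in the left-most label
    if p[0] == "*":
        # Assumption: require at least "*.name.tld" so "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                  # partial wildcards ("w*") not honoured
    return p == h


def cert_covers(sans, hostname):
    """True if any SAN entry on the certificate covers the hostname."""
    return any(san_matches(entry, hostname) for entry in sans)


def coverage_report(sans, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {name: cert_covers(sans, name) for name in hostnames}


WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
MULTI_DOMAIN = ["example.com", "example.org", "anotherdomain.com"]
HOSTS = ["example.com", "www.example.com", "api.example.com",
         "a.b.example.com", "example.org"]

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX),
                        ("multi-domain", MULTI_DOMAIN)]:
        print(label, coverage_report(sans, HOSTS))
```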
Why Every Website Needs an SSL Certificate
Browser Warnings
Since 2018, Chrome marks all HTTP websites as "Not secure" in the address bar. Firefox, Safari, and Edge display similar warnings. These warnings erode visitor trust and can drive users away.
SEO Rankings
Google confirmed in 2014 that HTTPS is a ranking signal. While it is a lightweight signal compared to content quality and backlinks, all else being equal, an HTTPS site has an advantage over an HTTP equivalent.
Data Protection
Any data submitted on an HTTP website (login forms, search queries, contact forms) is transmitted in plain text. Anyone monitoring the network can read it. SSL encryption protects this data in transit.
Regulatory Compliance
Regulations like GDPR, PCI DSS (required for processing credit cards), and HIPAA require encryption for data in transit. An SSL certificate is a fundamental compliance requirement.
Modern Web Features
Many modern browser APIs require HTTPS to function: Service Workers (needed for Progressive Web Apps), the Geolocation API, the Notifications API, HTTP/2 (which browsers only support over HTTPS), and the Clipboard API. Without HTTPS, your site cannot use these features.
HTTPS is the baseline, not the goal
An SSL certificate encrypts the connection and authenticates the server. It does not make a website safe in the broader sense. A phishing site can have a valid SSL certificate. HTTPS is a necessary foundation for web security, but it is not sufficient on its own.
Getting an SSL Certificate
Free Certificates
Let's Encrypt is a free, automated, open certificate authority that issues DV certificates. Most hosting providers integrate with Let's Encrypt for automatic certificate issuance and renewal. See Free SSL Certificates Guide.
Cloudflare provides free SSL certificates for websites using their CDN.
AWS Certificate Manager provides free certificates for use with AWS services (CloudFront, Elastic Load Balancing, API Gateway).
Paid Certificates
Paid certificates are available from commercial CAs like DigiCert, Sectigo, GlobalSign, and others. They range from a few dollars per year for basic DV certificates to hundreds of dollars for OV and EV certificates. The encryption is identical; you are paying for the validation process, warranty, and support.
For a comparison of providers, see SSL Certificate Providers Compared.
Installation
After obtaining a certificate, you install it on your web server. The process varies by server software (Apache, Nginx, IIS) and hosting provider. Many hosting providers handle installation automatically when using their integrated certificate services.
For the complete process, see How to Install SSL and How to Get an SSL Certificate.
Certificate Expiration
SSL certificates have a limited validity period. The current maximum is 397 days (approximately 13 months) for publicly trusted certificates. When a certificate expires, browsers display a warning page that prevents visitors from accessing the site without explicitly accepting the risk.
Certificate expiration is one of the most common causes of website outages. The fix is straightforward (renew the certificate), but the impact of an expired certificate is immediate and visible to every visitor.
For prevention strategies, see SSL Certificate Renewal Guide and What Happens When SSL Expires.
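An expiry check is simple to automate. This added example (not from the original article) classifies certificates by their Not Before and Not After dates and flags lifetimes above the 397-day maximum mentioned above; the inventory is constructed sample data shaped like the output of Python's `ssl.SSLSocket.getpeercert()`, and the function names and 30-day warning window are assumptions.

```python
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 397   # maximum stated above for publicly trusted certificates
DAY = 86400               # seconds


def check_validity(cert, now, warn_days=30):
    """cert: getpeercert()-style dict; now: current time in epoch seconds."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // DAY)
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    too_long = (not_after - not_before) / DAY > MAX_LIFETIME_DAYS
    return {"status": status, "days_left": days_left, "over_max_lifetime": too_long}


def needs_attention(inventory, now):
    """Hosts whose certificate is not 'ok' or exceeds the maximum lifetime."""
    flagged = []
    for host, cert in inventory.items():
        result = check_validity(cert, now)
        if result["status"] != "ok" or result["over_max_lifetime"]:
            flagged.append(host)
    return sorted(flagged)


# Constructed sample data; real values come from getpeercert() on a live socket.
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc).timestamp()
INVENTORY = {
    "ok.example":   {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Apr  1 00:00:00 2025 GMT"},
    "soon.example": {"notBefore": "Dec  1 00:00:00 2024 GMT", "notAfter": "Feb 15 00:00:00 2025 GMT"},
    "old.example":  {"notBefore": "Nov  1 00:00:00 2024 GMT", "notAfter": "Jan 20 00:00:00 2025 GMT"},
    "long.example": {"notBefore": "Jan  1 00:00:00 2025 GMT", "notAfter": "Jan  1 00:00:00 2027 GMT"},
}

if __name__ == "__main__":
    for host, cert in INVENTORY.items():
        print(host, check_validity(cert, NOW))
```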
Checking Your SSL Certificate
You can check whether a website has a valid SSL certificate and view its details:
- Browser: Click the padlock icon in the address bar.
- Command line: openssl s_client -connect example.com:443
- Online tools: Use an SSL checker to view certificate details and check for issues.
For detailed instructions, see How to Check SSL Certificate.
References
- RFC 8446, "The Transport Layer Security (TLS) Protocol Version 1.3," August 2018. https://datatracker.ietf.org/doc/html/rfc8446
- CA/Browser Forum, "Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates," https://cabforum.org/baseline-requirements/
- Google Security Blog, "HTTPS as a ranking signal," August 2014. https://developers.google.com/search/blog/2014/08/https-as-ranking-signal
- Let's Encrypt, "How It Works," https://letsencrypt.org/how-it-works/