What Is an SSL/TLS Certificate?
An SSL (Secure Sockets Layer) / TLS (Transport Layer Security) certificate is a digital certificate that authenticates a website's identity and enables an encrypted connection between a web server and a browser. When a site has a valid SSL certificate, its URL starts with "https://" and browsers show a padlock icon.
TLS is the modern, more secure successor to SSL. The term "SSL" is still widely used, but virtually all modern "SSL certificates" use TLS. When people say "SSL," they almost always mean TLS.
SSL certificates serve two purposes: encryption (protecting data in transit from eavesdropping) and authentication (proving the website is who it claims to be).
How Does SSL/TLS Work?
When your browser connects to an HTTPS website, the following exchange, called the TLS handshake, takes place:
- Client Hello: Your browser connects to the server and sends a list of supported encryption methods.
- Server Hello: The server responds with its SSL certificate and chosen encryption method.
- Certificate Verification: Your browser verifies the certificate is valid, not expired, issued by a trusted Certificate Authority, and matches the domain.
- Key Exchange: The browser and server securely exchange encryption keys.
- Encrypted Session: All subsequent data is encrypted using the agreed-upon keys.
This entire handshake happens in milliseconds — you won't notice any delay. Once established, all data between your browser and the server is encrypted, protecting it from interception.
Types of SSL Certificates
Domain Validation (DV): The most basic type. The CA only verifies that you control the domain. Issued within minutes. Free options available through Let's Encrypt. Suitable for blogs, personal sites, and small businesses.
Organization Validation (OV): The CA verifies the organization behind the domain. Takes a few days to issue. Shows the organization name in the certificate details. Better for businesses that want to display verified identity.
Extended Validation (EV): The most rigorous validation. The CA thoroughly vets the organization's legal existence, physical address, and authorization. Historically showed the company name in the browser's address bar (this has been removed by most browsers). Primarily used by financial institutions and large enterprises.
Wildcard certificates: Cover a domain and all its subdomains (e.g., *.example.com). Useful when you have many subdomains.
Multi-domain (SAN) certificates: Cover multiple different domain names with a single certificate.
How to Check an SSL Certificate
Use LookMyIP's free SSL Certificate Checker at lookmyip.com/ssl. Enter any domain to instantly see the certificate issuer, validity period, expiry date, certificate chain, supported protocols, and any issues.
In your browser: Click the padlock icon in the address bar and select "Certificate" or "Connection is secure" to view certificate details.
Command line: Use OpenSSL to inspect a certificate:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -text -noout
Key things to check:
- Is the certificate expired or about to expire?
- Does the certificate match the domain name?
- Is the certificate chain complete?
- Is it issued by a trusted Certificate Authority?
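The checks listed above can be scripted. The following Python sketch is an added example, not part of LookMyIP's tool: fetch_cert relies on Python's default verification for chain and trusted-CA validation, and audit reports upcoming expiry and domain coverage. The function names, the 30-day warning window and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import time

# Constructed sample in the dict format ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Mar 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def fetch_cert(host, port=443, timeout=5.0):
    """Handshake against the system trust store and return the leaf certificate.

    Raises ssl.SSLCertVerificationError if the chain cannot be built to a
    trusted CA, the certificate is expired, or it does not cover `host`.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Match one SAN DNS name; '*' stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(cert, host, now=None, warn_days=30):
    """Return findings for expiry and domain coverage (empty list = clean)."""
    now = time.time() if now is None else now
    findings = []
    days_left = int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(san, host) for san in sans):
        findings.append(f"name mismatch: {host} not covered by {sans}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CERT, "www.example.com", now=1710979200))
```

For a live check, pass the result of fetch_cert("example.com") to audit with the same hostname; a verification error from fetch_cert is itself the finding for an untrusted or incomplete chain.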
Common SSL Issues and How to Fix Them
Expired certificate: The most common issue. Set up automatic renewal (Let's Encrypt certificates auto-renew with certbot) or set calendar reminders for manually managed certificates.
Certificate name mismatch: The certificate was issued for a different domain. Ensure the certificate covers all domains and subdomains your site uses (including www and non-www versions).
Incomplete certificate chain: The server isn't sending intermediate certificates. Configure your server to include the full certificate chain.
Mixed content warnings: Your HTTPS page loads some resources (images, scripts, stylesheets) over HTTP. Update all resource URLs to use HTTPS or protocol-relative URLs.
TLS version too old: Some servers still support deprecated TLS versions (TLS 1.0, 1.1). Disable these and support only TLS 1.2 and 1.3.
Self-signed certificate: The certificate wasn't issued by a trusted CA. This is fine for development but unacceptable for production — use a proper CA like Let's Encrypt (free) or a commercial provider.
