What Is an SSL Certificate? HTTPS Explained

An SSL certificate is a digital credential that proves a website's identity and enables encrypted communication between a browser and a server.


When you visit a website and see a padlock icon in your browser's address bar, that padlock represents an SSL certificate — a small digital file that does two critical jobs: it proves the website is who it claims to be, and it enables encrypted communication so nobody can eavesdrop on your connection. Understanding SSL certificates is fundamental to understanding how the secure web works.

What Is an SSL Certificate?

An SSL certificate (more accurately called a TLS certificate, though the older term SSL persists) is a digital document issued by a trusted third party called a Certificate Authority (CA). The certificate is installed on a web server and presented to browsers whenever a visitor connects over HTTPS.

The certificate serves as a cryptographic proof of identity. It binds a public key to a domain name and, depending on the type of certificate, to an organisation's legal identity as well. Browsers use the certificate to verify they are talking to the legitimate server for a domain — not an impostor — before establishing an encrypted channel.

SSL vs. TLS
SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). All SSL versions and TLS 1.0/1.1 are now deprecated due to security vulnerabilities. Modern connections use TLS 1.2 or TLS 1.3. Despite this, the term "SSL certificate" remains in widespread use for historical reasons.

What Does an SSL Certificate Prove?

An SSL certificate simultaneously proves two things:

  • Identity — the certificate confirms that the domain name in the address bar corresponds to the server you are connected to, and that a trusted CA has verified this.
  • Encryption capability — the certificate contains a public key that your browser uses to establish an encrypted session, ensuring that data exchanged between you and the server cannot be read or tampered with in transit.

Without a valid certificate, a browser will display a warning — "Your connection is not private" — because it cannot confirm you are talking to who you think you are.

Key Fields Inside an SSL Certificate

An SSL certificate is structured data conforming to the X.509 standard. The most important fields are:

  • Subject / Common Name (CN) — the domain name the certificate is issued for (e.g. example.com).
  • Subject Alternative Names (SAN) — additional domain names covered by the certificate.
  • Issuer — the Certificate Authority that issued and signed the certificate.
  • Validity period — the Not Before and Not After dates defining when the certificate is valid.
  • Public key — the cryptographic key browsers use to initiate encryption.
  • Signature algorithm — the algorithm used by the CA to sign the certificate (e.g. SHA-256 with RSA).
  • Serial number — a unique identifier assigned by the CA.
  • Key usage / Extended key usage — defines what the certificate can be used for (e.g. TLS server authentication).

```bash
# Inspect certificate fields using OpenSSL
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text

# Shorter: view just the subject, issuer, and dates
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
```

What Is a Certificate Authority (CA)?

A Certificate Authority is an organisation that issues SSL certificates after verifying the identity of the applicant. CAs are trusted by operating systems and browsers, which ship with a pre-installed list of trusted root certificates. When a CA signs a certificate, the browser can verify that signature using the CA's public root key — establishing the chain of trust.

Well-known public CAs include DigiCert, Sectigo, GlobalSign, and Let's Encrypt. Let's Encrypt is a non-profit CA that issues free Domain Validation certificates automatically, and it now issues the majority of TLS certificates on the internet.

Self-Signed Certificates
A self-signed certificate is signed by its own creator rather than a trusted CA. Browsers do not trust self-signed certificates and will show a security warning to visitors. They are appropriate only for internal development environments and should never be used for public-facing websites.

Types of SSL Certificates by Validation Level

CAs offer certificates at three levels of identity verification:

Domain Validation (DV)

DV certificates are the most common. The CA only verifies that the applicant controls the domain — typically by placing a DNS record or a file on the web server. No information about the organisation is checked. DV certificates are issued in minutes and are free from Let's Encrypt. They provide the same level of encryption as higher-tier certificates but offer no identity assurance beyond domain ownership.

Organisation Validation (OV)

OV certificates require the CA to verify the organisation's legal existence, name, and physical address in addition to domain control. The organisation details appear in the certificate's Subject field. OV certificates are appropriate for businesses that want to give visitors additional assurance about who operates the site.

Extended Validation (EV)

EV certificates require the most rigorous identity verification, including legal, operational, and physical checks. Historically, browsers displayed the organisation's name in a green address bar for EV certificates, though most modern browsers have removed this visual distinction. EV certificates remain relevant for high-value targets such as banking and e-commerce sites where phishing risk is elevated.

| Type | Validation Level | Issuance Time | Cost | Best For |
| --- | --- | --- | --- | --- |
| DV | Domain control only | Minutes | Free – low | Blogs, personal sites, APIs |
| OV | Organisation verified | 1–3 days | Medium | Business websites |
| EV | Extended legal checks | 3–7 days | High | Banks, e-commerce, finance |

Wildcard and Multi-Domain (SAN) Certificates

Beyond validation levels, certificates differ in how many domains they cover:

  • Single-domain certificate — covers exactly one domain (e.g. example.com). A separate entry for www.example.com would be needed unless it is included as a SAN.
  • Wildcard certificate — covers a domain and all of its direct subdomains using the * wildcard (e.g. *.example.com covers www.example.com, mail.example.com, app.example.com, but not sub.app.example.com).
  • Multi-domain / SAN certificate — covers multiple distinct domain names listed in the Subject Alternative Names extension. One certificate can cover example.com, example.net, and shop.example.co.uk simultaneously.

```bash
# Check which domains a certificate covers (SAN list)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName

# Example output:
# X509v3 Subject Alternative Name:
#     DNS:example.com, DNS:www.example.com, DNS:api.example.com
```

Why Browsers Show the Padlock

The padlock icon indicates that three conditions are met: the site has a valid SSL certificate issued by a trusted CA, the certificate covers the domain in the address bar, and the certificate has not expired or been revoked. When any of these conditions fail, the browser replaces the padlock with a warning indicator and may block the connection entirely.

You can use the ShowDNS SSL Checker to instantly verify the certificate on any domain — checking its validity, expiry date, chain completeness, and the domains it covers.

Monitor Certificate Expiry
SSL certificates expire. Let's Encrypt certificates are valid for 90 days; commercially purchased certificates are typically valid for one year. An expired certificate causes the same browser error as having no certificate. Set up monitoring or use automatic renewal (certbot renew) to avoid unexpected downtime.
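The wildcard and SAN rules from the multi-domain section, the three padlock conditions, and the expiry countdown above, as an added Python example that is not part of this article: the certificate is a constructed sample in the dict shape Python's ssl.SSLSocket.getpeercert() returns, so the same functions run unchanged on a live certificate, and the issuer name, trusted-issuer set and all domain names are assumed values.

```python
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns;
# the issuer name and all domains are assumed, not taken from a real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",  # 90-day lifetime, like Let's Encrypt
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"),
                       ("DNS", "api.example.com"), ("DNS", "*.shop.example.com")),
}
TRUSTED_ISSUERS = {"Example CA (constructed)"}  # stands in for the browser's root store

def hostname_matches(pattern: str, host: str) -> bool:
    """'*' is accepted only as the whole leftmost label and matches exactly one
    label: *.example.com covers www.example.com but neither example.com nor
    sub.app.example.com, which is the wildcard rule described above."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers(cert: dict, host: str) -> bool:
    """Browsers match the SAN list; the CN is only a fallback when no SAN is present."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, host) for n in names)

def padlock_failures(cert: dict, host: str, now: float, trusted: set) -> list:
    """Padlock conditions: trusted issuer, name coverage, validity window (revocation
    via OCSP/CRL is outside this example). Empty list means the padlock is shown."""
    failures = []
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") not in trusted:
        failures.append("untrusted issuer")
    if not cert_covers(cert, host):
        failures.append("name mismatch")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")
    return failures

def days_until_expiry(cert: dict, now: float) -> int:
    """Whole days left before Not After; the number an expiry monitor alerts on."""
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)
```

Pass `time.time()` as `now` and a dict from `getpeercert()` to check a real endpoint; a Let's Encrypt style monitor would alert when `days_until_expiry` drops below 30.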

Frequently Asked Questions

Is SSL the same as HTTPS?

They are closely related but not identical. HTTPS (Hypertext Transfer Protocol Secure) is the protocol used for encrypted web communication. SSL/TLS is the underlying encryption protocol that HTTPS relies on. An SSL certificate is the credential that enables HTTPS — without a certificate installed on the server, HTTPS cannot function.

Do I need an SSL certificate for every subdomain?

You need a certificate that covers every domain and subdomain you serve over HTTPS. A wildcard certificate (*.example.com) covers all direct subdomains in one certificate. Alternatively, a SAN certificate can list specific subdomains. If you only have one certificate for example.com and try to serve app.example.com over HTTPS, browsers will show a name mismatch error.

How long is an SSL certificate valid?

As of 2020, the maximum validity period for publicly trusted SSL certificates is 398 days (approximately 13 months). Let's Encrypt issues certificates valid for 90 days and encourages automated renewal every 60 days. The industry trend is toward shorter validity periods to improve security.

What happens when an SSL certificate expires?

When a certificate expires, browsers immediately display a "Your connection is not private" error and block access to the site for most users. The site appears broken even though the server itself is running normally. This is why automated renewal and expiry monitoring are essential.

Can I get a free SSL certificate?

Yes. Let's Encrypt provides free, automated Domain Validation certificates trusted by all major browsers and operating systems. Certbot is the official client for obtaining and renewing Let's Encrypt certificates. Many hosting providers also include free SSL through their control panels.
