QCecuring - Enterprise Security Solutions

SSL/TLS Certificates: Everything You Need to Know

PKI · 28 Aug, 2025 · 3 min read

TLS certificates enable HTTPS, prove server identity, and encrypt data in transit. Here's how they work, the types available, how to get one, and how to manage them at enterprise scale.


A TLS certificate (commonly called an “SSL certificate”) is a digital document that binds a domain name to a cryptographic public key, signed by a trusted Certificate Authority. When a browser connects to your server over HTTPS, the server presents this certificate. The browser verifies the signature chain, confirms the domain matches, checks it’s not expired — and only then establishes the encrypted connection.

No valid certificate = no HTTPS = no trust. Browsers show “Not Secure” warnings, search engines penalize rankings, and users leave.


How TLS Certificates Work

1. Browser connects to https://example.com
2. Server presents its TLS certificate
3. Browser checks:
   ├── Is the certificate expired? (notBefore/notAfter)
   ├── Does the domain match? (SAN extension)
   ├── Is the chain valid? (signature → intermediate → root in trust store)
   ├── Is it revoked? (OCSP/CRL check)
   └── All pass? → Encrypted connection established
4. ECDHE key exchange → symmetric session keys derived
5. All data encrypted with AES-256-GCM

Types of TLS Certificates

By Validation Level

| Type | What’s Verified | Issuance Time | Cost | Use Case |
|---|---|---|---|---|
| DV (Domain Validated) | Domain ownership only | Seconds (ACME) | Free-$50/yr | Most websites, APIs |
| OV (Organization Validated) | Domain + organization identity | 1-3 days | $50-200/yr | Business websites |
| EV (Extended Validation) | Domain + org + legal verification | 3-7 days | $200-1000/yr | Financial services (diminishing value) |

Practical advice: Use DV for everything unless compliance specifically requires OV/EV. The encryption strength is identical across all three — the difference is only what identity information appears in the certificate details.

By Scope

| Type | Covers | Example | Best For |
|---|---|---|---|
| Single-domain | One exact FQDN | www.example.com | Simple sites |
| Wildcard | All single-level subdomains | *.example.com | Multi-subdomain sites |
| Multi-domain (SAN) | Multiple specific domains | example.com + example.org + api.example.com | Multiple properties |

How to Get a TLS Certificate

Free (Let’s Encrypt via ACME)

# Certbot — most common ACME client
certbot certonly --nginx -d example.com -d www.example.com
# Certificate issued in ~10 seconds
# Auto-renews every 60 days via systemd timer
# Valid for 90 days

Free (Cloudflare / Cloud Provider)

# Cloudflare: automatic certificate for any domain using their DNS/CDN
# AWS ACM: free certificates for use with ALB/CloudFront
# GCP: managed certificates for Cloud Load Balancing
# No manual management — provider handles everything

Paid (Commercial CA)

# For OV/EV certificates or specific compliance requirements
# Submit CSR → CA verifies organization → certificate issued (1-7 days)
# Valid for up to 398 days (CA/Browser Forum maximum)

Certificate Anatomy (X.509)

# View certificate details
openssl x509 -in cert.pem -noout -text

# Key fields:
Subject: CN=api.example.com                    # Who this cert identifies
Issuer: CN=R3, O=Let's Encrypt                 # Who signed it
Validity:
  Not Before: Mar 1 00:00:00 2026 GMT          # Start of validity
  Not After:  May 30 23:59:59 2026 GMT         # Expiry date
Public Key Algorithm: id-ecPublicKey (P-256)   # Key type
X509v3 Subject Alternative Name:               # All covered domains
  DNS:api.example.com, DNS:www.example.com
X509v3 Key Usage: Digital Signature            # What the key can do
X509v3 Extended Key Usage: TLS Web Server Auth # Purpose

Certificate Management at Scale

The Problem

A mid-size enterprise has 3,000-10,000 certificates:

  • Different CAs (Let’s Encrypt, DigiCert, internal CA)
  • Different validity periods (90 days to 1 year)
  • Different deployment targets (Nginx, K8s, ALB, F5, IIS)
  • Different teams managing them (nobody has the full picture)

The Solution

| Scale | Approach |
|---|---|
| 1-10 certs | Certbot + calendar reminders |
| 10-100 certs | cert-manager + Prometheus monitoring |
| 100-1000 certs | CLM platform (centralized discovery + automation) |
| 1000+ certs | Enterprise CLM with multi-CA, multi-target, policy enforcement |

Common Certificate Problems

Expired Certificate

Symptom: NET::ERR_CERT_DATE_INVALID in browser
Cause: Nobody renewed it before the notAfter date
Fix: Renew immediately. Then set up automated renewal + monitoring.

Incomplete Chain

Symptom: Works in Chrome, fails in curl/Java/mobile
Cause: Server sends the leaf cert but not the intermediate (Chrome fetches the missing intermediate via AIA; most other clients do not)
Fix: Configure the full chain, leaf first and then the intermediate: cat server.crt intermediate.crt > fullchain.pem

Hostname Mismatch

Symptom: NET::ERR_CERT_COMMON_NAME_INVALID
Cause: Certificate SANs don’t include the domain being accessed
Fix: Request a new certificate with the correct SANs

Mixed Content

Symptom: Padlock disappears, “mixed content” console warnings
Cause: HTTPS page loads resources over HTTP
Fix: Change all resource URLs to HTTPS (or use protocol-relative //)
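The browser checks listed under “How TLS Certificates Work” and the expired, hostname-mismatch and incomplete-chain failures above, worked in Go as an added example (not code from the original article or from QCecuring): it builds a constructed root → intermediate → leaf chain for api.example.com/www.example.com with Go’s crypto/x509 and runs the same validation a client performs. The names, dates and chain are constructed for the demo; revocation (OCSP/CRL) is not exercised here.

```go
package main

import ("crypto/ecdsa"; "crypto/elliptic"; "crypto/rand"; "crypto/x509"; "crypto/x509/pkix"; "math/big"; "time")

// issue creates a constructed ECDSA P-256 cert; parent == nil means self-signed (a root).
// Names go into the SAN extension: browsers ignore the CN when SANs are present.
func issue(cn string, sans []string, isCA bool, nb, na time.Time, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // random serial, as real CAs use
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku |= x509.KeyUsageCertSign } // a CA must be allowed to sign certificates
	tmpl := &x509.Certificate{SerialNumber: sn.Add(sn, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: nb, NotAfter: na, IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if parent == nil { parent, pkey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Check applies the browser's checks in order (validity window, SAN match, chain to a
// trusted root) and returns "" on success or the reason the connection would be refused.
func Check(leaf *x509.Certificate, sent, trusted []*x509.Certificate, host string, now time.Time) string {
	inter, roots := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range sent { inter.AddCert(c) }    // intermediates the server presented with the leaf
	for _, c := range trusted { roots.AddCert(c) } // the client's trust store
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Intermediates: inter, Roots: roots, CurrentTime: now})
	switch e := err.(type) {
	case nil: return ""
	case x509.HostnameError: return "hostname mismatch"
	case x509.UnknownAuthorityError: return "incomplete chain" // leaf cannot be linked to a trusted root
	case x509.CertificateInvalidError: if e.Reason == x509.Expired { return "expired" }
	}
	return err.Error()
}

// Scenarios builds root -> intermediate -> leaf (a 90-day cert for api/www.example.com)
// and returns the verdict for the healthy case and the three failure modes above.
func Scenarios() map[string]string {
	now, day, yr := time.Date(2026, 4, 1, 0, 0, 0, 0, time.UTC), 24*time.Hour, 365*24*time.Hour
	root, rootKey := issue("Constructed Root", nil, true, now.Add(-yr), now.Add(10*yr), nil, nil)
	ica, icaKey := issue("Constructed Intermediate", nil, true, now.Add(-yr), now.Add(5*yr), root, rootKey)
	leaf, _ := issue("api.example.com", []string{"api.example.com", "www.example.com"}, false, now.Add(-30*day), now.Add(60*day), ica, icaKey)
	sent, trusted := []*x509.Certificate{ica}, []*x509.Certificate{root}
	return map[string]string{
		"ok":                Check(leaf, sent, trusted, "www.example.com", now),
		"hostname_mismatch": Check(leaf, sent, trusted, "example.com", now), // apex is not in the SAN list
		"expired":           Check(leaf, sent, trusted, "api.example.com", now.Add(100*day)),
		"incomplete_chain":  Check(leaf, nil, trusted, "api.example.com", now), // server omitted the intermediate
	}
}
```

Scenarios() returns an empty verdict for the healthy case and a short reason for each failure, which is the order a client fails in: expiry first, then SAN match, then chain building.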


The 47-Day Future

The CA/Browser Forum voted to reduce maximum certificate validity to 47 days by 2029. This means:

  • Every certificate needs renewal every 6 weeks
  • Manual management becomes impossible
  • Automation (ACME, cert-manager, CLM platforms) becomes mandatory

Read our complete guide on preparing for 47-day certificates →


FAQ

Q: Is “SSL certificate” the same as “TLS certificate”?
A: Yes — same thing. “SSL” is the old name that stuck. The actual protocol is TLS (SSL has been dead since 2015). Read more about SSL vs TLS →

Q: Do I need a certificate for internal services?
A: Yes — if they handle sensitive data or you’re implementing zero trust. Use a private CA (Vault, cert-manager self-signed issuer) for internal services. They don’t need to be publicly trusted.

Q: How much does a TLS certificate cost?
A: DV certificates: free (Let’s Encrypt). OV: $50-200/year. EV: $200-1000/year. For most use cases, free DV certificates from Let’s Encrypt are sufficient.

Q: What key type should I use?
A: ECDSA P-256 for new certificates (smaller, faster than RSA). RSA-2048 only for legacy compatibility. Read RSA vs ECC comparison →

Q: How do I monitor certificate expiry?
A: Prometheus + blackbox_exporter (free, probes actual endpoints). Or a CLM platform for enterprise-scale monitoring with ownership mapping and escalation.


Managing hundreds of certificates across multiple environments? QCecuring Certificate Lifecycle Management provides centralized discovery, automated renewal, and compliance reporting for your entire certificate estate. Request a demo →
