SSL/TLS

Certificate validity periods are shrinking from 398 days to 90 days. Here's why shorter lifetimes reduce risk, what the CA/Browser Forum proposals mean for operations, and how to prepare.

A self-signed certificate is signed by its own private key instead of a trusted CA. Here's when they're legitimate, how to generate one, and why they're dangerous in production.

TLS 1.3 removed insecure algorithms, reduced handshake latency to 1-RTT, and encrypted more of the handshake. Here's what changed, what was removed, and what breaks during migration.

TLS termination is the point in your infrastructure where encrypted connections are decrypted. Here's why it matters for certificate management, where it typically happens, and the visibility gaps it creates.

A TLS certificate binds a public key to a domain identity, enabling encrypted HTTPS connections. Here's how it works, where it breaks, and what engineers need to know.

A TLS handshake is the negotiation process that establishes an encrypted connection between client and server. Here's how TLS 1.3 reduced it to one round trip, what happens at each step, and where it fails.

ACME (Automatic Certificate Management Environment) is the protocol that lets machines request, validate, and renew TLS certificates without human intervention. Here's how it works, what challenge types exist, and where automation fails.

Certificate pinning restricts which certificates a client accepts for a domain, defending against CA compromise. Here's how it works, why browsers deprecated it, and where it still makes sense.

HSTS tells browsers to always use HTTPS for a domain, eliminating HTTP-to-HTTPS redirect vulnerabilities. Here's how it works, how to configure it safely, and what happens when you get it wrong.

Mutual TLS (mTLS) requires both client and server to present certificates during the handshake, enabling cryptographic identity verification for service-to-service communication. Here's how it works, where it's deployed, and what breaks.