
The Complete Guide to SSL Certificates

The padlock in your browser's address bar — that's SSL at work. Almost every website uses it now, it's required for e-commerce and anything handling user data, and it affects SEO. But what actually is an SSL certificate, how does it work, what kinds are there, and what happens when it goes wrong?

This guide covers everything from fundamentals to common errors to monitoring expiry so you're never caught out.


What SSL Actually Is

SSL stands for Secure Sockets Layer. It's technically been superseded by TLS (Transport Layer Security), but the term SSL stuck and is used interchangeably in practice. When people say SSL, they almost always mean TLS.

SSL/TLS is a cryptographic protocol that provides two things:

  1. Encryption — Data transmitted between the browser and server is encrypted. Anyone intercepting the traffic sees meaningless ciphertext, not readable content.

  2. Authentication — The server proves it's who it claims to be. When you connect to yourbank.com, SSL ensures you're actually talking to yourbank.com and not an impersonator.

An SSL certificate is the document that enables this. It's issued by a Certificate Authority (CA), contains the domain name it's valid for and the server's public key, and is signed by the CA to prove it's legitimate.


How HTTPS Works (The Short Version)

When your browser connects to an HTTPS site, a TLS handshake happens before any data is exchanged:

  1. Browser says hello — "I want to connect securely, and I support these encryption methods"
  2. Server presents its certificate — "Here's my certificate, signed by a trusted CA"
  3. Browser verifies the certificate — Checks the certificate is valid, not expired, covers the right domain, and was issued by a trusted CA
  4. Keys are exchanged — Browser and server negotiate a shared encryption key
  5. Encrypted connection established — All subsequent communication is encrypted

The whole process takes milliseconds. From that point on, every byte sent between browser and server is encrypted.


Types of SSL Certificates

By Validation Level

Domain Validation (DV) — The CA verifies you control the domain (via DNS or file-based challenge). Issued quickly, often free. Shows the padlock but no company information. Suitable for blogs, personal sites, and most web applications.

Organisation Validation (OV) — The CA verifies both domain ownership and that the organisation is real. Takes days. Shows company name in certificate details. Suitable for businesses wanting to display their identity.

Extended Validation (EV) — Most thorough vetting: identity, legal existence, physical address. Historically showed a green address bar with the company name. Modern browsers have de-emphasised this display. High cost, high scrutiny — typically used by banks and financial institutions.

For most websites and applications, DV certificates are entirely appropriate. The encryption is identical across all three types.

By Coverage

Single domain — Covers one domain (e.g. example.com). Does not cover www.example.com unless explicitly included.

Wildcard — Covers all one-level subdomains of a domain. *.example.com covers www.example.com, app.example.com, api.example.com, etc. It does not cover sub.app.example.com, and it does not cover the bare example.com unless that name is also listed in the certificate.

Multi-domain (SAN/UCC) — Covers multiple specific domains listed in the certificate. One certificate can cover example.com, example.org, and subdomain.example.net.


How to Get an SSL Certificate

Free: Let's Encrypt

Let's Encrypt issues free DV certificates with 90-day validity. It's backed by major tech companies and trusted by all major browsers.

Certbot is the standard tool for obtaining and renewing Let's Encrypt certificates:

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Obtain and install certificate for Nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Test auto-renewal
sudo certbot renew --dry-run

Certbot configures automatic renewal via a cron job or systemd timer. With Let's Encrypt, manual renewal should rarely be needed.

Caddy takes this further — it provisions and renews Let's Encrypt certificates automatically with zero configuration. Point a domain at a Caddy server, configure your Caddyfile, and HTTPS is handled:

yourdomain.com {
    reverse_proxy localhost:3000
}

Caddy obtains, installs, and renews the certificate entirely automatically.

Managed Platforms

If you deploy to Vercel, Netlify, Railway, Heroku, or similar managed platforms, SSL is handled for you. Your domain is automatically provisioned with a certificate. No configuration needed.

Similarly, Cloudflare provides SSL for any domain on their network, including a free Universal SSL certificate that covers your domain and www.

Paid certificates from providers like DigiCert, Sectigo, or Comodo are used when you need OV or EV validation, a wildcard certificate for a large subdomain structure, or compliance requirements specifying a particular CA.

For most use cases, Let's Encrypt is the right choice.


Common SSL Errors and How to Fix Them

ERR_SSL_PROTOCOL_ERROR

A fundamental failure to establish the SSL/TLS connection.

Causes:

  • Server configured for older TLS versions that the browser no longer supports (TLS 1.0/1.1)
  • HTTPS not actually configured on the server
  • Firewall blocking port 443

Fix: Ensure your server supports TLS 1.2 at minimum, TLS 1.3 preferred. Verify port 443 is open. See ERR SSL protocol error fix.

SSL_ERROR_HANDSHAKE_FAILURE

The client and server couldn't agree on a cipher suite or protocol version during the handshake.

Fix: Update server SSL configuration to support current cipher suites. Remove deprecated ciphers and protocols.

NET::ERR_CERT_INVALID / ERR_CERT_AUTHORITY_INVALID

The certificate isn't trusted by the browser — either the certificate is self-signed, the CA chain is incomplete, or the certificate was issued by an untrusted CA.

Common cause: Missing intermediate certificates. Browsers trust root CAs. Your certificate is issued by an intermediate CA that chains to a root CA. If the intermediate certificate isn't served, browsers can't build the trust chain.

Fix: Configure your web server to serve the full certificate chain, including intermediate certificates. Let's Encrypt provides a fullchain.pem file that includes all necessary certificates.

NET::ERR_CERT_DATE_INVALID

The certificate has expired (or its start date is in the future — often a system clock issue).

Fix: Renew the certificate. If using Let's Encrypt, check that the auto-renewal process is working. If it's a paid certificate, obtain a new one. See net err cert invalid fix.

SSL Handshake Failed

A generic handshake failure. Could be a protocol mismatch, cipher suite incompatibility, or certificate problem.

Fix: Check server SSL configuration. Use SSL Labs SSL Test to analyse your configuration and identify specific issues. See SSL handshake failed fix.

Mixed Content Warning

Your HTTPS page is loading some resources over HTTP. Browsers block active mixed content (scripts, iframes) and warn on passive mixed content (images).

Fix: Update all resource URLs to use HTTPS. Set a Content-Security-Policy header (for example the upgrade-insecure-requests directive) so the browser upgrades any remaining HTTP subresource requests. See mixed content error fix.


SSL Certificate Expiry: The Preventable Disaster

Certificate expiry is one of the most common causes of preventable downtime. When a certificate expires, browsers show a security warning and block access. Users see something like "Your connection is not private" and most of them leave.

Why expiry happens despite auto-renewal:

  • The auto-renewal cron job failed silently
  • DNS validation failed (domain not pointing correctly)
  • Server had a firewall change that blocked Let's Encrypt's HTTP challenge
  • A new server was set up and certificates were never configured

90-day certificates are more exposed to renewal failures: Let's Encrypt certificates expire after 90 days, so the renewal process runs frequently. The upside is that a failure surfaces within weeks, whereas an annual certificate's renewal can fail silently for months before anyone notices.

SSL Monitoring

The solution is dedicated SSL certificate monitoring — a service that checks your certificate's expiry date and alerts you weeks before it expires, giving you time to renew without user impact.

Domain Monitor monitors SSL certificate expiry alongside uptime monitoring. Create a free account and add SSL monitoring for your domains. You'll receive alerts before your certificate expires, not after.

For domains with certificates expiring soon, you also get alerts when a certificate is renewed — useful for confirming that auto-renewal is working correctly.


SSL Best Practices

Use TLS 1.2 and TLS 1.3 only — Disable TLS 1.0 and 1.1. These older protocols have known vulnerabilities and are no longer accepted by major browsers.

Use strong cipher suites — Prefer ECDHE for key exchange and AES-GCM for encryption. Remove weak or deprecated ciphers.

Enable HSTS — HTTP Strict Transport Security tells browsers to always use HTTPS for your domain, preventing downgrade attacks:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Serve the full certificate chain — Include intermediate certificates in your server configuration to prevent trust chain failures.

Test your configuration — Use SSL Labs SSL Test to get a grade on your SSL configuration. Aim for A or A+.

Monitor expiry — Certificate expiry monitoring is non-optional for production applications. The cost of an expired certificate in user trust and revenue far exceeds the cost of monitoring.

Automate renewal — Use Let's Encrypt with Certbot or Caddy for automatic renewal. Manual renewal will eventually be forgotten.


Checking Your Certificate

To inspect a certificate from the command line:

# Print the validity window, subject and issuer (echo closes stdin so s_client exits; -servername sets SNI)
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates -subject -issuer

# Print the expiry date and exit non-zero if the certificate expires within 14 days (1209600 seconds)
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -enddate -checkend 1209600

To check from a browser: click the padlock → Certificate → check the validity period.

For automated, ongoing monitoring, Domain Monitor tracks expiry dates for all your domains and sends alerts before certificates expire. See the ultimate guide to website uptime monitoring for how SSL monitoring fits into a broader monitoring strategy.
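The checks a monitor performs, as an added Python example that is not Domain Monitor's code or any project's own: it applies the wildcard coverage rules from the "By Coverage" section, computes the expiry window the SSL Monitoring section alerts on, and fetches a live certificate the way the openssl commands above do. SAMPLE_CERT and SAMPLE_NOW are constructed values; fetch_cert is only needed against a real host.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Jan  1 00:00:00 2026 GMT",
    "notAfter": "Apr  1 00:00:00 2026 GMT",  # a 90-day validity window, as Let's Encrypt issues
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_NOW = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)  # constructed "current" time

def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the leaf certificate over a verified connection (server_hostname sets SNI).
    An expired leaf or a missing intermediate makes wrap_socket raise ssl.SSLCertVerificationError
    ("certificate has expired" / "unable to get local issuer certificate"): alert on that too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def days_until_expiry(cert: dict, now: Optional[datetime] = None) -> int:
    """Whole days until notAfter; negative once the certificate has expired."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (not_after - (now or datetime.now(timezone.utc))).days

def hostname_covered(cert: dict, hostname: str) -> bool:
    """Apply the coverage rules from the guide to the DNS SANs: an exact name matches itself, and
    *.example.com matches exactly one extra label (app.example.com), so it covers neither
    sub.app.example.com nor the bare apex example.com."""
    host = hostname.lower().rstrip(".")
    for name in (value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"):
        if name.startswith("*."):
            # Strip the wildcard's suffix (".example.com"); what remains must be a single label.
            label = host[: 1 - len(name)] if host.endswith(name[1:]) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False

def assess(cert: dict, hostname: str, now: Optional[datetime] = None, warn_days: int = 14) -> dict:
    """What a monitor alerts on: already expired, expiring within warn_days, or name not covered."""
    days = days_until_expiry(cert, now)
    return {"days_left": days, "expired": days < 0,
            "expires_soon": 0 <= days < warn_days, "hostname_ok": hostname_covered(cert, hostname)}
```

Against a live host, call assess(fetch_cert(host), host); against the constructed sample, assess(SAMPLE_CERT, "www.example.com", SAMPLE_NOW) reports 11 days left and flags it as expiring soon.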
