Short answer. Russian SSL certificates are issued by a national certificate authority (CA) for cases where international certificates are unavailable or unsuitable. The key practical nuance is client-side trust: these certificates are not in the default trust stores of international browsers and require installing a root certificate. So it is critical to verify the trust chain and validity exactly as the end user sees them.
Why Russian SSL certificates appeared
The Russian CA issues TLS certificates for websites when international authorities are unavailable for various reasons. Technically these are ordinary X.509 certificates, but the trust chain leads to a Russian root certificate rather than to globally recognized roots.
A certificate is "valid" only relative to the trusted-root store on the user's device. If the root is missing, the browser shows a warning even when the certificate is technically correct.
How they differ from international certificates
- Root of trust: a Russian root certificate vs globally recognized CAs;
- Browser support: international roots are preinstalled almost everywhere; the Russian root must be installed manually or comes built into specific browsers;
- Audience: for Russian users with the root installed it works transparently; foreign users may need to trust the root;
- Technology: X.509 format, chain and validity checks are the same as for any TLS certificate.
| Parameter | Russian CA | International CA |
|---|---|---|
| Root of trust | national root | globally recognized |
| Preinstalled in browsers | not everywhere, needs install | yes, universally |
| Format | X.509 | X.509 |
| Validity check | standard | standard |
| Best for | audience with the root installed | universal audience |
How to verify the trust chain
The main job is to confirm the chain is assembled correctly and validity is fine. On enterno.io the SSL checker does this: it shows validity, chain, protocol and cipher. Manually you can inspect it like this:
# certificate validity dates
echo | openssl s_client -servername example.ru -connect example.ru:443 2>/dev/null \
| openssl x509 -noout -dates
# print chain and issuer
echo | openssl s_client -servername example.ru -connect example.ru:443 -showcerts 2>/dev/null \
| grep -E "subject=|issuer="The issuer= line shows which CA issued the certificate — that tells you whether the root is Russian or international.
Validity and expiry monitoring
An expired certificate breaks the secure connection regardless of which CA issued it. enterno.io tracks validity and warns:
- 14 days ahead — warning;
- 3 days ahead — critical.
Set up an SSL monitor on the monitors page — the system checks validity on a schedule and sends a Telegram alert in advance.
Most "sudden" SSL incidents are simply a missed renewal. A 14-day alert turns an emergency into a planned task.
What to watch when deploying
- Check whether your target audience sees the certificate as trusted (is the root in their browsers).
- Make sure the server serves the full chain (including intermediates).
- Compare reachability and certificate validity from Russia and abroad.
- Enable expiry monitoring so you do not miss the renewal.
FAQ
Will international browsers trust a Russian certificate?
Not by default: you need the Russian root installed or a browser with the built-in root. Without it a warning appears, even though the certificate may be technically valid.
What technically differs in a Russian certificate?
The format is the same (X.509). The difference is the root of the trust chain — it leads to the national CA, not a global CA.
How do I check who issued a certificate?
Look at the issuer field via openssl or in enterno.io's SSL checker.
When does enterno.io warn about expiry?
14 days ahead (warning) and 3 days ahead (critical) before the certificate expires.
Check your certificate and its chain now: run an SSL check on enterno.io and enable expiry monitoring with Telegram alerts. Related: monitoring and 152-FZ, DNS checker.