SSL/TLS Certificates: How HTTPS Works
SSL/TLS is an encryption protocol that protects data in transit between the browser and the server. HTTPS (HTTP over TLS) is now the standard for all websites: browsers mark HTTP sites as insecure, and search engines factor HTTPS into their ranking algorithms.
SSL vs TLS — What's the Difference
SSL (Secure Sockets Layer) is the original protocol created by Netscape in the 1990s. TLS (Transport Layer Security) is its modern successor. SSL 2.0 and 3.0 have long been deprecated and are vulnerable. The current status:
| Protocol | Year | Status |
|---|---|---|
| SSL 2.0 | 1995 | Prohibited (vulnerable) |
| SSL 3.0 | 1996 | Prohibited (POODLE) |
| TLS 1.0 | 1999 | Deprecated (disabled in browsers since 2020) |
| TLS 1.1 | 2006 | Deprecated (disabled in browsers since 2020) |
| TLS 1.2 | 2008 | Supported (minimum recommended) |
| TLS 1.3 | 2018 | Recommended (faster, more secure) |
The term "SSL certificate" persists out of habit, although technically "TLS certificate" is more accurate.
How the TLS Handshake Works
When establishing an HTTPS connection, the client and server perform a TLS handshake:
- Client Hello — the client sends its supported TLS versions, cipher suites, and a random number
- Server Hello — the server selects a TLS version and cipher suite, and sends its certificate
- Certificate Verification — the client verifies the chain of trust, expiration date, and domain match
- Key Exchange — both parties negotiate a session key (typically via ECDHE)
- Encrypted Connection — all subsequent data exchange is encrypted with the session key
TLS 1.3 simplifies this process to a single round trip (1-RTT), and on reconnection it can establish a connection in 0-RTT.
Certificate Types
By Validation Level
| Type | Validation | Intended For |
|---|---|---|
| DV (Domain Validation) | Domain ownership only | Blogs, small sites, startups |
| OV (Organization Validation) | Domain + organization verification | Business websites, corporate portals |
| EV (Extended Validation) | Full organization verification | Banks, financial services, large enterprises |
By Domain Count
- Single-domain — for one domain (example.com)
- Wildcard — for a domain and all its subdomains (*.example.com)
- Multi-Domain (SAN) — for multiple different domains in a single certificate
Let's Encrypt
A free certificate authority that issues DV certificates. Supported by all browsers. Certificates are valid for 90 days and are automatically renewed via certbot:
# Install certbot
apt install certbot python3-certbot-nginx
# Obtain a certificate
certbot --nginx -d example.com -d www.example.com
# Test automatic renewal
certbot renew --dry-run
Certbot will automatically configure nginx for HTTPS and add a cron job for renewal.
Chain of Trust
Your site's certificate is signed by an intermediate certificate, which is signed by a root certificate. The browser trusts root CAs from its built-in store:
Root CA (in the browser's trust store)
└── Intermediate CA (R3)
    └── Your certificate (example.com)
Important: the server must send the full chain (certificate + intermediate). If the intermediate is missing, some clients will be unable to verify the certificate.
Common Errors
ERR_CERT_DATE_INVALID
The certificate has expired or is not yet valid. Solution: renew the certificate, verify the auto-renewal configuration, and ensure the server clock is correct.
ERR_CERT_COMMON_NAME_INVALID
The domain in the address bar does not match the certificate's CN or SAN. A typical case: a certificate for example.com does not cover www.example.com.
ERR_CERT_AUTHORITY_INVALID
The chain of trust cannot be verified. Causes: self-signed certificate, missing intermediate certificate, or the CA is not in the browser's trust store.
NET::ERR_CERT_REVOKED
The certificate has been revoked by the certificate authority. A new certificate must be obtained.
Mixed Content
The page is loaded over HTTPS but contains resources loaded over HTTP. The browser may block such resources. Solution: all URLs should use HTTPS or protocol-relative paths (//).
Optimal nginx Configuration
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Protocols
    ssl_protocols TLSv1.2 TLSv1.3;

    # Ciphers
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
Checking an SSL Certificate
To check a certificate from the command line:
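# Certificate information (</dev/null closes stdin so s_client exits after the handshake)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer
# Chain verification (prints every certificate the server sends)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null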
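The verification failures described under Chain of Trust and Common Errors (missing intermediate, name mismatch, expired certificate) can be reproduced offline with `openssl verify`. The script below is an added example, not part of the original article. It assumes OpenSSL 1.1.1 or newer, and the demo CA names, file names and helper functions (`build_chain`, `client_verify`, `report`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway demo PKI (root -> intermediate -> leaf), all values constructed.

# mkcsr <basename> <common-name>: new RSA key plus a signing request.
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
}

# build_chain <dir>: write root.pem, int.pem and leaf.pem (SAN: example.com only).
build_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'subjectAltName=DNS:example.com\n' >"$d/leaf.ext"
    mkcsr "$d/root" "Demo Root CA" && mkcsr "$d/int" "Demo Intermediate CA" &&
    mkcsr "$d/leaf" "example.com" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" >/dev/null 2>&1
}

# client_verify <dir> <hostname> [openssl verify options...]
# -CAfile plays the client's trust store (root only); pass -untrusted <dir>/int.pem
# to model a server that sends the intermediate along with its certificate.
client_verify() {
    d=$1; host=$2; shift 2
    openssl verify -CAfile "$d/root.pem" -verify_hostname "$host" "$@" \
        "$d/leaf.pem" >/dev/null 2>&1
}

# report <label> <client_verify args...>: print whether the client accepts.
report() {
    label=$1; shift
    if client_verify "$@"; then echo "$label: accepted"; else echo "$label: rejected"; fi
}

demo() {
    work=$(mktemp -d) || return 1
    build_chain "$work" || { rm -rf "$work"; return 1; }
    later=$(( $(date +%s) + 7776000 ))   # simulate a client clock 90 days ahead
    report "leaf only (no intermediate sent)" "$work" example.com
    report "full chain, example.com" "$work" example.com -untrusted "$work/int.pem"
    report "full chain, www.example.com" "$work" www.example.com -untrusted "$work/int.pem"
    report "full chain, clock +90 days" "$work" example.com -untrusted "$work/int.pem" -attime "$later"
    rm -rf "$work"
}
demo
```

Only the second case is accepted. Remove the `>/dev/null 2>&1` in `client_verify` to see OpenSSL's own error text for each rejection.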