What Is an SSL/TLS Certificate and How Does It Work?


Diagram of an SSL/TLS certificate securing traffic between a browser and a web server

When you visit a website over HTTPS, your browser and the server agree on an encrypted connection before any application data is exchanged. The piece that makes this possible is the SSL/TLS certificate. It lets your browser confirm that the server really is the legitimate holder of the domain name, and it carries the public key the browser uses to check that proof. The keys that actually encrypt the traffic are negotiated separately during the handshake.

If you run a website, understanding certificates helps you choose the right one, read the details your browser shows, and debug connection problems. This guide explains what an SSL/TLS certificate is, how it works, what it contains, and the types you can choose from.

What Is an SSL/TLS Certificate?

A certificate is a small digital file issued to a website by a Certificate Authority (CA). It binds one or more domain names to a public key, whose matching private key the site keeps secret, and it carries the CA’s digital signature, which browsers use to confirm the certificate is genuine. Once the certificate and its private key are installed and the server is configured to use them, the site is served over HTTPS instead of plain HTTP, and traffic between the visitor and the server is encrypted.

Encryption protects the data in transit from being read or tampered with, which defends against eavesdropping and man-in-the-middle attacks. It does not vouch for the honesty of the site owner; it confirms that you are talking to the server that controls the domain and that nobody can read the connection in between.

A note on terminology: the original protocol was Secure Sockets Layer (SSL), but every version of SSL is now deprecated and insecure. The protocol in use today is Transport Layer Security (TLS). The phrase “SSL certificate” stuck around for historical reasons, so “SSL”, “TLS”, and “SSL/TLS” certificate all refer to the same thing.

How SSL/TLS Certificates Work

When a certificate is installed, the server holds a key pair: a public key that is shared through the certificate, and a private key that never leaves the server. The certificate lets the browser authenticate the server. During the TLS handshake, the browser and server then negotiate shared session keys, which are used to encrypt the actual traffic.

The exchange happens during a process called the TLS handshake:

  1. A visitor opens your site, and the browser requests a secure connection. It includes the hostname it wants (Server Name Indication) so that a server hosting several sites can present the right certificate.
  2. The server sends its certificate chain: its own certificate, which includes the public key, plus the intermediate CA certificates that link it to a root the browser already trusts.
  3. The browser checks the chain: it verifies each CA signature up to a root in its trust store, confirms that the hostname matches one of the certificate’s Subject Alternative Names, and checks that no certificate in the chain has expired or been revoked.
  4. The server proves that it holds the private key matching the certificate by signing part of the handshake. Once that signature checks out, both sides derive shared session keys from a fresh key exchange (ephemeral Diffie-Hellman, mandatory in TLS 1.3 and used by modern TLS 1.2 cipher suites). The certificate’s key authenticates the server; it does not encrypt the traffic itself.
  5. From that point on, the browser and server exchange data encrypted with those session keys.

If any check fails, for example the certificate is expired, self-signed, or issued for a different domain, the browser shows a warning such as “Your connection is not private” and blocks the page until the visitor chooses to continue. On sites that use HTTP Strict Transport Security (HSTS) the warning cannot be clicked through at all, so an expired certificate there takes the site fully offline for returning visitors.

What Information a Certificate Contains

You can view a certificate in your browser by clicking the icon to the left of the address bar and opening the connection or certificate details. A certificate typically includes:

  • The Subject Alternative Names (SANs), which list every domain and subdomain the certificate covers; this is the field browsers match against the hostname
  • The Common Name, a legacy field that usually repeats the primary domain; modern browsers ignore it for hostname matching and rely on the SANs
  • The organization, person, or device it was issued to (present in OV and EV certificates; a DV certificate carries only the domain)
  • The public key and the algorithm it uses
  • The name of the issuing Certificate Authority
  • The digital signature of the CA
  • The dates the certificate becomes valid and expires
  • A serial number, plus key usage extensions that state what the key may be used for

The browser uses this data to confirm the identity of the site and the validity of the certificate before it loads the page.

Info
Browsers used to display the company name in the address bar for the highest-assurance certificates, and most browsers used a padlock icon to signal a secure connection. Modern browsers have reduced or changed these trust indicators, so do not rely on the address bar alone to judge a site. Open the certificate details instead.

Inspecting a Certificate from the Command Line

On Linux you do not need a browser to read a certificate. The openssl command can fetch and decode the certificate of any live site, which is useful for checking expiry dates or debugging a TLS problem.

To connect to a site and print its certificate chain, run:

Terminal
openssl s_client -connect example.com:443 -servername example.com -showcerts

This opens a live connection and prints the handshake details, the subject and issuer of every certificate in the chain, and, thanks to -showcerts, the PEM encoding of each of them (without that option only the server’s own certificate is printed). The -servername option sends the hostname via Server Name Indication, which a server hosting several sites needs in order to pick the right certificate; without it you may get a default certificate for a different name. Press Ctrl+C to close the connection. Replace example.com with the domain you want to inspect.

To decode the full certificate into readable text, pipe the connection into openssl x509:

Terminal
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -text

If you only need the identity and validity window, ask for the subject, issuer, and dates:

Terminal
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -subject -issuer -dates
output
subject=CN=example.com
issuer=C=US, O=DigiCert Inc, CN=DigiCert Global G3 TLS ECC SHA384 2020 CA1
notBefore=Jan 15 00:00:00 2026 GMT
notAfter=Feb 15 23:59:59 2027 GMT

The notAfter line tells you when the certificate expires, which is the value to watch when a site suddenly starts showing warnings. Note that a live check shows only the certificate the server is currently serving: a renewed certificate that has not been installed, or a web server that has not been reloaded after renewal, will still report the old dates here. To inspect a certificate file you already have on disk rather than a live host, point openssl x509 at the file:

Terminal
openssl x509 -in certificate.crt -noout -text

If you want to generate a certificate for testing, see our guide on creating a self-signed SSL certificate.
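To see the checks from step 3 of the handshake (chain signature, hostname match, validity dates) and the expiry check from this section run end to end without touching a live site, here is an added example that is not part of the original article. It builds a throwaway root CA and a leaf certificate with openssl, plus a self-signed certificate for the same name, and then verifies them the way a browser would. Every name in it (Test Root CA, example.test, the file names) is invented for the demo, and the 1-day lifetime of the leaf is deliberately short so the expiry check has something to catch.

```sh
#!/bin/sh
# Added example: a throwaway CA, a leaf certificate it signs, and the checks
# a browser applies to them. All names (Test Root CA, example.test) are
# made up for this demo; nothing here contacts the network.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. A self-signed root CA. In production this is the root that sits in the
#    browser's trust store; here it is just a file.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Test Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. The server's key pair plus a CSR (the request the server sends the CA).
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=www.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null

# 3. The CA signs the CSR. The SAN extension is what hostname matching uses;
#    the 1-day lifetime is deliberately short so the expiry check can trip.
printf 'subjectAltName=DNS:www.example.test,DNS:example.test\nbasicConstraints=CA:FALSE\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

# 4. A self-signed server certificate for the same hostname. Its SAN matches,
#    but no trusted CA vouches for it, so it must be rejected.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=www.example.test" -addext "subjectAltName=DNS:www.example.test" \
  -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null

# verify_cert ANCHOR HOSTNAME CERT
# Succeeds only if CERT chains to ANCHOR (and nothing else: the system trust
# store is disabled with -no-CAfile/-no-CApath) and one of its SANs covers
# HOSTNAME. This is the signature-plus-hostname part of step 3.
verify_cert() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" \
    -verify_hostname "$2" "$3" >/dev/null 2>&1
}

# valid_for SECONDS CERT
# Succeeds if CERT will still be valid SECONDS from now; this is the check a
# monitoring job should run well before notAfter arrives.
valid_for() {
  openssl x509 -in "$2" -noout -checkend "$1" >/dev/null 2>&1
}

# show LABEL COMMAND... : run one check and print the result without aborting
show() {
  label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

show "signed by our CA, hostname www.example.test" verify_cert "$WORK/ca.crt" www.example.test  "$WORK/leaf.crt"
show "signed by our CA, hostname example.test"     verify_cert "$WORK/ca.crt" example.test      "$WORK/leaf.crt"
show "signed by our CA, wrong hostname"            verify_cert "$WORK/ca.crt" evil.example.test "$WORK/leaf.crt"
show "self-signed, hostname matches"               verify_cert "$WORK/ca.crt" www.example.test  "$WORK/self.crt"
show "still valid right now"                       valid_for 0      "$WORK/leaf.crt"
show "still valid two days from now"               valid_for 172800 "$WORK/leaf.crt"
```

The first two checks pass and the rest fail: a wrong hostname and a self-signed certificate are rejected even though the signatures themselves are fine, and the short-lived leaf is reported as expiring when asked about a point two days out. The -checkend form is the one to put in a cron job or monitoring probe, since its exit status, not its output, is what you act on.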

Types of Certificates by Validation Level

Certificate Authorities issue certificates at different validation levels, which describe how much the CA checks before issuing. They all provide the same encryption; the difference is how thoroughly the owner is verified.

Domain Validation (DV)

A DV certificate is issued after a simple check that you control the domain, usually by responding to an email or adding a DNS record or a file on the web server. It requires no paperwork and is issued quickly, often within minutes. DV certificates are by far the most common type and provide exactly the same encryption as the others; what they lack is a verified organization identity, so they are the usual choice for blogs, personal sites, APIs, and most commercial sites alike. Free certificates from Let’s Encrypt are DV certificates.

Organization Validation (OV)

An OV certificate is issued after the CA verifies both domain control and the existence of the organization behind it. The organization details are stored in the certificate and can be seen in the Subject field, as shown below.

Organization details shown in the Subject field of an SSL certificate

Because the CA verifies the company, OV certificates take longer to issue and cost more than DV certificates. They are common for business and corporate sites.

Extended Validation (EV)

An EV certificate involves the strictest checks, including the organization’s legal status, physical address, and operational status. It takes the longest to issue and is the most expensive. EV certificates were once shown with the company name in a green address bar, but browsers no longer display that indicator, so the practical difference for visitors is small. The verified organization details are still recorded in the certificate itself.

Types of Certificates by Coverage

Beyond the validation level, certificates also differ in how many domains and subdomains they secure.

Single-Domain

A single-domain certificate secures one domain or subdomain. Many CAs also add the www variant as a Subject Alternative Name at no extra cost, but a certificate covers only the names it actually lists, so check the SAN field rather than assuming both forms are included.

Wildcard

A wildcard certificate secures all subdomains one level below a given name, using an entry in the form *.example.com. A single wildcard certificate covers dev.example.com, mail.example.com, and any other direct subdomain, but not deeper names such as a.dev.example.com, and not the bare example.com unless that is listed as a separate SAN (most CAs include it). Because every host that serves the wildcard holds the same private key, compromising one of them exposes all of them, so keep the key off hosts that do not need it.

Wildcard certificate covering multiple subdomains of one domain

Multi-Domain (SAN)

A multi-domain certificate, also called a Subject Alternative Name (SAN) certificate, secures several different domains and subdomains with one certificate. You list each name in the Subject Alternative Name field, so a single certificate can cover unrelated domains such as example.com and example.org.

Multi-domain certificate covering several different domains

Unified Communications Certificate (UCC)

A UCC is a multi-domain certificate originally designed to secure Microsoft Exchange and Office Communications servers. It works the same as a SAN certificate and can secure multiple domain names with one certificate.
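Which hostnames a wildcard or multi-domain certificate covers is decided purely by matching the requested name against the SAN list, and the rules above are easy to test locally. Here is an added example that is not code from the original article: it issues a self-signed certificate with a wildcard entry, the bare domain, and an unrelated second domain, then asks openssl whether each hostname is covered. The names example.test and example.org are placeholders, and the certificate is used as its own trust anchor because only the name matching is of interest here.

```sh
#!/bin/sh
# Added example: test which hostnames a wildcard + multi-domain SAN list
# covers. Names are placeholders; the certificate is self-signed and used as
# its own trust anchor because only the name matching is of interest here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# One certificate with a wildcard for example.test, the bare domain listed
# explicitly (a wildcard alone does not cover it), and a second, unrelated
# domain, which is what makes it a multi-domain (SAN) certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=*.example.test" \
  -addext "subjectAltName=DNS:*.example.test,DNS:example.test,DNS:example.org" \
  -keyout "$WORK/san.key" -out "$WORK/san.crt" 2>/dev/null

# Print the SAN list exactly as a browser would read it.
openssl x509 -in "$WORK/san.crt" -noout -ext subjectAltName

# covers HOSTNAME : succeeds if the certificate's SAN list matches HOSTNAME
covers() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/san.crt" \
    -verify_hostname "$1" "$WORK/san.crt" >/dev/null 2>&1
}

for host in dev.example.test mail.example.test example.test \
            a.b.example.test example.org www.example.org; do
  if covers "$host"; then echo "covered      $host"; else echo "not covered  $host"; fi
done
```

The output shows dev.example.test, mail.example.test, example.test and example.org as covered, while a.b.example.test (two levels below the wildcard) and www.example.org (the second domain was listed without its www form) are not.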

Quick Reference

  • openssl s_client -connect host:443 -servername host -showcerts
    Connect and print the full certificate chain
  • echo | openssl s_client -connect host:443 -servername host 2>/dev/null | openssl x509 -noout -text
    Decode a live certificate to text
  • echo | openssl s_client -connect host:443 -servername host 2>/dev/null | openssl x509 -noout -dates
    Show validity dates of a live certificate
  • openssl x509 -in certificate.crt -noout -text
    Inspect a certificate file on disk
  • openssl x509 -in certificate.crt -noout -subject -issuer
    Show subject and issuer of a file

For a printable quick reference, see the openssl cheatsheet.

FAQ

What is the difference between SSL and TLS?
They are versions of the same kind of protocol. SSL is the older name and every SSL version is now deprecated and insecure. TLS is the current protocol. “SSL certificate” and “TLS certificate” mean the same file.

Are SSL/TLS certificates free?
Yes. Let’s Encrypt issues free domain-validated certificates that are trusted by all major browsers. Paid certificates mainly add organization validation and support, not stronger encryption.

How do I check when a certificate expires?
Run echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates and read the notAfter value.

Does a certificate mean a website is safe?
No. A valid certificate confirms the connection is encrypted and that you are talking to the server that controls the domain. It does not guarantee the site itself is trustworthy.

Conclusion

An SSL/TLS certificate encrypts traffic and proves a site controls its domain, and the validation level and coverage decide how much it verifies and how many names it secures. Once you have one in place, set up an HTTP to HTTPS redirect in Nginx or in Apache so every visitor uses the secure connection.


About the authors

Dejan Panovski


Dejan Panovski is the founder of Linuxize, an RHCSA-certified Linux system administrator and DevOps engineer based in Skopje, Macedonia. Author of 800+ Linux tutorials with 20+ years of experience turning complex Linux tasks into clear, reliable guides.
