SSL/TLS Certificates


An SSL/TLS certificate is an integral part of how web servers communicate securely with clients such as web browsers: HTTP over TLS (HTTPS) begins with the SSL/TLS handshake, during which the server presents its certificate. The certificate plays two important roles. First, it binds the server's public key to the domain name, so the client can confirm that the server it reached genuinely belongs to the domain owner (trust, or authentication). Second, that public key lets the client and server agree on the session keys that encrypt everything transmitted between them (encryption).

Encryption alone is not enough to keep information out of the hands of malicious actors. Without first establishing trust, a client could be encrypting its traffic perfectly well, but to a web server owned by an attacker, who holds the matching private key and can therefore decrypt and steal the data. Authentication is what ties the encryption to the right party.

Content of an SSL/TLS certificate

An SSL/TLS certificate typically contains the following information to establish trust:

  1. The domain name for which the certificate was issued (the Subject's Common Name)
  2. The person, organization, or device responsible for the certificate (the rest of the Subject)
  3. The certificate authority (CA) that issued the certificate (the Issuer)
  4. The digital signature of the certificate authority over the certificate's contents, made with the CA's private key
  5. Associated subdomains or other hostnames the certificate also covers (if any), listed in the Subject Alternative Name extension, which modern browsers consult rather than the Common Name
  6. Start and end dates of the certificate's validity period (Not Before and Not After)

This information helps protect a domain against spoofing attacks. An attacker can set up a look-alike website, but to pass a browser's checks they would need a certificate for the victim's domain from a trusted CA, which requires passing that CA's domain validation; a certificate they mint themselves will fail validation. If the certificate cannot be properly validated (issued by an unknown CA, expired, or not matching the hostname the browser connected to), browsers will typically show a warning or refuse to load the website.

To facilitate encryption, the SSL/TLS certificate also contains the following information:

  • The public key corresponding to the private key of the web server associated with the domain (the private key is held only by the web server and never appears in the certificate)

The public key is not a random string: it is the public half of a key pair that is mathematically tied to the server's private key (for example an RSA modulus and exponent, or an elliptic-curve point). During the SSL/TLS handshake the client uses it to authenticate the server, either by verifying the server's signature over the handshake (TLS 1.3, and TLS 1.2 with ephemeral Diffie-Hellman key exchange) or, in the legacy TLS 1.2 RSA key exchange, by encrypting the premaster secret to it. The session keys that encrypt and decrypt data for the rest of the session are derived from that exchange.

Self-signed SSL/TLS certificates

There is a special type of SSL/TLS certificate called the self-signed certificate, so called because it is not issued by a CA: it is signed with the same private key whose public half it certifies, so its Issuer and its Subject are the same entity. Anyone can generate one, and it contains all the fields of a typical SSL/TLS certificate.

A self-signed SSL/TLS certificate carries a public key and therefore supports encrypting information in transit just as a CA-issued one does, but it cannot establish trust between a domain owner and the web server: no party the client already trusts has vouched that the key belongs to the domain owner, and an attacker can generate a self-signed certificate for the same domain name that is indistinguishable from the legitimate one. So a self-signed certificate should not be trusted unless you generated it yourself, deployed it on your own (non-production) server, and configured the client to trust that specific certificate, for example by adding it to the client's trust store or pinning its fingerprint.

Note: Some "Intranets" rely on self-signed certificates because traditional Domain Validation (DV) cannot be completed for internal hostnames, so no public CA will issue a certificate for them. The self-signed certificate (or, preferably, the root of an internal CA that issues the intranet's certificates) then has to be installed in every client's trust store out of band.
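The certificate fields listed above and the difference between a CA-issued and a self-signed certificate, as an added worked example that is not code from the original page. It uses only Go's standard-library crypto/x509 package: it builds a constructed test root CA, issues a server certificate for the made-up hostnames example.test and www.example.test, and then runs the same checks a browser does (chain to a trusted root, validity dates, hostname against the SAN list) against both that certificate and a self-signed one for the same names. The CA name, organization and hostnames are assumptions chosen for the example; the trust store is an in-memory pool rather than the system store so the program runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key pair; the private half never appears in a certificate.
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// signCert has parentKey sign template and returns the parsed certificate.
func signCert(template, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA builds a self-signed root allowed to sign other certificates (a constructed stand-in for a public CA).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return signCert(tmpl, tmpl, &key.PublicKey, key), key
}

// ServerCert makes a certificate for names (first one in the Subject CN, all of them in the
// SAN extension) valid for 90 days. With a CA it is CA-issued; with ca == nil it is self-signed.
func ServerCert(names []string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()),
		Subject:      pkix.Name{CommonName: names[0], Organization: []string{"Example Org (constructed)"}},
		DNSNames:     names,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ca == nil {
		ca, caKey = tmpl, key // sign with the very key the certificate certifies
	}
	return signCert(tmpl, ca, &key.PublicKey, caKey)
}

// Verify is the browser-side check: chain to a trusted root, validity dates, hostname vs. SAN list.
func Verify(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := NewCA()
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the client's trust store holds only this CA

	names := []string{"example.test", "www.example.test"} // constructed hostnames
	leaf := ServerCert(names, ca, caKey)
	fmt.Printf("subject=%q issuer=%q SAN=%v valid %s to %s\n", leaf.Subject.CommonName, leaf.Issuer.CommonName,
		leaf.DNSNames, leaf.NotBefore.Format("2006-01-02"), leaf.NotAfter.Format("2006-01-02"))
	fmt.Println("CA-issued, right host:", Verify(leaf, trusted, "www.example.test")) // <nil>
	fmt.Println("CA-issued, wrong host:", Verify(leaf, trusted, "evil.test"))        // x509.HostnameError

	ss := ServerCert(names, nil, nil)
	// The signature itself is fine: it was made by the key inside the certificate...
	fmt.Println("self-signed, signature:", ss.CheckSignature(ss.SignatureAlgorithm, ss.RawTBSCertificate, ss.Signature)) // <nil>
	// ...but no trusted CA vouched for it, so a browser rejects it unless told to trust exactly this cert.
	fmt.Println("self-signed, vs trust store:", Verify(ss, trusted, "www.example.test")) // x509.UnknownAuthorityError
	pinned := x509.NewCertPool()
	pinned.AddCert(ss)
	fmt.Println("self-signed, pinned:", Verify(ss, pinned, "www.example.test")) // <nil>
}
```

The self-signed certificate passes CheckSignature because the signature is internally consistent; it fails Verify against the trust store because nothing in that store vouches for it, and it only passes once the client has been explicitly configured to trust that one certificate, which is the "your own server" case described above.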



HTTP (Hypertext Transfer Protocol)

HTTP is the protocol web browsers use to connect to web servers and request content to view. It is also used to transfer larger files and is often used for software updates. On its own HTTP provides neither authentication nor encryption; HTTPS is HTTP carried over an SSL/TLS connection, which is where the certificate comes in.

SSL (Secure Sockets Layer)

The Secure Sockets Layer (SSL) is the original protocol by which a server proves its identity to a client and the two encrypt their traffic. Every SSL version (SSL 2.0 and SSL 3.0) has been deprecated for years and should be disabled on servers; the name survives mainly in the phrase "SSL certificate".

TLS (Transport Layer Security)

TLS (Transport Layer Security) is the successor to SSL and is the protocol that actually underlies HTTPS today. TLS 1.0 and 1.1 have also been deprecated, so servers should offer only TLS 1.2 and TLS 1.3. The certificates described above are used the same way by both protocol families, which is why they are still commonly called SSL certificates.