Introduction
Ever noticed the little padlock icon in your browser's address bar when you visit websites like your bank or an online store? That tiny symbol represents a powerful security mechanism that keeps your data safe while traveling across the internet. Behind that padlock is something called an SSL/TLS certificate.
In today's digital world, where data breaches and privacy concerns dominate headlines, understanding the basics of web security isn't just for IT professionals anymore. Whether you're a website owner, a developer, or just someone who cares about online privacy, knowing how SSL/TLS certificates work can help you make better decisions about your digital safety.
This guide breaks down what digital certificates are, why they're essential for website security, and how you can implement them yourself. No computer science degree required—promise!
What is a Digital Certificate?
A digital certificate is essentially an electronic document that serves two critical functions:
- It confirms that a website is who it claims to be (authentication)
- It enables encrypted connections between browsers and web servers (security)
Think of it as a digital ID card that websites use to prove their identity to your browser. Without certificates, anyone could create a fake version of your bank's website, and you'd have no reliable way to tell the difference.
When you visit a website that has a valid certificate, your browser displays "HTTPS" in the address bar (instead of just "HTTP") along with that reassuring padlock icon. This visual cue tells you that your connection to the site is encrypted and that the server presented a certificate your browser trusts for that domain; it does not, by itself, tell you that the site's operator is honest.
What Is an SSL/TLS Certificate?
SSL (Secure Sockets Layer) and its more modern successor TLS (Transport Layer Security) certificates are the standard technology for keeping internet connections secure and safeguarding sensitive data.
Purpose: Identity Verification + Encryption
SSL/TLS certificates serve two primary purposes:
- Identity Verification: They confirm that the website you're connecting to is legitimate and not an impostor.
- Encryption: They establish encrypted connections that prevent hackers from reading or modifying data as it travels between your browser and the website.
Components of a Certificate
A typical SSL/TLS certificate contains:
- Public Key: Used to establish the encrypted connection
- Subject: The identity of the website or organization (domain name, business name)
- Issuer: The Certificate Authority (CA) that verified and issued the certificate
- Validity Period: Start and expiry dates
- Digital Signature: From the issuing CA to prevent tampering
- Serial Number: A unique identifier for the certificate
Types of SSL/TLS Certificates
There are three main types of certificates, each with different levels of validation:
- Domain Validation (DV) Certificates: The most basic type, verifying only domain ownership. Quick to obtain but provide minimal trust signals to visitors.
- Organization Validation (OV) Certificates: Verify both domain ownership and some business information. Provide more trust than DV certificates.
- Extended Validation (EV) Certificates: The highest level of validation, requiring extensive verification of the organization's identity. These certificates used to turn the address bar green in browsers (though this visual indicator has been phased out in most modern browsers).
Role of Certificate Authorities (CAs)
Certificate Authorities are trusted third parties that issue certificates after verifying the requester's identity. Well-known CAs include:
- DigiCert
- Let's Encrypt (free)
- Comodo/Sectigo
- GoDaddy
- GlobalSign
The entire system relies on browsers trusting these CAs. Your browser comes pre-loaded with a list of trusted root certificates from major CAs, which enables the chain of trust necessary for the system to work.
How HTTPS Works with Certificates
When you connect to a website using HTTPS, your browser and the web server perform a complex dance called the "TLS handshake." This process establishes a secure connection before any actual data is transmitted.
TLS Handshake Overview
The TLS handshake happens in milliseconds and involves several steps:
- Client Hello: Your browser sends a message to the server indicating it wants to establish a secure connection and listing the encryption methods it supports.
- Server Hello: The server responds by selecting an encryption method and sending its SSL/TLS certificate.
- Certificate Validation: Your browser verifies that the certificate is valid, trusted, and matches the domain you're trying to visit.
- Key Exchange: Both sides exchange information to create a shared secret key that will be used for encrypting the actual data.
- Secure Connection Established: Both sides confirm they're ready to begin encrypted communication.
Public/Private Key Encryption Explained
SSL/TLS uses a combination of asymmetric (public-private key) and symmetric encryption:
- Asymmetric Encryption: Uses two different but mathematically related keys. What one key encrypts, only the other can decrypt. This is used during the initial handshake.
- Symmetric Encryption: Uses a single key that both parties know. This is much faster than asymmetric encryption and is used for the actual data transfer after the handshake.
The clever part is how these are combined: the certificate carries the server's public key, which authenticates the exchange that produces the symmetric session key, and that symmetric key protects the rest of the session.
What Is a Certificate Signing Request (CSR)?
A Certificate Signing Request is the first step in obtaining an SSL/TLS certificate. It's a block of encoded text that contains information about the entity requesting the certificate and the public key that will be included in the certificate.
Definition and Purpose
A CSR is essentially an application for a digital certificate. When you generate a CSR, you're creating a request that contains all the information a CA needs to create a certificate specifically for your domain or organization.
Information Included in a CSR
A typical CSR includes:
- Common Name (CN): The fully qualified domain name (e.g., www.example.com)
- Organization (O): Your company or entity name
- Organizational Unit (OU): Department within the organization (e.g., IT, Marketing)
- Locality (L): City
- State/Province (ST): Full state or province name
- Country (C): Two-letter country code (e.g., US, UK)
- Email Address: Administrative contact
Here's what a CSR might look like in encoded form:
-----BEGIN CERTIFICATE REQUEST-----
MIICzjCCAbYCAQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh
MRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMRQwEgYDVQQKDAtFeGFtcGxlIEluYzEX
MBUGA1UECwwOSVQgRGVwYXJ0bWVudDEdMBsGA1UEAwwUd3d3LmV4YW1wbGVjb21w
YW55LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMzDlS+1OT9/
... (additional encoded data) ...
9Qq1LqyNDnwCl5LyUxey+n6K2FRCMGzW5kBNUlpP4/SVVvP+H18aA3aOl3LN6Odl
56FaAU8=
-----END CERTIFICATE REQUEST-----
Why You Can't Use the Same CSR for Multiple Certificates
In most cases, you can't reuse a CSR for multiple certificates because:
- The CSR contains a unique public key that corresponds to a specific private key
- Certificate details like expiration dates would be inconsistent
- Some CAs track CSRs to prevent duplication or fraud
There are some exceptions for wildcard or multi-domain certificates, but generally, it's best practice to generate a fresh CSR for each certificate request.
Creating a CSR and Private Key
Creating a CSR is straightforward using OpenSSL, a widely available open-source toolkit for SSL/TLS.
Using OpenSSL to Generate a Private Key and CSR
The following command generates both a new private key and a CSR in one step:
openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
Let's break down what each flag means:
- req -new: Create a new CSR
- -newkey rsa:2048: Generate a new 2048-bit RSA key pair
- -nodes: Don't encrypt the private key (No DES encryption)
- -keyout mydomain.key: File to write the private key to
- -out mydomain.csr: File to write the CSR to
Example Breakdown of Input Prompts
When you run this command, you'll be prompted to enter various details:
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]: DevOps Horizon
Organizational Unit Name (eg, section) []: Education Department
Common Name (e.g. server FQDN or YOUR name) []: www.devopshorizon.com
Email Address []: admin@devopshorizon.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The most important field is the Common Name, which must exactly match the domain you want to secure. For a wildcard certificate that covers all subdomains, you would use *.devopshorizon.com.
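The same key-and-CSR generation as above, run non-interactively and followed by the checks worth doing before a CSR goes to a CA. This is an added example, not part of the original post; it assumes the openssl CLI is installed, and the example.test names and "Example Org" are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate a private key and CSR
# non-interactively, then inspect and sanity-check the CSR before sending it
# to a CA. Assumes the openssl CLI is installed; example.test names are placeholders.
set -eu
WORK=$(mktemp -d)
# Minimal config so the command does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Same as the interactive command above, but the subject is passed with -subj
# and a Subject Alternative Name is added with -addext: public CAs issue for the
# names in the SAN, so a CSR that carries only a Common Name is not enough.
gen_csr() {
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/mydomain.key" -out "$WORK/mydomain.csr" \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Org/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test,DNS:example.test" >/dev/null 2>&1
}

# Common Name from the CSR subject (must match the host name you will secure).
csr_common_name() {
  openssl req -in "$WORK/mydomain.csr" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^ *CN *= *//p'
}

# DNS names listed in the SAN extension, one per line.
csr_san_names() {
  openssl req -in "$WORK/mydomain.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# "ok" when the CSR's self-signature verifies and its public key is the one
# belonging to the private key file; otherwise the CA would issue a certificate
# the server cannot use.
csr_matches_key() {
  openssl req -in "$WORK/mydomain.csr" -noout -verify >/dev/null 2>&1 \
    || { echo "bad-signature"; return 0; }
  csr_pub=$(openssl req -in "$WORK/mydomain.csr" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORK/mydomain.key" -pubout | openssl sha256)
  [ "$csr_pub" = "$key_pub" ] && echo "ok" || echo "mismatch"
}

gen_csr
echo "CN:  $(csr_common_name)"                  # www.example.test
echo "SAN: $(csr_san_names | tr '\n' ' ')"      # www.example.test example.test
echo "key: $(csr_matches_key)"                  # ok
```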
Getting an SSL Certificate from a CA
Once you have your CSR, the next step is to submit it to a Certificate Authority to receive your actual SSL/TLS certificate.
Submitting the CSR to a Certificate Authority
The submission process varies by CA but generally involves:
- Creating an account with the CA
- Selecting the type of certificate you want
- Pasting your CSR into a form or uploading the CSR file
- Completing the payment (for paid certificates)
Validation Process
Depending on the certificate type you choose, the CA will perform different levels of validation:
- Domain Validation (DV): Usually automated and quick (minutes to hours). Typically involves sending an email to an address associated with the domain or asking you to place a specific file on your web server.
- Organization Validation (OV): Takes longer (days) as the CA verifies your organization's information in addition to domain ownership.
- Extended Validation (EV): The most rigorous process (weeks), involving detailed verification of your business's legal existence, physical location, and operational status.
Receiving the Certificate
After validation, you'll receive your certificate files, typically in formats like:
- PEM (.pem, .crt, .cer): Base64 encoded text files, the most common format
- PKCS#7 (.p7b, .p7c): Contains certificate(s) but not the private key
- PKCS#12 (.pfx, .p12): Contains both certificate(s) and private key in a single encrypted file
Most CAs will also provide intermediate certificates that establish the chain of trust from your certificate to the CA's trusted root certificate.
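To see the chain of trust from the Certificate Authorities section and the PKCS#12 bundle format from the list above in action, the following added example (not the post's own material) builds a throwaway root CA offline, has it sign a leaf certificate, and then checks the leaf the way a browser does: against a known root, against a wrong host name, and against an empty trust store. It assumes the openssl CLI is installed; "Example Root CA", www.example.test and the PKCS#12 password are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): build a private chain of trust
# offline and check a leaf certificate the way a browser does. Assumes the
# openssl CLI is installed; "Example Root CA" and www.example.test are placeholders.
set -eu
WORK=$(mktemp -d)
# Minimal config so the commands do not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Self-signed root CA, standing in for a root that browsers ship pre-installed.
make_root() {
  openssl req -config "$WORK/req.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
}

# Leaf key + CSR, then the root signs it; the extensions file carries the SAN,
# which is the name browsers actually match against the host.
issue_leaf() {
  openssl req -config "$WORK/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# $1 = host name, $2 = trusted CA file ("" = empty trust store). "trusted" only
# if the chain ends at a known root AND the name is in the certificate.
check_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

# Bundle key + leaf + root into one PKCS#12 file (placeholder password).
export_p12() {
  if openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
       -certfile "$WORK/root.crt" -out "$WORK/leaf.p12" -passout pass:placeholder-password 2>/dev/null
  then echo ok; else echo failed; fi
}

make_root; issue_leaf
echo "root known, right name: $(check_leaf www.example.test "$WORK/root.crt")"   # trusted
echo "root known, wrong name: $(check_leaf shop.example.test "$WORK/root.crt")"  # untrusted
echo "root unknown:           $(check_leaf www.example.test "")"                 # untrusted
echo "pkcs12 export:          $(export_p12)"                                     # ok
```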
Free vs Paid CAs
While paid certificates from providers like DigiCert, GoDaddy, or Comodo have traditionally dominated the market, Let's Encrypt has revolutionized web security by offering free, automated certificates.
Let's Encrypt advantages:
- Free of charge
- Automated renewal process
- Same encryption strength as paid certificates
- Widely trusted by browsers
Paid CA advantages:
- Extended validation options
- Longer validity periods (up to 2 years vs 90 days for Let's Encrypt)
- Warranty coverage
- Enhanced customer support
For most websites, a free Let's Encrypt certificate provides more than adequate security. However, large e-commerce sites or financial institutions might benefit from the additional features of paid certificates.
Conclusion
SSL/TLS certificates are a fundamental component of web security, providing both authentication and encryption. By understanding how they work and how to obtain them, you're better equipped to secure your own web properties and recognize secure connections when browsing online.
While the technical details might seem complex, the tools and services available today make implementing SSL/TLS certificates more accessible than ever. Whether you choose a free service like Let's Encrypt or invest in a certificate from a commercial CA, the important thing is that you're taking steps to protect your users' data and build trust in your online presence.
At DevOps Horizon, we believe that understanding security fundamentals is essential for anyone working in technology today. By implementing proper SSL/TLS certificates, you're not just following best practices—you're contributing to a safer, more secure internet for everyone.