TLS/SSL Certificates: What They Are and Why They Matter
A beginner-friendly guide to TLS/SSL certificates. Learn how TLS works, the different types of certificates, how to check certificate validity, and why HTTPS is essential.
SiteGraph Team
Security Research at AnantaHQ
When you visit a website with HTTPS in the address bar, a TLS/SSL certificate is working behind the scenes to secure your connection. These certificates are the foundation of secure web communication, and every website owner should understand the basics.
What Is a TLS/SSL Certificate?
A TLS (Transport Layer Security) certificate — still commonly referred to as SSL (Secure Sockets Layer) — is a digital certificate that authenticates a website's identity and enables an encrypted connection between a web server and a browser. It's what turns HTTP into HTTPS.
Think of it like a passport for your website. The certificate verifies your identity and ensures that all data exchanged between the visitor's browser and your server is encrypted and cannot be intercepted or tampered with.
How TLS Works
TLS uses a process called the TLS handshake to establish a secure connection:
- Client hello: The browser sends its supported TLS versions and cipher suites to the server.
- Server hello + certificate: The server responds with its chosen TLS version, cipher suite, and its TLS certificate (which includes its public key).
- Certificate verification: The browser verifies the certificate against trusted Certificate Authorities (CAs).
- Key exchange: The browser and server create session keys for symmetric encryption.
- Secure connection: All subsequent data is encrypted using the session keys.
Types of TLS Certificates
Domain Validation (DV)
DV certificates are the most basic type. The CA verifies only that you control the domain — usually by asking you to add a DNS record or upload a file to your website. DV certificates can be obtained in minutes and are often free (e.g., Let's Encrypt).
Best for: Personal sites, blogs, and small businesses.
Organization Validation (OV)
OV certificates require the CA to verify your organization's legal existence and identity in addition to domain ownership. The certificate includes your organization's name.
Best for: Business websites, e-commerce stores, and organizations that want to prove their legitimacy.
Extended Validation (EV)
EV certificates have the strictest verification process. The CA conducts a thorough vetting of the organization's legal, physical, and operational existence. EV certificates were historically indicated by a green address bar in browsers (though this has changed in modern browsers).
Best for: Financial institutions, large enterprises, and high-security applications.
Certificate Validity Periods
Modern TLS certificates have a maximum validity of 398 days (reduced from the previous 3-year maximum). This shorter lifespan improves security by ensuring certificates are more frequently renewed, reducing the window of vulnerability if a private key is compromised.
Automated certificate management tools like Certbot (Let's Encrypt) make renewal effortless by handling it automatically before expiration.
Checking TLS Certificates with SiteGraph
SiteGraph checks TLS certificates as part of every website scan. We report the certificate issuer, validity dates, days until expiry, TLS version, and SAN (Subject Alternative Name) domains. This helps you identify certificates that are about to expire or have configuration issues.
A valid, properly configured TLS certificate is essential for SEO (Google uses HTTPS as a ranking signal), security (protecting user data), and user trust (browsers mark HTTP sites as "Not Secure").
SiteGraph Team
Security Research at AnantaHQ