
Complete Guide to SSL/TLS Certificates

SSL/TLS certificates are essential for website security, encrypting data between your server and visitors. This comprehensive guide covers everything you need to know about choosing, installing, and maintaining SSL certificates.

What is SSL/TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. When you see the padlock icon in your browser's address bar, it means the website is using SSL/TLS encryption.

Why SSL/TLS Matters

  • Data Encryption: Protects sensitive information like passwords and credit cards
  • Authentication: Verifies you're connected to the legitimate website
  • SEO Ranking: Google uses HTTPS as a ranking signal
  • User Trust: Visitors trust sites with the padlock icon
  • Compliance: Required for PCI DSS, HIPAA, and other regulations

Types of SSL Certificates

Type                        | Validation             | Best For              | Cost
DV (Domain Validated)       | Domain ownership only  | Blogs, personal sites | Free - $50/year
OV (Organization Validated) | Domain + Organization  | Business websites     | $50 - $200/year
EV (Extended Validation)    | Extensive verification | E-commerce, banks     | $100 - $500/year
Wildcard                    | Covers subdomains      | Multiple subdomains   | $100 - $500/year

How to Get an SSL Certificate

Option 1: Let's Encrypt (Free)

Let's Encrypt provides free DV certificates. Here's how to install using Certbot:

Bash - Ubuntu/Debian
# Install Certbot
sudo apt update
sudo apt install certbot python3-certbot-nginx

# Get certificate for Nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Auto-renewal is set up automatically
# Test renewal with:
sudo certbot renew --dry-run

Option 2: Commercial CA

For OV/EV certificates, purchase from providers like DigiCert, Sectigo, or GlobalSign.

Installation Guide

Nginx Configuration

Nginx - /etc/nginx/sites-available/yourdomain
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com www.yourdomain.com;

    # SSL Certificate
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;

    # SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # HSTS (optional but recommended)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Your site configuration...
    root /var/www/yourdomain;
    index index.html;
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$server_name$request_uri;
}

Apache Configuration

Apache - /etc/apache2/sites-available/yourdomain-ssl.conf
<VirtualHost *:443>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    DocumentRoot /var/www/yourdomain

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
    # SSLCertificateChainFile is deprecated since Apache 2.4.8; on newer versions
    # point SSLCertificateFile at fullchain.pem instead and drop this line
    SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem

    # Modern SSL Configuration
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder off
</VirtualHost>

# Redirect HTTP to HTTPS (both names, so www requests are redirected too)
<VirtualHost *:80>
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    Redirect permanent / https://yourdomain.com/
</VirtualHost>

Troubleshooting Common Issues

Certificate chain is incomplete

This error means intermediate certificates are missing. Include the full chain:

  • Ensure you're using fullchain.pem not just cert.pem
  • Download intermediate certificates from your CA
  • Concatenate certificates in order: server → intermediate → root

Mixed content warnings

Some resources are loaded over HTTP. To fix:

  • Update all resource URLs to HTTPS
  • Use protocol-relative URLs (//example.com/image.png)
  • Add CSP header: upgrade-insecure-requests

Certificate expired

Set up automatic renewal:

  • Let's Encrypt: sudo certbot renew
  • Add a cron job: 0 0 1 * * certbot renew
  • Use our SSL Checker to monitor expiration

SSL/TLS Best Practices

Security Checklist

  • Use TLS 1.2 or 1.3 only (disable older versions)
  • Enable HSTS (HTTP Strict Transport Security)
  • Use strong cipher suites
  • Enable OCSP stapling for faster verification
  • Redirect all HTTP traffic to HTTPS
  • Include all subdomains in your certificate
  • Set up certificate expiration monitoring
  • Regularly test with an SSL checker
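As an added example (not part of the original guide), a small Python monitor for the checklist's subdomain-coverage and expiration items: it takes a certificate in the dict format Python's ssl getpeercert() returns, reports days to expiry and whether renewal is due, and lists hostnames that no SAN entry covers, applying the one-label wildcard rule. The sample certificate, hostnames and frozen clock are constructed; fetch_peer_cert performs a live, verified handshake when you want to run it against your own server.

```python
import socket
import ssl
from datetime import datetime, timezone

def hostname_matches(pattern, hostname):
    """SAN match: '*.example.com' covers exactly one label, not the apex domain."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return pattern == hostname

def cert_days_left(cert, now):
    """Whole days until notAfter, which getpeercert() gives as 'Mar 10 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def uncovered_hostnames(cert, hostnames):
    """Hostnames that no DNS entry in the certificate's subjectAltName covers."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(hostname_matches(s, h) for s in sans)]

def check_cert(cert, hostnames, now=None, warn_days=30):
    """Report expiry status and SAN coverage; warn_days mirrors certbot's renewal window."""
    now = now or datetime.now(timezone.utc)
    days = cert_days_left(cert, now)
    return {
        "days_left": days,
        "expired": days < 0,
        "renew_soon": 0 <= days < warn_days,
        "uncovered": uncovered_hostnames(cert, hostnames),
    }

def fetch_peer_cert(host, port=443):
    """Live check (needs network): verified handshake, returns the getpeercert() dict."""
    ctx = ssl.create_default_context()  # verifies chain and hostname, TLS 1.2+ only
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format for a wildcard DV certificate (not a real cert).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "yourdomain.com"), ("DNS", "*.yourdomain.com")),
    "notAfter": "Mar 10 12:00:00 2025 GMT",
}
SAMPLE_HOSTS = ["yourdomain.com", "www.yourdomain.com", "api.dev.yourdomain.com"]
SAMPLE_NOW = datetime(2025, 2, 20, 12, 0, tzinfo=timezone.utc)  # frozen clock for the sample

def sample_report():
    return check_cert(SAMPLE_CERT, SAMPLE_HOSTS, now=SAMPLE_NOW)
```

Against the sample, the report flags renewal as due (18 days left) and shows that the wildcard does not cover api.dev.yourdomain.com; for a live run, pass fetch_peer_cert("yourdomain.com") to check_cert instead of the sample.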

Ready to Check Your SSL Configuration?

Use our free SSL Checker to verify your certificate is properly installed and configured.
