
How TLS certificates secure the internet.

A TLS certificate proves a website is who it claims to be and enables an encrypted connection between browser and server. It’s the technology behind the padlock — and HTTPS itself.

TLS handshake (diagram):
1. Client Hello: the browser proposes ciphers
2. Certificate: the server sends its cert
3. Verify: the client checks the chain
4. Encrypted session: keys exchanged, traffic secured
Definition

A TLS certificate (often called an SSL certificate) is a digital file that binds a public key to a domain name. It lets a browser verify a server’s identity and negotiate an encrypted session, turning HTTP into HTTPS.

How TLS works

From handshake to encrypted session.

1. Handshake begins
The browser connects and the server presents its TLS certificate.

2. Identity check
The browser validates the certificate chain up to a trusted root.

3. Key exchange
Both sides agree on session keys using the certificate’s public key.

4. Encrypted traffic
All data flows encrypted — this is HTTPS in action.

Anatomy of a certificate

What’s inside a TLS certificate.

SSL vs TLS

SSL is the deprecated predecessor; TLS is its modern, secure successor. The term “SSL certificate” persists, but the protocol is TLS.

Certificate fields

Subject, issuer, validity dates, public key, and signature — the core attributes a browser inspects.

SANs

Subject Alternative Names let one certificate cover multiple domains and hostnames.

Wildcards

A wildcard certificate (*.example.com) secures every subdomain under a domain.

Why expiration matters

A valid certificate is only valid for so long.

Every cert expires

Validity periods are shrinking toward 47 days.

Expiry breaks HTTPS

An expired cert makes browsers refuse the connection.

SANs multiply risk

One expired multi-domain cert can break many sites.

Wildcards concentrate it

A wildcard’s expiry takes down every subdomain at once.

Weak crypto ages out

Old algorithms and short keys must be rotated.

Automation is the fix

Continuous discovery and auto-renewal keep HTTPS up.
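The identity check in step 2, the SAN and wildcard rules from the anatomy section, and the expiry failure described above, worked through as an added example using Go's standard crypto/x509 library (this is not MachineCert's code or the page's own; the "Example Root CA", the example.com leaf and its 47-day validity are constructed here):

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign gives tmpl a fresh P-256 key and signs it: self-signed when parent is nil (a root), otherwise by parentKey (one link of the chain).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Inventory builds a constructed root CA and the leaf it issued: SANs cover example.com plus *.example.com, valid for 47 days from issued (hypothetical names).
func Inventory(issued time.Time) (*x509.Certificate, *x509.Certificate) {
	root, rootKey := sign(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	leaf, _ := sign(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames:    []string{"example.com", "*.example.com"},
		NotBefore:   issued, NotAfter: issued.Add(47 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	return root, leaf
}

// Verify is the browser's identity check (step 2): the chain must end at a trusted root, host must match a SAN (a wildcard covers exactly one label), and now must fall inside the validity window.
func Verify(leaf, root *x509.Certificate, host string, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err
}
```

Verify returns nil for example.com and api.example.com, and an error for a.b.example.com (the wildcard does not span two labels), for a host outside the SANs, for a chain that does not reach the trusted root, and for any time after day 47.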

FAQ

TLS certificates, answered.

What is a TLS certificate?
A TLS certificate is a digital file issued by a Certificate Authority that binds a public key to a domain name. It lets a browser verify a website’s identity and establish an encrypted connection — the foundation of HTTPS.

What is the difference between SSL and TLS?
SSL (Secure Sockets Layer) is the original, now-deprecated protocol. TLS (Transport Layer Security) is its modern, more secure successor. People still say “SSL certificate,” but today the protocol used is TLS.

How does TLS work?
The browser and server negotiate a connection: the server presents its certificate, the browser verifies the chain of trust, both sides exchange keys using the certificate’s public key, and from then on all traffic is encrypted.

What are Subject Alternative Names (SANs)?
Subject Alternative Names (SANs) are additional domains and hostnames a single certificate can secure, so one cert can cover example.com, www.example.com, api.example.com, and more.

What is a wildcard certificate?
A wildcard certificate uses an asterisk (e.g. *.example.com) to secure all subdomains under a domain with a single certificate. Convenient, but its expiry affects every subdomain at once.

Why do TLS certificates expire?
Expiration limits how long a compromised or outdated certificate can be misused and forces periodic re-validation. Maximum validity is shrinking toward 47 days to improve security.

What happens when a TLS certificate expires?
Browsers display a security warning and refuse to establish the connection, effectively taking the website or service offline until the certificate is renewed.

How does MachineCert help?
MachineCert discovers every TLS certificate across your infrastructure, monitors expiry and risk, and automates renewal — so HTTPS never breaks because a certificate quietly expired.
See it in practice

Check your TLS certificates now.

Run a free domain scan to see every TLS certificate, its expiry, and its risk in one inventory.
