An SSL certificate is a digital file installed on a web server that does two things: proves the server’s identity (authentication) and enables encrypted connections (HTTPS). When a site has a valid SSL certificate, its URL starts with https:// and browsers display a padlock icon.
The term “SSL certificate” is still used universally, but the underlying technology is now TLS (Transport Layer Security) — SSL was deprecated in 2015. When people say “SSL certificate,” they mean a TLS certificate.
What’s inside an SSL certificate
An SSL certificate is an X.509 file containing:
| Field | Example | Purpose |
|---|---|---|
| Subject (CN/SAN) | example.com, www.example.com | Domain(s) the certificate is valid for |
| Public key | ECDSA P-256 or RSA 2048 key | Used during TLS handshake to establish encryption |
| Issuer | Let’s Encrypt, DigiCert | The Certificate Authority that signed it |
| Validity dates | Not Before / Not After | Certificate expires after this period (90 days for Let’s Encrypt) |
| Serial number | Unique hex string | Identifies this specific certificate |
| Signature | CA’s digital signature | Proves the certificate hasn’t been tampered with |
| Key usage | Digital Signature, Key Encipherment | What the certificate can be used for |
The server keeps a matching private key that can decrypt data encrypted with the certificate’s public key. This key pair is the foundation of HTTPS encryption.
How an SSL certificate works
When you visit https://example.com:
- Your browser requests the server’s SSL certificate
- The server sends the certificate (including its public key)
- Your browser checks: Is the certificate expired? Does the domain match? Is it signed by a trusted CA?
- If valid, the browser uses the public key to negotiate a shared session key
- All traffic is encrypted with the session key — no one in between can read it
This happens in milliseconds.
Types of SSL certificates
By validation level
| Type | Validates | Browser display | Cost | Best for |
|---|---|---|---|---|
| DV (Domain Validation) | Domain ownership | Padlock | Free (Let’s Encrypt) | 90%+ of websites |
| OV (Organization Validation) | Domain + organization | Padlock (same) | $50-200/year | Enterprise compliance |
| EV (Extended Validation) | Domain + thorough org audit | Padlock (same) | $100-500/year | Specific regulatory needs |
All three provide identical encryption. The difference is how much the CA verifies your identity — not how strong the encryption is.
By domain coverage
| Type | Covers | Example |
|---|---|---|
| Single-domain | One specific domain | example.com |
| Wildcard | Domain + all subdomains | *.example.com |
| Multi-domain (SAN) | Multiple specific domains | example.com + example.org |
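The expiry and domain-match checks from "How an SSL certificate works", applied to the coverage types in the table above, as an added example (not code from this page or from GetHTTPS). It assumes a certificate already parsed into the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; the sample certificate is constructed, the function names are hypothetical, and the CA signature check is left to the TLS library.

```python
import ssl
from datetime import datetime, timezone

def host_matches(pattern: str, host: str) -> bool:
    """Match one SAN DNS entry against a hostname.
    A "*" stands for exactly one left-most label, so it never spans dots."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.example.com matches neither example.com nor a.b.example.com
    if p[0] == "*":
        # Simplification: refuse wildcards directly under a TLD (e.g. *.com);
        # browsers consult a public-suffix list for this decision.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_certificate(cert: dict, host: str, now: datetime) -> list:
    """Return the problems a client would report for this certificate and host."""
    problems = []
    ts = now.timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Only SAN entries are consulted, as current browsers do; the CN is ignored.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(host_matches(s, host) for s in sans):
        problems.append("hostname mismatch")
    return problems

# Constructed sample: a wildcard entry plus one extra SAN, valid for 90 days.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.org")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}

if __name__ == "__main__":
    during = datetime(2025, 2, 1, tzinfo=timezone.utc)
    after = datetime(2025, 5, 1, tzinfo=timezone.utc)
    for name in ("www.example.com", "example.com", "a.b.example.com", "example.org"):
        print(name, check_certificate(SAMPLE_CERT, name, during) or "ok")
    print("after expiry:", check_certificate(SAMPLE_CERT, "www.example.com", after))
```

The bare domain `example.com` fails here because the sample lists only `*.example.com`; a wildcard certificate that should also serve the apex needs `example.com` as its own SAN entry.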
How to get an SSL certificate
The fastest way — free, no installation required:
- Go to GetHTTPS
- Enter your domain name
- Complete domain verification (HTTP-01 or DNS-01)
- Download your certificate files
- Install on your server (Nginx, Apache, cPanel, others)
GetHTTPS generates your private key in your browser using the Web Crypto API — it never leaves your device.
Key vs Certificate — the difference
People often confuse these:
| File | What it is | Keep secret? |
|---|---|---|
| Private key (privkey.pem) | Secret key that stays on your server. Decrypts incoming data. | Yes — never share |
| Certificate (cert.pem) | Public file sent to every visitor. Contains your public key + CA signature. | No — it’s public by design |
| Chain (chain.pem) | Intermediate CA certificate. Connects your cert to the root CA. | No |
| Fullchain (fullchain.pem) | cert + chain combined. Most servers need this. | No |
| CSR | Temporary request file. Sent to the CA to request a certificate. | Discard after issuance |
SSL certificate cost
| Provider | Cost | Certificate type |
|---|---|---|
| Let’s Encrypt (via GetHTTPS) | Free | DV (same encryption as paid) |
| Buypass Go | Free | DV, 180-day validity |
| Sectigo / Comodo | $50-200/year | DV, OV, EV |
| DigiCert | $200-500/year | DV, OV, EV |
| GlobalSign | $100-400/year | DV, OV, EV |
Free certificates provide the same encryption as paid ones.
Common misconceptions
“SSL certificates encrypt data.” Not exactly. The certificate enables encryption by providing the public key and proving the server’s identity. The actual encryption is done by the TLS protocol using a session key negotiated during the handshake.
“More expensive = more secure.” No. All certificates use the same TLS encryption regardless of price. A free Let’s Encrypt certificate provides identical cryptographic security to a $500 EV certificate.
“My site doesn’t need SSL.” Every site needs it. Without SSL, browsers show “Not Secure,” Google ranks you lower, and HTTP pages can be modified in transit. Chrome 154 (October 2026) will make HTTPS-First the default — HTTP sites will require explicit user permission to load.
Frequently asked questions
How long does an SSL certificate last?
Let’s Encrypt: 90 days. Paid certificates: up to 1 year (shrinking to 47 days by 2029). Certificates must be renewed before expiry or your site shows security warnings.
Can I get an SSL certificate for free?
Yes. Let’s Encrypt issues free DV certificates — the same encryption as paid options. Over 300 million websites use them. Get one in 5 minutes with GetHTTPS.
Do I need a separate certificate for each domain?
Not necessarily. A wildcard certificate covers all subdomains (*.example.com). A SAN/multi-domain certificate covers multiple different domains. You can combine up to 100 domains in one Let’s Encrypt certificate.
What happens if my SSL certificate expires?
Browsers show a full-page security warning blocking visitors. Search engines may de-index your pages.
Is a free SSL certificate safe for e-commerce?
Yes. PCI DSS requires encryption, not a specific certificate type. A free DV certificate meets the requirement. Your payment processor (Stripe, PayPal) handles the sensitive card data.
What’s the difference between SSL and HTTPS?
HTTPS is the result of applying TLS/SSL encryption to HTTP connections. The SSL certificate is what makes HTTPS possible — it provides the public key and identity proof that the TLS handshake requires.