TLS vs SSL: What's the Difference?

  • SSL: Secure Sockets Layer (1995)—deprecated, has known vulnerabilities
  • TLS: Transport Layer Security (1999)—SSL's successor, what we actually use today
  • HTTPS: HTTP + TLS = encrypted web traffic. The padlock means TLS is active
  • Fun fact: Everyone says 'SSL certificate' but they mean TLS. SSL 3.0 was disabled in 2015

Certificate Fields Explained

  • Subject (CN): Who the cert is issued TO—usually the domain name (example.com)
  • Issuer: Who SIGNED the cert—the Certificate Authority (Let's Encrypt, DigiCert, etc.)
  • SANs: Subject Alternative Names—additional domains covered (www, api, mail subdomains)
  • Valid From/To: The cert's lifespan. Max is now 398 days (browsers enforce this)
  • Serial Number: Unique ID from the CA—used for revocation tracking

Certificate Types

  • DV (Domain): Proves you control the domain. Cheapest, fastest (Let's Encrypt = free!)
  • OV (Organization): Verifies the company exists. Shows org name in cert details
  • EV (Extended): Rigorous vetting process. Used to show green bar (browsers removed this)
  • Wildcard: *.example.com covers all subdomains (but not sub-subdomains)
  • Multi-domain: One cert for multiple unrelated domains via SANs

Common Certificate Errors

  • ERR_CERT_DATE_INVALID → Certificate expired or not yet valid (check server time!)
  • ERR_CERT_COMMON_NAME_INVALID → Domain doesn't match CN or SANs
  • ERR_CERT_AUTHORITY_INVALID → Self-signed or unknown CA (missing intermediate cert?)
  • ERR_CERT_REVOKED → CA revoked this cert (compromised key, mis-issuance)
  • NET_ERR_CERT_WEAK_KEY → RSA key too short (need 2048+ bits since 2013)

The Certificate Chain

  • Your cert → Intermediate CA → Root CA (trust anchor in browser/OS)
  • Servers must send the full chain (except root)—missing intermediates break mobile!
  • Root CAs are pre-installed in browsers (about 150 trusted roots exist)
  • Certificate Transparency: All certs are logged publicly (crt.sh lets you search them)

Key Algorithms in 2024

  • RSA 2048: Still common, minimum acceptable size, being phased out
  • RSA 4096: More secure but slower handshakes—overkill for most sites
  • ECDSA P-256: Smaller keys, faster than RSA, now the default choice
  • Ed25519: Even faster, gaining support, not yet universal

Let's Encrypt Changed Everything

  • Launched 2015: Free, automated, open Certificate Authority
  • Issues 400+ million active certificates (50%+ of the web)
  • 90-day certs encourage automation (certbot auto-renews)
  • Killed the $100+/year certificate industry for basic DV certs
  • Founded by EFF, Mozilla, and others to encrypt the entire web

CLI Commands for Certificates

  • openssl s_client -connect example.com:443 → Fetch cert from live server
  • openssl x509 -in cert.pem -text -noout → Decode local PEM file
  • openssl verify -CAfile ca.pem cert.pem → Verify chain
  • curl -vI https://example.com 2>&1 | grep -A6 'Server certificate' → Quick check