SSL Certificates Explained: Types, Installation and Troubleshooting

March 31, 2026 · 12 min read

SSL/TLS certificates are the foundation of secure web communication. They encrypt data transmitted between browsers and servers, authenticate website identity, and have become essential for SEO rankings and user trust. If you've ever seen a padlock icon in your browser's address bar, you've encountered an SSL certificate in action.

This comprehensive guide covers everything you need to know about SSL certificates—from understanding the different types to installation, troubleshooting, and maintenance. Whether you're securing your first website or managing enterprise infrastructure, you'll find practical insights and actionable solutions here.

What Is an SSL Certificate?

An SSL (Secure Sockets Layer) certificate is a digital document that binds a cryptographic key pair to a domain name or organization. Despite the name, modern certificates actually use the TLS (Transport Layer Security) protocol—SSL's successor—but the term "SSL certificate" remains widely used.

At its core, an SSL certificate serves three critical functions:

• Encryption: Scrambles data so only the intended recipient can read it
• Authentication: Proves the website is who it claims to be
• Data Integrity: Ensures data hasn't been tampered with during transmission

When you visit a website with HTTPS (the "S" stands for Secure), your browser performs a TLS handshake with the server. During this process, the browser verifies that the certificate is valid, issued by a trusted Certificate Authority (CA), matches the domain you're visiting, and hasn't expired.

Without a valid SSL certificate, browsers display prominent "Not Secure" warnings that can drive visitors away. Modern browsers also restrict powerful features—like geolocation, camera access, and service workers—to HTTPS-only contexts for security reasons.

How SSL/TLS Encryption Works

Understanding the TLS handshake process helps demystify how SSL certificates protect your data. Here's what happens in the milliseconds after you request a secure webpage:

1. Client Hello: Your browser sends supported TLS versions and cipher suites to the server
2. Server Hello: The server responds with its chosen protocol version and cipher suite
3. Certificate Transmission: The server sends its SSL certificate and public key
4. Certificate Verification: Your browser validates the certificate against trusted CAs
5. Key Exchange: Both parties establish a shared session key using asymmetric encryption
6. Secure Communication: All subsequent data is encrypted with symmetric encryption using the session key

This process uses two types of encryption. Asymmetric encryption (public/private key pairs) secures the initial handshake, while symmetric encryption (shared session key) handles the actual data transfer because it's much faster.

The certificate itself contains several key pieces of information:

• Domain name(s) the certificate is valid for
• Organization details (for OV and EV certificates)
• Public key
• Issuing Certificate Authority
• Validity period (issue and expiration dates)
• Digital signature from the CA

Your browser maintains a list of trusted root CAs. When it receives a certificate, it verifies the CA's digital signature to ensure the certificate is legitimate and hasn't been tampered with.

Certificate Types: DV, OV, and EV

SSL certificates come in three validation levels, each offering the same encryption strength but different levels of identity verification. Choosing the right type depends on your website's purpose and your visitors' expectations.

Domain Validation (DV) Certificates

DV certificates verify only that you control the domain. The CA confirms ownership by checking DNS records or requiring you to upload a specific file to your web server. This process is fully automated and typically completes within minutes.

Best for: Blogs, personal websites, small business sites, development environments

Advantages:

• Issued in minutes, often instantly
• Fully automated issuance and renewal
• Free options available (Let's Encrypt)
• Same encryption strength as OV/EV

Limitations:

• No organization identity verification
• Certificate details show only the domain name
• May not inspire confidence for e-commerce sites

Organization Validation (OV) Certificates

OV certificates verify both domain control and organization legitimacy. The CA conducts business verification, checking government databases and contacting the organization directly. This process typically takes 1-3 business days.

Best for: Business websites, corporate sites, organizations wanting to display verified identity

Advantages:

• Organization name appears in certificate details
• Provides identity assurance to visitors
• Suitable for business-to-business transactions

Limitations:

• Requires manual verification process
• Costs more than DV certificates
• Takes longer to issue

Extended Validation (EV) Certificates

EV certificates require the most rigorous verification process, including legal, physical, and operational existence checks. The CA verifies the organization's legal status, physical address, and that the person requesting the certificate has authority to do so.

Best for: Financial institutions, e-commerce platforms, government sites, high-security applications

Advantages:

• Highest level of identity assurance
• Demonstrates commitment to security
• May reduce fraud and increase customer confidence

Limitations:

• Most expensive option
• Verification takes 1-2 weeks
• Browsers removed the green address bar indicator in 2019
• Requires annual re-verification

Let's Encrypt: Free SSL for Everyone

Let's Encrypt revolutionized web security by offering free, automated SSL certificates trusted by all major browsers. Launched in 2016 by the Internet Security Research Group (ISRG), it has issued over 3 billion certificates and helped encrypt more than 300 million websites.

The project's mission is simple: make HTTPS the default for the entire web by removing cost and complexity barriers. Let's Encrypt certificates are DV certificates with 90-day validity periods, designed specifically for automation.

Why 90 Days?

The short validity period might seem inconvenient, but it's actually a security feature:

• Limits exposure: If a private key is compromised, the window of vulnerability is shorter
• Encourages automation: Forces best practices around automated renewal
• Reduces impact of revocation: Certificates expire quickly anyway, reducing reliance on revocation checking

Setting Up Let's Encrypt with Certbot

Certbot is the official Let's Encrypt client that automates certificate issuance and renewal. Here's how to set it up on common platforms:

For Nginx on Ubuntu/Debian:

sudo apt update
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

For Apache on Ubuntu/Debian:

sudo apt update
sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d example.com -d www.example.com

Certbot will automatically:

1. Verify domain ownership via HTTP-01 or DNS-01 challenge
2. Generate a private key and certificate signing request (CSR)
3. Obtain the certificate from Let's Encrypt
4. Install the certificate in your web server configuration
5. Set up automatic renewal via cron or systemd timer

Alternative ACME Clients

While Certbot is the most popular, other ACME (Automatic Certificate Management Environment) clients offer different features:

• acme.sh: Lightweight shell script, minimal dependencies
• Caddy: Web server with automatic HTTPS built-in
• Traefik: Reverse proxy with automatic Let's Encrypt integration
• cert-manager: Kubernetes-native certificate management

Wildcard Certificates

Let's Encrypt supports wildcard certificates (e.g., *.example.com) that cover all subdomains. These require DNS-01 validation, where you add a TXT record to your DNS zone:

sudo certbot certonly --manual --preferred-challenges dns -d *.example.com

For automated wildcard renewals, use a DNS plugin that integrates with your DNS provider:

sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d *.example.com

Installing SSL Certificates

Installing an SSL certificate varies by web server and hosting environment. Here are detailed instructions for the most common scenarios.

Manual Installation on Nginx

If you're using a commercial certificate or need manual installation, follow these steps:

1. Obtain your certificate files: You'll receive a certificate file (certificate.crt), intermediate certificates (ca_bundle.crt), and you'll have your private key (private.key)
2. Combine certificate and intermediate certificates:

cat certificate.crt ca_bundle.crt > fullchain.pem

3. Update your Nginx configuration:

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/private.key;
    
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    
    # Additional security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Your site configuration...
}

4. Test and reload:

sudo nginx -t
sudo systemctl reload nginx

Manual Installation on Apache

For Apache servers, the process is similar:

1. Enable SSL module:

sudo a2enmod ssl
sudo a2ensite default-ssl

2. Update your virtual host configuration:

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/certificate.crt
    SSLCertificateKeyFile /etc/apache2/ssl/private.key
    SSLCertificateChainFile /etc/apache2/ssl/ca_bundle.crt
    
    # Your site configuration...
</VirtualHost>

3. Test and restart:

sudo apachectl configtest
sudo systemctl restart apache2

Cloud Platform Installation

Major cloud providers offer managed SSL certificate services:

AWS Certificate Manager (ACM): Free certificates for AWS resources (CloudFront, ALB, API Gateway). Automatic renewal, no manual installation required.

Google Cloud Load Balancing: Managed certificates with automatic provisioning and renewal. Configure through the GCP Console or gcloud CLI.

Azure App Service: Free managed certificates or bring your own. Automatic binding and renewal for App Service domains.

Fixing Mixed Content Issues

After installing an SSL certificate, you might encounter mixed content warnings. This occurs when an HTTPS page loads resources (images, scripts, stylesheets) over HTTP. Browsers treat this as a security risk because unencrypted resources can be intercepted or modified.

Types of Mixed Content

Active Mixed Content: Scripts, stylesheets, iframes, and other resources that can alter page behavior. Browsers block these entirely, breaking functionality.

Passive Mixed Content: Images, audio, and video. Modern browsers display warnings but may still load these resources.

Identifying Mixed Content

Use your browser's developer console to find mixed content warnings:

1. Open DevTools (F12 or Cmd+Option+I)
2. Check the Console tab for warnings like "Mixed Content: The page at 'https://example.com' was loaded over HTTPS, but requested an insecure resource"
3. Use the Network tab to filter by "http://" requests

You can also use our SSL Checker to scan for mixed content issues automatically.

Common Fixes

1. Update hardcoded URLs:

Search your codebase for http:// references and update them to https://:

grep -r "http://" /path/to/your/site

2. Use protocol-relative URLs:

For external resources, use protocol-relative URLs that inherit the page's protocol:

<!-- Instead of -->
<script src="http://example.com/script.js"></script>

<!-- Use -->
<script src="//example.com/script.js"></script>

3. Update database content:

For WordPress sites, use a plugin like Better Search Replace or run SQL queries:

UPDATE wp_posts 
SET post_content = REPLACE(post_content, 'http://example.com', 'https://example.com');

4. Configure CDN for HTTPS:

Ensure your CDN serves content over HTTPS. Most CDNs (Cloudflare, CloudFront, Fastly) support HTTPS by default.

5. Implement Content Security Policy:

Use CSP headers to upgrade insecure requests automatically:

Content-Security-Policy: upgrade-insecure-requests;

Add this to your web server configuration or as a meta tag:

<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">

Third-Party Content Issues

If third-party services don't support HTTPS:

• Contact the provider and request HTTPS support
• Find an alternative service that supports HTTPS
• Use a proxy service to serve the content over HTTPS
• Remove the resource if it's not critical

Certificate Renewal and Expiration

SSL certificates don't last forever. Proper renewal management is critical—an expired certificate effectively takes your site offline, displaying scary browser warnings that drive away visitors.

Certificate Validity Periods

Let's Encrypt: 90-day validity, designed for automated renewal. Certbot automatically renews certificates when they have 30 days or less remaining.

Commercial Certificates: Maximum 398 days (approximately 13 months) since September 2020. Previously, certificates could be valid for up to 3 years, but the industry moved to shorter periods for security reasons.

Automated Renewal with Certbot

Certbot installs a systemd timer or cron job that runs twice daily to check for expiring certificates:

Check renewal timer status:

sudo systemctl status certbot.timer

View cron job:

sudo cat /etc/cron.d/certbot

Test renewal process:

sudo certbot renew --dry-run

Force renewal (if needed):

sudo certbot renew --force-renewal

Monitoring Certificate Expiration

Set up monitoring to alert you before certificates expire. Recommended alert thresholds:

• 30 days: First warning, time to investigate if auto-renewal isn't working
• 14 days: Urgent warning, manual intervention may be needed
• 7 days: Critical alert, immediate action required

Use monitoring tools like:

• SSL Labs: Free monitoring service with email alerts
• Uptime Robot: Monitors SSL expiration along with uptime
• Prometheus + Alertmanager: Self-hosted monitoring with blackbox_exporter
• CloudWatch (AWS): Built-in monitoring for ACM certificates

You can also check expiration dates manually with OpenSSL:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Common Renewal Failures

Port 80 blocked: HTTP-01 validation requires port 80 to be accessible. Ensure firewall rules allow inbound traffic.

Web server misconfiguration: Certbot needs to place validation files in .well-known/acme-challenge/. Check that this path isn't blocked by your configuration.

DNS issues: For DNS-01 validation, ensure DNS records are properly configured and propagated.

Rate limits: Let's Encrypt has rate limits (50 certificates per registered domain per week). Avoid unnecessary renewal attempts.

Renewal Best Practices

• Test renewal automation immediately after initial setup
• Monitor renewal logs regularly: sudo cat /var/log/letsencrypt/letsencrypt.log
• Set up email notifications for renewal failures
• Document your renewal process for team members
• Keep Certbot updated: sudo apt update && sudo apt upgrade certbot
• Have a backup plan for manual renewal if automation fails

Common SSL Problems and Solutions

Even with proper setup, SSL issues can arise. Here are the most common problems and how to fix them.

Certificate Name Mismatch

Error: "The certificate is only valid for [domain]"

Cause: The certificate's Common Name (CN) or Subject Alternative Names (SAN) don't match the domain you're accessing.

Solutions:

• Ensure you requested the certificate for the correct domain(s)
• Include both example.com and www.example.com in your certificate
• Use a wildcard certificate for multiple subdomains
• Check that your DNS points to the correct server

Certificate Chain Issues

Error: "Unable to verify the first certificate" or "Certificate chain incomplete"

Cause: