Back to Blog
Security

SSL Certificates Explained Without the Jargon

By Kunal KhatriMar 7, 2026
SSL Certificates Explained Without the Jargon

An SSL certificate (technically a TLS certificate — SSL was deprecated years ago, but the name stuck) is a digital document that proves a server's identity and enables encrypted connections. When your browser connects to an HTTPS site, the server presents its certificate and your browser decides whether to trust it. The mechanism for making that decision is a surprisingly complex chain of trust.

What a Certificate Contains

A certificate includes the domain name it's valid for, the organisation it was issued to (for OV and EV certificates), the issuing Certificate Authority, the validity period (typically 1 year), and a public key. When your browser connects to the server, it uses this public key to verify the server's identity and establish encryption. The private key never leaves the server.

The Certificate Authority System

Certificate Authorities (CAs) are organisations trusted to verify domain ownership and issue certificates. Your browser and OS ship with a list of trusted root CAs — about 150 of them. A certificate signed by any of these CAs (or by an intermediate CA they've authorised) is trusted by your browser.

This system has a critical weakness: if any trusted CA is compromised or behaves maliciously, it can issue fraudulent certificates for any domain. DigiNotar, a Dutch CA, was compromised in 2011 and issued fake certificates for Google, Mozilla, and others. It was removed from the trusted list and went bankrupt within weeks. The incident exposed how fragile the CA trust model is.

Certificate Transparency

Certificate Transparency is a requirement (since 2018 for Chrome) that all publicly trusted certificates be logged in public, append-only logs. This means any certificate issued for your domain — including fraudulent ones — is publicly visible. Domain owners can monitor CT logs for unauthorized certificates. It doesn't prevent bad certificates from being issued, but it makes them impossible to hide.

The transparency requirement has actually worked. CT logs have caught several misissuance incidents early, allowing fraudulent certificates to be revoked before significant abuse occurred. Not a perfect system, but meaningfully better than what existed before.

Let's Encrypt Changed Everything

Before Let's Encrypt launched in 2015, DV certificates cost money — typically $50-300 per year per domain. Let's Encrypt made them free, automated, and renewable every 90 days. HTTPS adoption went from around 40% of web traffic in 2015 to over 85% by 2021. The barrier to encrypting web traffic effectively dropped to zero, which is a clear win for web security.

Certificate Pinning: The Aggressive Defence

Certificate pinning is a technique where an application rejects any certificate except the specific one (or set of ones) it was programmed to accept. Rather than trusting the entire CA system, a pinned application trusts only its own server's certificate. If someone intercepts traffic with a different certificate — even a legitimately CA-signed one — the connection fails. Mobile apps in finance and healthcare commonly implement this.

The downside is operational. If a pinned certificate expires or needs to be rotated, every version of the app that pins the old certificate stops working until users update. Google removed HTTP Public Key Pinning (HPKP) from Chrome in 2018 after several high-profile cases where websites misconfigured it and accidentally locked themselves out of HTTPS for months. The protection is real. The operational risk is also real. Most sites rely on the CA trust system rather than pinning.

Check IP Security and Reputation

See whether your server IP has any flags in security and blacklist databases.

Run Security Check
KK

About Kunal Khatri

Kunal is a network security specialist and systems administrator with 8+ years of experience auditing secure connections and building network infrastructure.

Share this article: