SSL Certificates Explained Without the Jargon
An SSL certificate (technically a TLS certificate — SSL was deprecated years ago, but the name stuck) is a digital document that proves a server's identity and enables encrypted connections. When your browser connects to an HTTPS site, the server presents its certificate and your browser decides whether to trust it. The mechanism for making that decision is a surprisingly complex chain of trust.
What a Certificate Contains
A certificate includes the domain name it's valid for, the organisation it was issued to (for OV and EV certificates), the issuing Certificate Authority, the validity period (typically 1 year), and a public key. When your browser connects to the server, it uses this public key to verify the server's identity and establish encryption. The private key never leaves the server.
The Certificate Authority System
Certificate Authorities (CAs) are organisations trusted to verify domain ownership and issue certificates. Your browser and OS ship with a list of trusted root CAs — about 150 of them. A certificate signed by any of these CAs (or by an intermediate CA they've authorised) is trusted by your browser.
This system has a critical weakness: if any trusted CA is compromised or behaves maliciously, it can issue fraudulent certificates for any domain. DigiNotar, a Dutch CA, was compromised in 2011 and issued fake certificates for Google, Mozilla, and others. It was removed from the trusted list and went bankrupt within weeks. The incident exposed how fragile the CA trust model is.
Certificate Transparency
Certificate Transparency is a requirement (since 2018 for Chrome) that all publicly trusted certificates be logged in public, append-only logs. This means any certificate issued for your domain — including fraudulent ones — is publicly visible. Domain owners can monitor CT logs for unauthorized certificates. It doesn't prevent bad certificates from being issued, but it makes them impossible to hide.
CT logs have caught several misissuance incidents early, allowing fraudulent certificates to be revoked before significant abuse occurred. The transparency requirement has meaningfully improved the overall health of the CA ecosystem.
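A minimal sketch of the monitoring described above, added as an illustration and not part of the original article: it scans CT search results for certificates that cover a watched domain and flags any whose issuer organisation is not on the owner's allowlist. The record layout, field names, CA names and sample entries are constructed assumptions.

```python
# Constructed sample records (not real CT log data); field names are assumed.
SAMPLE_ENTRIES = [
    {"id": 1, "issuer": "C=US, O=Let's Encrypt, CN=R3",
     "names": ["example.com", "www.example.com"]},
    {"id": 2, "issuer": "C=XX, O=Unexpected CA Ltd, CN=Unexpected Issuing CA",
     "names": ["login.example.com"]},
    {"id": 3, "issuer": "C=XX, O=Unexpected CA Ltd, CN=Unexpected Issuing CA",
     "names": ["example.com.other.test", "notexample.com"]},  # look-alikes only
    {"id": 4, "issuer": "C=XX, O=Another CA, CN=Another CA G1",
     "names": ["*.EXAMPLE.com."]},  # wildcard, mixed case, trailing dot
]


def covers_domain(name, domain):
    """True if name is the watched domain, a subdomain of it, or a wildcard under it."""
    name = name.strip().lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    # Match on a label boundary so "notexample.com" and
    # "example.com.other.test" are not mistaken for the watched domain.
    return name == domain or name.endswith("." + domain)


def issuer_org(issuer):
    """Return the O= value of a simple comma-separated issuer string.

    Naive split: an organisation name containing a comma would need a real
    distinguished-name parser.
    """
    for part in issuer.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "O":
            return value.strip()
    return ""


def unexpected_certificates(entries, domain, allowed_orgs):
    """List (id, matching names, issuer) for certs from issuers not on the allowlist."""
    allowed = {org.lower() for org in allowed_orgs}
    findings = []
    for entry in entries:
        matched = [n for n in entry["names"] if covers_domain(n, domain)]
        if matched and issuer_org(entry["issuer"]).lower() not in allowed:
            findings.append((entry["id"], matched, entry["issuer"]))
    return findings


if __name__ == "__main__":
    for finding in unexpected_certificates(SAMPLE_ENTRIES, "example.com", ["Let's Encrypt"]):
        print("Unexpected certificate:", finding)
```

Each finding is a prompt to confirm with whoever manages the domain's certificates and, if the certificate was not requested, to ask the issuing CA to revoke it.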
Let's Encrypt Changed Everything
Before Let's Encrypt launched in 2015, DV certificates cost money — typically $50-300 per year per domain. Let's Encrypt made them free, automated, and renewable every 90 days. HTTPS adoption went from around 40% of web traffic in 2015 to over 85% by 2021. The barrier to encrypting web traffic effectively dropped to zero, which is a clear win for web security.