Frequently Asked Questions About SSL/TLS Certificates

What is an SSL certificate?

An SSL certificate is a digital certificate that identifies a server and carries its public key; the SSL (Secure Sockets Layer) protocol uses it to provide secure communication between a user and a server. The modern standard is TLS (Transport Layer Security), but "SSL" is still used as a term.

Why do I need an SSL certificate?

SSL certificates encrypt data, protect against man-in-the-middle attacks, build user trust, and positively affect SEO (search engines prefer HTTPS).

What does an SSL certificate contain?

A certificate contains:
  • Owner information (CN, organization, country)
  • Expiration date
  • Serial number
  • Public key
  • Digital signature of the Certificate Authority (CA)

What are the types of SSL certificates?

Certificates are classified by validation level:
  • DV (Domain Validation) — only domain ownership is verified.
  • OV (Organization Validation) — organization and domain are verified.
  • EV (Extended Validation) — strictest validation, shows a green bar in some browsers.
And by coverage:
  • Single-domain — covers one domain.
  • Wildcard — covers one domain and all its subdomains.
  • Multi-domain (SAN) — one certificate for multiple domains.

When should I use DV, OV, or EV certificates?

DV — for blogs, personal sites, MVPs.
OV — for business sites that need organizational identity.
EV — for banks, government, and financial institutions.

What are common SSL certificate and key file formats?

SSL certificates and keys come in several file formats, each suited to specific use cases:
  • .PEM (Privacy-Enhanced Mail) — Base64 encoded ASCII files. Commonly used in Linux/Apache/OpenSSL. Extensions: .pem, .crt, .cer, .key.
  • .DER (Distinguished Encoding Rules) — Binary format of a certificate, mostly used in Java platforms. Extension: .der.
  • .PFX/.P12 (PKCS#12) — Binary format that stores certificate, intermediate CAs, and private key in one encrypted file. Used in Windows/IIS. Extensions: .pfx, .p12.
  • .CRT/.CER — Usually PEM or DER encoded certificate file (no private key). Interchangeable depending on encoding.
  • .KEY — Contains the private key, often in PEM format. Should be kept secure and never shared.
When to use which:
  • Use .PEM for Apache, Nginx, HAProxy, and most Linux-based services.
  • Use .PFX for Windows environments like IIS and for importing into Windows Certificate Store.
  • Use .DER if required by Java-based applications (e.g., Tomcat with keytool).

What is OpenSSL?

OpenSSL is an open-source library that implements SSL and TLS protocols. It is used to create certificates, generate keys, create Certificate Signing Requests (CSR), verify certificates, and more.

How does HTTPS/SSL work?

HTTPS uses SSL/TLS to establish a secure connection. When connecting, the browser checks the server’s certificate, initiates a TLS handshake, and establishes an encrypted channel for communication.

Common errors and how to fix them

Java: javax.net.ssl.SSLHandshakeException — make sure the certificate is in the truststore: keytool -import -trustcacerts -file cert.pem -keystore cacerts
Node.js: Error: self signed certificate — set rejectUnauthorized: false (not recommended in production)
Python: SSL: CERTIFICATE_VERIFY_FAILED — use requests.get(url, verify=False) or install the CA cert
Android: NetworkSecurityPolicy — configure network_security_config.xml
Windows: Import the certificate into “Trusted Root Certification Authorities” via certmgr.msc

How to get a free SSL certificate?

You can get a free SSL certificate from Let’s Encrypt, a nonprofit Certificate Authority. Use tools like Certbot to automatically obtain and renew certificates. Alternatives include ZeroSSL and Buypass.

How to install SSL on Nginx / Apache?

For Nginx:
ssl_certificate /etc/ssl/certs/your_cert.pem;
ssl_certificate_key /etc/ssl/private/your_key.pem;

For Apache:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/your_cert.pem
SSLCertificateKeyFile /etc/ssl/private/your_key.pem

Restart the web server after applying changes.

How to check certificate expiration?

Use OpenSSL:
openssl x509 -in your_cert.pem -noout -enddate

Or check remotely (-servername sends SNI so a host serving several sites returns the right certificate; </dev/null closes the session once the certificate has been received instead of waiting for input):
openssl s_client -connect yoursite.com:443 -servername yoursite.com </dev/null 2>/dev/null | openssl x509 -noout -enddate

What is a certificate chain?

A certificate chain is a hierarchy from your server certificate to the root CA, often including intermediate CAs. It ensures trust by linking your certificate to a trusted root.

How to generate a Certificate Signing Request (CSR)?

Use OpenSSL:
openssl req -new -newkey rsa:2048 -nodes -keyout your.key -out your.csr

This creates a private key and a Certificate Signing Request (CSR) to be sent to a Certificate Authority.

How to redirect HTTP to HTTPS?

Nginx:
server {
  listen 80;
  return 301 https://$host$request_uri;
}

Apache (.htaccess):
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

How to use certificates in Docker / Kubernetes?

Docker: Mount certificates using volumes:
docker run -v /local/certs:/etc/ssl cert-based-image

Kubernetes: Use secrets:
kubectl create secret tls my-cert --cert=cert.pem --key=key.pem

Then mount the secret in a pod and configure the container to use the path.

How to fix ERR_CERT_COMMON_NAME_INVALID?

This error means the certificate’s Common Name (CN) or Subject Alternative Name (SAN) does not match the domain name.
  • Ensure the domain name used matches exactly the CN or SAN in the certificate.
  • Use wildcard certificates or SANs to cover subdomains.
  • Regenerate the certificate with the correct domain if needed.
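The matching rules behind this error, as an added Python example that is not part of the original FAQ: it takes a certificate in the dict shape Python's ssl.SSLSocket.getpeercert() returns (the SAMPLE_CERT below is constructed, not a real certificate) and reports whether a hostname is covered, applying the SAN-over-CN precedence and the single-label wildcard rule that browsers use.

```python
"""Hostname check of the kind behind ERR_CERT_COMMON_NAME_INVALID (added example).
Takes a certificate in the dict shape ssl.SSLSocket.getpeercert() returns.
Rules: a hostname must match a DNS entry in the Subject Alternative Name (SAN);
the Common Name counts only if there is no SAN; a wildcard is only valid as the
whole leftmost label and matches exactly one label."""
import ipaddress


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, case-insensitively."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the entire leftmost label, must leave at least two fixed
    # labels (so "*.com" is rejected) and never spans a label boundary.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if the certificate is valid for this hostname or IP literal."""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal matches only an iPAddress SAN entry, never the CN or a DNS name.
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if san:
        # Once a SAN extension exists the CN is ignored entirely.
        return any(_name_match(n, hostname) for n in dns_names)
    # Legacy fallback for certificates without SAN: use the subject's commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_name_match(cn, hostname) for cn in cns)


# Constructed sample in getpeercert() shape: CN plus a SAN with a wildcard and an IP.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"),
                       ("IP Address", "203.0.113.10")),
}

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "a.b.example.com", "example.org"):
        print(host, "ok" if hostname_matches(SAMPLE_CERT, host) else "ERR_CERT_COMMON_NAME_INVALID")
```

Note that a.b.example.com fails against *.example.com because the wildcard covers one label only, which is why a second-level subdomain needs its own SAN entry.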

How to create a self-signed certificate?

Use OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem

How to renew an SSL certificate?

You cannot extend an expired certificate; you must generate a new one, sign it, and reinstall it. Some ACME clients like Certbot handle this automatically.