DEV Community

Azad Shukor

Understanding SSL/TLS Certificates

The Name Game: SSL vs TLS

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are often used interchangeably, but here's the reality: SSL is dead. It hasn't been updated since 1996 and is riddled with security vulnerabilities. Everything we use today is actually TLS.

So why do we still hear "SSL" everywhere? Simple—it was the first name people learned, so the industry stuck with it for marketing. When you purchase an "SSL Certificate" today, you're actually getting a certificate that enables TLS.

What Does TLS Actually Do?

Think of TLS as a secure tunnel between two computers. When you click "Proceed to Payment" on a website, TLS creates an encrypted tunnel to transmit your payment information to the payment processor (like Visa or Stripe). Without TLS, anyone could intercept and read that data.

The Trust Problem: Certificate Authorities

Here's the million-dollar question: how do you know the tunnel is actually secure and going to the right place? You need someone to verify the certificate's legitimacy—kind of like an immigration officer checking your passport at the border.

In the TLS world, these "immigration officers" are called Certificate Authorities (CAs). Popular CAs include:

  • Let's Encrypt
  • Google Trust Services
  • Cloudflare
  • DigiCert
  • GoDaddy

How It Works: The Certificate Process

Step 1: Generate the Certificate Signing Request (CSR)

First, you generate a private key and a certificate signing request locally or on your server. This creates two files:

# Generate a private key (never leaves the server)
openssl genrsa -out private.key 2048

# Generate a CSR using the private key
# (you will be prompted for the subject; the Common Name should be your domain)
openssl req -new -key private.key -out certificate.csr

This gives you:

  • Private Key (private.key) - Keep this SECRET on your server, never share it
  • Certificate Signing Request (certificate.csr) - Contains your public key and your domain details; send this to the CA

Step 2: CA Verification

You submit your CSR to a Certificate Authority. They'll verify:

  • Is this a legitimate company?
  • Do you actually own/control this domain?
  • Is the information accurate?

For domain validation, the CA might ask you to:

  • Add a DNS record
  • Upload a specific file to your website
  • Respond to an email sent to your domain

Step 3: Receive the Signed Certificate

After verification, the CA returns a signed certificate with their cryptographic signature. This is your "stamped passport."

# You'll receive something like this
certificate.crt  # Your signed certificate
ca-bundle.crt    # The CA's chain of trust

Step 4: Install on Your Server

Now you configure your server to use both the private key and the signed certificate.

Example for Nginx:

server {
    listen 443 ssl;
    server_name yourdomain.com;

    # Nginx has no separate chain directive: this file must hold your
    # certificate followed by the CA's intermediates (certificate.crt + ca-bundle.crt)
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;

    # Modern TLS configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
}

Example for Apache:

<VirtualHost *:443>
    ServerName yourdomain.com

    SSLEngine on
    SSLCertificateFile /path/to/certificate.crt
    SSLCertificateKeyFile /path/to/private.key
    # Deprecated since Apache 2.4.8 but still honoured; newer setups append
    # the intermediates to SSLCertificateFile instead
    SSLCertificateChainFile /path/to/ca-bundle.crt
</VirtualHost>
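
The following is an added example, not code from the post: it walks Steps 1 to 3 end to end with openssl, using a throw-away root CA in place of a real one, then runs the two checks worth doing before Step 4: that the signed certificate really belongs to your private key, and that it verifies against the bundle you are about to deploy. It assumes openssl is on PATH; yourdomain.com and the file names come from the post, while "Toy Root CA" and the temp-dir layout are invented here.

```shell
# Added walk-through of Steps 1-3 with a throw-away root CA standing in for a real
# CA, plus the two checks worth running before Step 4. All files are constructed
# in a temp dir; nothing here contacts a real CA.
set -eu
WORK=$(mktemp -d)

# Minimal openssl config so 'req' behaves the same on every system and version.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Step 1 (your server): private key + CSR; -subj replaces the interactive prompt.
make_csr() {
  openssl genrsa -out "$WORK/private.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -key "$WORK/private.key" \
    -subj "/CN=yourdomain.com" -out "$WORK/certificate.csr" 2>/dev/null
}

# The CA side: a self-signed root; its certificate is our "ca-bundle.crt".
make_toy_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Toy Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca-bundle.crt" 2>/dev/null
}

# Step 3: the CA signs the CSR. The SAN is the name browsers actually match on.
sign_csr() {
  printf 'subjectAltName=DNS:yourdomain.com\n' > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/certificate.csr" -CA "$WORK/ca-bundle.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/certificate.crt" 2>/dev/null
}

# Check 1: the certificate must carry the public key of this private key
# (public-key fingerprints work for RSA and EC alike, unlike the modulus trick).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
# Check 2: the certificate must chain to the bundle you will deploy next to it.
chain_is_valid() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
```

Run make_csr, make_toy_ca and sign_csr in that order, then point key_matches_cert and chain_is_valid at the files in $WORK; against a real deployment, pass your own private.key, certificate.crt and ca-bundle.crt to the two check functions.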

The Full Handshake (What Happens Behind the Scenes)

When a user visits your site:

  1. Client Hello: Browser says "Hey, I want to connect securely"
  2. Server Hello: Server responds with its certificate (the one signed by the CA)
  3. Certificate Verification: Browser checks if the certificate is signed by a trusted CA
  4. Key Exchange: They agree on encryption keys for the session
  5. Encrypted Communication: All data flows through the secure tunnel

// This is what happens when you make an HTTPS request
fetch('https://api.example.com/payment', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    cardNumber: '4242424242424242',
    amount: 99.99
  })
});

// TLS encrypts everything in that request body automatically
// Without TLS, anyone on the network could read your card number

Why You Should Care

Without TLS:

  • ❌ Passwords sent in plain text
  • ❌ Credit cards visible to attackers
  • ❌ Session tokens can be stolen
  • ❌ Data can be modified in transit

With TLS:

  • ✅ Everything encrypted between the browser and your server
  • ✅ Authenticity verified by CAs
  • ✅ Protection from man-in-the-middle attacks
  • ✅ That reassuring padlock in the browser

Quick Start with Let's Encrypt (Free!)

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Get a certificate and auto-configure Nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com

# Auto-renewal is set up automatically (systemd timer or cron job)
# Certificates are valid for 90 days

# Confirm the renewal path works without waiting for expiry
sudo certbot renew --dry-run

That's it. You now have TLS up and running, and your users can browse safely through that secure tunnel.
