
SSL/TLS Complete Guide: How HTTPS Actually Encrypts Your Data

12 min read. By KBC Grandcentral Research Team

94% of Google Chrome traffic was encrypted over HTTPS in 2023. Yet most developers can't explain what happens in the 100 milliseconds of a TLS handshake or why a certificate signed by the right authority is trusted by every browser. Here's the full picture — from asymmetric key exchange to the certificate transparency log.

Figure: TLS 1.3 Handshake (simplified), Client and Server. ClientHello (supported ciphers) → ServerHello + Certificate → Key Exchange (Finished) → encrypted data flows. Caption: Every HTTPS Connection Starts Here.

Key Takeaways

  • SSL is effectively dead — TLS 1.2 and 1.3 are the standards; "SSL certificate" is just legacy terminology
  • The handshake establishes a symmetric key — asymmetric crypto (RSA/ECDHE) is only used for the key exchange
  • Certificate chains have 3 levels: root CA → intermediate CA → leaf certificate; roots are in browser/OS trust stores
  • Let's Encrypt issues 90-day certificates free — over 300 million active certificates as of 2024
  • TLS 1.3 is faster: 1-RTT handshake vs 2-RTT for TLS 1.2; 0-RTT resumption for returning connections

SSL vs TLS: Why the Names Are Confusing

Netscape invented SSL (Secure Sockets Layer) in 1995. SSL 3.0 was standardized in 1996 but deprecated in 2015 due to the POODLE vulnerability. The IETF took over the protocol, renamed it TLS (Transport Layer Security), and released TLS 1.0 in 1999. TLS 1.1 and 1.2 followed. TLS 1.3 was finalized in 2018 and is now the standard.

When we say "SSL certificate" today, we mean a TLS certificate. The certificate format (X.509) hasn't changed — only the protocol negotiating how it's used. SSL 3.0, TLS 1.0, and TLS 1.1 are all deprecated by major browsers and should not be used.

Protocol          Status          Notes
SSL 2.0 (1995)    ❌ Broken       Never secure; multiple critical vulnerabilities
SSL 3.0 (1996)    ❌ Deprecated   POODLE attack 2014; RFC 7568 prohibits use
TLS 1.0 (1999)    ❌ Deprecated   BEAST attack; deprecated by RFC 8996 (2021)
TLS 1.1 (2006)    ❌ Deprecated   Deprecated by RFC 8996 (2021)
TLS 1.2 (2008)    ✅ Supported    Still widely used; secure with correct cipher suites
TLS 1.3 (2018)    ✅ Recommended  Faster, more secure; mandatory for new deployments

The Certificate Chain of Trust

When your browser connects to a site, it receives a certificate signed by an intermediate Certificate Authority (CA), which was signed by a root CA. Your operating system and browser ship with a trust store containing ~150 root CA certificates from organizations like DigiCert, Let's Encrypt, Comodo, and Sectigo.

The browser validates the chain: is the leaf certificate signed by the intermediate? Is the intermediate signed by a trusted root? Is the certificate within its validity period? Does the domain match? Is the certificate revoked (checked via OCSP or CRL)? If any step fails, you get a browser warning.

ERR_CERT_AUTHORITY_INVALID

Cause: Certificate signed by an unknown/untrusted root, or self-signed certificate. Fix: Use a certificate from a trusted CA (Let's Encrypt is free). For internal tools, install your internal CA's root cert in the OS/browser trust store.

ERR_CERT_DATE_INVALID

Cause: Certificate expired or not yet valid. Fix: Renew the certificate. Let's Encrypt's certbot can auto-renew via a cron job. 90-day certificates force you to automate this — which is actually the point.
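The browser's checklist from the chain-of-trust section, together with the two certificate errors just described, exercised end to end. This is an added example written in Go against the standard library only; it is not code from the original article. It issues a constructed root → intermediate → leaf hierarchy for the made-up hostname app.example.test, runs the same validation a browser performs (signature chain up to a root in the trust store, validity period, hostname match; revocation checking is not included) and maps each failure to the Chrome error name. The CA names, hostname, serial numbers and validity windows are all invented for the example, and an empty CertPool stands in for the OS/browser trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// leafHost is a constructed hostname for the example; nothing here touches the network.
const leafHost = "app.example.test"

// chain is what a browser sees: root (from the trust store) -> intermediate -> leaf, plus the leaf's key.
type chain struct {
	root, inter, leaf *x509.Certificate
	leafKey           *ecdsa.PrivateKey
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and signs tmpl with the parent's key (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { // a root CA signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// caTemplate describes a CA certificate valid for one day; basicConstraints CA:TRUE lets it sign others.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// buildChain issues a root, an intermediate and a server leaf for leafHost with the given validity window.
func buildChain(leafNotBefore, leafNotAfter time.Time) chain {
	root, rootKey := issue(caTemplate("Example Root CA", 1), nil, nil)
	inter, interKey := issue(caTemplate("Example Intermediate CA", 2), root, rootKey)
	leaf, leafKey := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafHost},
		DNSNames:  []string{leafHost}, // browsers match the host against the SAN list, not the CN
		NotBefore: leafNotBefore, NotAfter: leafNotAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	return chain{root, inter, leaf, leafKey}
}

// verify runs the browser's checklist (signature chain up to a root in the trust store, validity window,
// hostname) and maps a failure to the Chrome error name; "" means the chain is valid.
func verify(c chain, trustStore *x509.CertPool, host string) string {
	inters := x509.NewCertPool()
	inters.AddCert(c.inter) // the server sends the intermediate; only the root comes from the trust store
	_, err := c.leaf.Verify(x509.VerifyOptions{Roots: trustStore, Intermediates: inters, DNSName: host})
	var unknownCA x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	var hostname x509.HostnameError
	switch {
	case err == nil:
		return ""
	case errors.As(err, &unknownCA):
		return "ERR_CERT_AUTHORITY_INVALID"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired: // Go also uses Expired for "not yet valid"
		return "ERR_CERT_DATE_INVALID"
	case errors.As(err, &hostname):
		return "ERR_CERT_COMMON_NAME_INVALID" // Chrome's name for a hostname mismatch
	}
	return err.Error()
}

func main() {
	trusted := x509.NewCertPool() // stands in for the OS/browser root store
	good := buildChain(time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour))
	expired := buildChain(time.Now().Add(-48*time.Hour), time.Now().Add(-24*time.Hour))
	trusted.AddCert(good.root)
	trusted.AddCert(expired.root)
	fmt.Printf("valid chain:        %q\n", verify(good, trusted, leafHost))
	fmt.Println("root not trusted:  ", verify(good, x509.NewCertPool(), leafHost))
	fmt.Println("hostname mismatch: ", verify(good, trusted, "other.example.test"))
	fmt.Println("expired leaf:      ", verify(expired, trusted, leafHost))
}
```

Run it with go run. Two details matter in practice: Roots must be an empty pool rather than nil to model a trust store that lacks the root, because a nil Roots makes Go fall back to the system trust store; and ERR_CERT_COMMON_NAME_INVALID is Chrome's name for a hostname mismatch, the "does the domain match?" step in the checklist above, which the server's intermediate can never satisfy on its own since the match is made against the leaf's SAN list.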

Mixed Content Warning

Cause: HTTPS page loads resources (images, scripts, CSS) over HTTP. Fix: Update all resource URLs to HTTPS. Use a Content Security Policy with upgrade-insecure-requests. Check with Chrome DevTools Network tab filtered to "http:".

Let's Encrypt and the Certificate Transparency Log

Let's Encrypt, launched in 2016 by the Internet Security Research Group (ISRG), provides free, automated TLS certificates. As of 2024, it has issued over 3 billion certificates and serves over 300 million active domains. The 90-day expiry is intentional — it encourages automation and limits damage from key compromise.

Certificate Transparency (CT) logs are public, append-only records of every certificate issued. Browsers now require CT proof in certificates. This means if a rogue CA issues a certificate for your domain, it appears in the public log and can be detected — Google's CT monitoring caught several misissuance incidents from DigiCert and Symantec.
