SSL Certificates Explained: What Developers Need to Know
HTTPS is no longer optional. Browsers mark HTTP sites as “Not Secure,” Google uses HTTPS as a ranking factor, and users expect the padlock icon.
But SSL certificates can fail in subtle ways. Expired certificates, misconfigured chains, and hostname mismatches cause errors that drive users away. Understanding how SSL works helps you avoid these problems.
How SSL/TLS Actually Works
SSL (and its successor TLS) encrypts the connection between a browser and your server. The process:
- Browser connects to your server on port 443
- Server presents certificate with its public key
- Browser verifies the certificate against trusted Certificate Authorities (CAs)
- Key exchange establishes an encrypted session
- Data flows securely in both directions
If any step fails, users see a warning or error.
What’s in an SSL Certificate
A certificate contains:
- Subject: The domain(s) the certificate covers
- Issuer: The Certificate Authority that signed it
- Validity period: Start and expiration dates
- Public key: Used for initial encryption
- Signature: The CA’s cryptographic endorsement
Certificate Types
| Type | Validation | Use Case |
|---|---|---|
| DV (Domain Validation) | Automated | Most websites |
| OV (Organization Validation) | Company verified | Business sites |
| EV (Extended Validation) | Extensive vetting | Banks, e-commerce |
DV certificates are free (via Let’s Encrypt) and perfectly secure. OV and EV provide additional identity verification but don’t encrypt better.
Common SSL Problems
Expired Certificates
Certificates have a maximum lifetime (currently 398 days for public CAs). When they expire, browsers show scary warnings:
> Your connection is not private. Attackers might be trying to steal your information.
Most users won’t proceed past this warning. Even a few hours of expiration can cost you significant traffic.
Certificate Chain Issues
Your certificate is signed by an intermediate CA, which is signed by a root CA. The full chain must be presented:
```
Root CA (trusted by browser)
└── Intermediate CA
    └── Your Certificate
```
If you only serve your certificate without the intermediate, some browsers will fail validation.
Hostname Mismatch
A certificate for example.com won’t work for www.example.com unless:
- It includes both in the Subject Alternative Name (SAN)
- It’s a wildcard certificate (*.example.com)
Mismatched hostnames trigger browser warnings.
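The matching rule behind these warnings, as an added example (not code from the original article): a wildcard covers exactly one leftmost label, so `*.example.com` matches `www.example.com` but neither the bare `example.com` nor `a.b.example.com`. The certificates are constructed dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names are illustrative.

```python
# Added example: which hostnames does a certificate's SAN list actually cover?

def _labels(name):
    # Compare case-insensitively and ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san_entry):
    """True if a single SAN dNSName entry covers hostname."""
    host, pattern = _labels(hostname), _labels(san_entry)
    if len(host) != len(pattern):
        return False  # a wildcard never spans more than one label
    if pattern[0] == "*":
        # Simplification: refuse bare-TLD wildcards such as "*.com".
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern

def cert_covers(hostname, cert):
    """cert: dict in the shape returned by ssl.SSLSocket.getpeercert()."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(san_matches(hostname, san) for san in sans)

def uncovered(hostnames, cert):
    """Hostnames you serve that this certificate would NOT validate for."""
    return [h for h in hostnames if not cert_covers(h, cert)]

# Constructed sample data (not real certificates).
HOSTS = ["example.com", "www.example.com", "a.b.example.com"]
APEX_ONLY = {"subjectAltName": (("DNS", "example.com"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
BOTH = {"subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com"))}

if __name__ == "__main__":
    for label, cert in (("apex only", APEX_ONLY), ("wildcard", WILDCARD), ("both", BOTH)):
        print(f"{label:10} missing: {uncovered(HOSTS, cert)}")
```
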
Mixed Content
If your page loads over HTTPS but includes HTTP resources (images, scripts, stylesheets), browsers may block those resources or show warnings.
```html
<!-- This will be blocked or cause warnings on an HTTPS page -->
<img src="http://example.com/image.jpg" />

<!-- Use protocol-relative or HTTPS -->
<img src="https://example.com/image.jpg" />
<img src="//example.com/image.jpg" />
```
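To find these references before a browser does, the added example below (not part of the original article) scans HTML for subresources loaded over plain HTTP. It skips ordinary links and `rel="canonical"`, which navigate or reference rather than fetch. The tag list is a simplified assumption and the sample page is constructed.

```python
# Added example: flag http:// subresources in a page that will be served over HTTPS.
from html.parser import HTMLParser

# Elements whose URL attribute causes the browser to fetch a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "link": "href"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "link" and "stylesheet" not in (attributes.get("rel") or "").lower():
            return  # e.g. rel="canonical" is a reference, not a fetch
        url = (attributes.get(SUBRESOURCE_ATTRS.get(tag, "")) or "").strip()
        if url.lower().startswith("http://"):
            line, _column = self.getpos()
            self.findings.append((line, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page.
SAMPLE_PAGE = """\
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<img src="http://example.com/image.jpg" />
<img src="https://example.com/image.jpg" />
<img src="//example.com/image.jpg" />
<a href="http://example.com/about">About</a>
<script src="HTTP://example.com/app.js"></script>
"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```
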
Weak Configuration
Even with a valid certificate, your SSL configuration might be insecure:
- Old TLS versions (TLS 1.0, 1.1 are deprecated)
- Weak cipher suites
- Missing security headers (HSTS)
What to Check in Your SSL Setup
Certificate Details
- Not expired: Check the “Valid To” date
- Correct domain: Matches your actual hostname
- Trusted issuer: Recognized Certificate Authority
- Strong signature: SHA-256 or better (SHA-1 is deprecated)
Certificate Chain
- Complete chain: All intermediates included
- Valid chain: Each certificate signed by its parent
- No expired intermediates: Chain certificates can expire too
Server Configuration
- TLS 1.2+: Disable TLS 1.0 and 1.1
- Strong ciphers: Prefer ECDHE for forward secrecy
- HSTS enabled: Forces HTTPS connections
- No mixed content: All resources over HTTPS
Checking Your Certificate
You can inspect certificates manually:
- Click the padlock in your browser
- View certificate details
- Check expiration and chain
But this only shows what your browser sees. Different clients might see different results based on:
- Operating system trust stores
- Intermediate certificate caching
- TLS version support
For a complete view, use our SSL Certificate Checker. It analyzes:
- Certificate validity and expiration
- Full certificate chain
- Issuer and signature algorithm
- Days until expiration
- Common configuration issues
It’s the same checks a browser performs, but with detailed explanations of any problems.
Automating Certificate Renewal
Most certificate problems come from forgotten renewals. Automate this:
Let’s Encrypt with Certbot
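```bash
# Initial setup: obtain a certificate and configure nginx for both hostnames
sudo certbot --nginx -d example.com -d www.example.com

# Test auto-renewal without changing anything (the renewal job is usually set up automatically)
sudo certbot renew --dry-run
```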
Monitoring Expiration
Set up alerts before certificates expire:
- Most hosting providers offer this
- Uptime monitoring services check SSL
- Our SSL Certificate Checker shows days remaining
We recommend renewing at least 30 days before expiration. Let’s Encrypt certificates last 90 days and renew automatically at 60 days.
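A minimal expiry monitor built on the 30-day margin above, as an added example (not the article's or any checker's own code). `fetch_cert` needs network access and is not called by the sample run; the sample certificates and the fixed clock are constructed. Because the default context verifies the peer, an already-expired certificate surfaces as a verification error instead of a date.

```python
# Added example: classify a certificate by days left before notAfter.
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # renewal margin recommended in the text

def days_remaining(cert, now=None):
    """Whole days until notAfter for a getpeercert()-style dict (negative once expired)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def classify(cert, now=None):
    left = days_remaining(cert, now)
    if left < 0:
        return "EXPIRED"
    if left < RENEW_BEFORE_DAYS:
        return "RENEW_NOW"
    return "OK"

def fetch_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate as this client's trust store sees it."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def check_host(host):
    try:
        return classify(fetch_cert(host))
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted chain or hostname mismatch all land here.
        return f"INVALID ({exc.verify_message})"

# Constructed sample data, evaluated against a fixed clock.
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
FRESH = {"notAfter": "Aug 30 12:00:00 2025 GMT"}
DUE = {"notAfter": "Jun 21 12:00:00 2025 GMT"}
LAPSED = {"notAfter": "Jun  1 09:00:00 2025 GMT"}

if __name__ == "__main__":
    for name, cert in (("fresh", FRESH), ("due", DUE), ("lapsed", LAPSED)):
        print(name, days_remaining(cert, SAMPLE_NOW), classify(cert, SAMPLE_NOW))
```
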
SSL and SEO
Google confirmed HTTPS as a ranking signal in 2014. While it’s a minor factor compared to content quality, it’s an easy win:
- Rankings: Small boost for HTTPS sites
- Trust: Users expect the padlock
- Referrer data: HTTP referrers to HTTPS sites are preserved
- HTTP/2: Requires HTTPS in practice (browsers only support it over TLS)
Security Headers That Complement SSL
SSL encrypts the connection, but security headers add additional protection:
HSTS (HTTP Strict Transport Security)
Tells browsers to always use HTTPS:
```
Strict-Transport-Security: max-age=31536000; includeSubDomains
```
Content Security Policy
Controls which resources can load:
```
Content-Security-Policy: default-src 'self'; img-src 'self' https:;
```
Check these with our Security Headers Checker.
Troubleshooting SSL Errors
“Certificate has expired”
Renew the certificate immediately. If using Let’s Encrypt, run:
```bash
sudo certbot renew --force-renewal
```
“Certificate is not trusted”
Usually a chain issue. Ensure your server sends the full chain, not just the leaf certificate.
“Hostname mismatch”
The certificate doesn’t cover the domain you’re accessing. Get a certificate that includes all your domains.
Mixed content warnings
Find and fix HTTP resources. Browser developer tools show which resources are blocked.
Take Action
Run your domain through our SSL Certificate Checker to verify everything is configured correctly. If you find issues, address them in this order:
- Expired certificates (breaks everything)
- Chain problems (breaks some browsers)
- Weak configuration (security risk)
- Missing HSTS (missed security opportunity)
If you need help with SSL configuration or security audits, reach out.