Ultimate SSL Certificate Tutorial & HTTPS Explained
Introduction to SSL & HTTPS
When users see a padlock 🔒 in their browser, it means the website is using HTTPS secured by an SSL certificate. But what exactly does that mean? This SSL certificate tutorial covers everything you need to know about SSL.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that enable encrypted communication between a web browser and server. HTTPS is simply HTTP with SSL/TLS applied — offering secure, private, and verified communication over the internet.
Without HTTPS, data (passwords, card info, logins) can be intercepted or manipulated. SSL ensures both data encryption and server identity verification.
🔄 How HTTPS Works
📡 What is SSL/TLS?
SSL/TLS uses asymmetric cryptography to exchange keys and symmetric encryption to transmit data securely.
Key components:
- Private Key: Kept secret on the server and never shared
- Public Key: Embedded in the SSL certificate and shared with every client
- Certificate Authority (CA): Verifies the applicant and signs the SSL certificate so that browsers can trust it
🤝 The SSL/TLS 3-Way Handshake
Here’s how a secure connection is established:
- Client Hello: The browser sends the server its supported SSL/TLS versions and a random value.
- Server Hello + Certificate: The server responds with the chosen version, its SSL certificate and its own random value.
- Key Exchange & Session Start: The browser validates the certificate (checking the CA signature, the hostname and the expiry date), shares a symmetric session key (encrypted with the server’s public key), and both sides switch to encrypted communication.
🧩 Under the Hood: TCP 3-Way Handshake
Before the SSL/TLS handshake begins, the underlying TCP connection must be established with its own 3-way handshake:
- SYN: The client sends a TCP packet with the SYN (synchronize) flag to initiate a connection.
- SYN-ACK: The server responds with a SYN-ACK (synchronize-acknowledge) packet to accept and acknowledge the request.
- ACK: The client replies with an ACK (acknowledge) packet, completing the handshake.
🔁 At this point, the TCP connection is established. The browser and server can now begin the SSL/TLS handshake securely.
🧪 Example (captured via Wireshark or tcpdump):
Client → Server: SYN
Server → Client: SYN-ACK
Client → Server: ACK
Once the handshake is complete, all data is securely transmitted using the agreed encryption.
🏷️ Types of SSL Certificates
SSL certificates are classified based on:
🔹 Validation Level
Type | Validates | Use Case
---|---|---
DV (Domain Validated) | Domain ownership only | Blogs, small websites and projects
OV (Organization Validated) | Domain ownership plus business details | Company and business websites
EV (Extended Validation) | Full legal, domain and business vetting | Large enterprises, banks, eCommerce, healthcare
🔹 Domain Coverage
Type | Coverage
---|---
Single Domain SSL | One domain only (e.g., example.com)
Wildcard SSL | One domain plus all its subdomains (e.g., *.example.com covers app.example.com and blog.example.com)
Multi-Domain (SAN/UCC) | Multiple unrelated domains (e.g., example.com, site.org, store.net). Ideal for multi-site businesses
🔐 Generating SSL Certificates: Keys, CSR, and Full Chain
Let’s install an SSL certificate. To do that we must first generate a private key:
🔑 1. Private Key
This key never leaves the server: it proves the server’s identity during the handshake and decrypts the session key material that the client encrypts with the matching public key.
openssl genrsa -out domain.key 2048
📄 2. CSR (Certificate Signing Request)
A CSR includes your public key and domain details. It’s sent to a Certificate Authority.
openssl req -new -key domain.key -out domain.csr
You can also include SAN (Subject Alternative Names) using a custom openssl.cnf file.
🏷️ Note: Refer to this tutorial if you are looking for a complete guide to installing free multi-domain SAN SSL certificates on NGINX/HTTPD.
📜 3. SSL Certificate (Signed by CA)
After verification, the CA returns a signed certificate, e.g., domain.crt.
🧷 4. Full Chain Certificate vs Normal Certificate
- Normal Cert (domain.crt) contains only your own (leaf) certificate.
- Full Chain (fullchain.pem) contains your cert followed by the intermediate CA certs.
- Why it matters: Browsers only ship with root CAs, so they need the intermediate certificates to link your cert to a trusted root. A server that sends only domain.crt fails validation on any client that does not already have the intermediate cached. Always use fullchain.pem with Let’s Encrypt and similar providers.
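The key, CSR and chain steps from sections 1 to 4 above, carried through end to end as an added example that is not part of the original tutorial: the script builds a toy root and intermediate CA with openssl, issues a certificate for example.com, then simulates a browser that trusts only the root and checks what it accepts when the server presents domain.crt alone versus fullchain.pem. It assumes the openssl CLI and awk are installed; the CA names, hostnames and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a toy two-tier PKI built with
# openssl, plus a simulated browser that trusts only the root CA, showing that
# domain.crt alone fails validation while fullchain.pem passes. Names are constructed.
set -eu

build_pki() {                 # creates root -> intermediate -> leaf; prints its work dir
  d=$(mktemp -d)
  # tiny req config so the demo does not depend on the system openssl.cnf
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.com,DNS:www.example.com\n' > "$d/leaf.ext"
  # 1. root CA: key + CSR, then self-signed with CA extensions
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # 2. intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  # 3. server cert: the tutorial's domain.key / domain.csr / domain.crt, with a SAN
  openssl genrsa -out "$d/domain.key" 2048 2>/dev/null
  openssl req -new -key "$d/domain.key" -config "$d/req.cnf" -subj "/CN=example.com" \
    -out "$d/domain.csr" 2>/dev/null
  openssl x509 -req -in "$d/domain.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 365 -extfile "$d/leaf.ext" -out "$d/domain.crt" 2>/dev/null
  # 4. fullchain.pem = server cert first, then the intermediate (the root is never sent)
  cat "$d/domain.crt" "$d/inter.pem" > "$d/fullchain.pem"
  echo "$d"
}

# Simulated client: the first cert in the presented bundle is the server cert, any
# following certs are untrusted helpers, only root.pem is trusted. Returns 0 if valid.
client_verify() {             # $1 = pki dir, $2 = bundle the server presents
  leaf=$(mktemp); rest=$(mktemp)
  awk -v leaf="$leaf" -v rest="$rest" \
    '/-----BEGIN CERTIFICATE-----/ { n++ } { if (n == 1) print > leaf; else print > rest }' "$2"
  if [ -s "$rest" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$rest" -verify_hostname example.com "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" -verify_hostname example.com "$leaf" >/dev/null 2>&1
  fi
}

pki=$(build_pki)
if client_verify "$pki" "$pki/domain.crt"; then echo "domain.crt alone: trusted"; else echo "domain.crt alone: NOT trusted (intermediate missing)"; fi
if client_verify "$pki" "$pki/fullchain.pem"; then echo "fullchain.pem: trusted"; else echo "fullchain.pem: NOT trusted"; fi
```

The same split-then-verify logic is what a browser does with the certificate message it receives, so the script reproduces the "works on my machine, fails for visitors" symptom of a missing intermediate without any network access.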
🔄 SSL Certificate Encodings and Formats
SSL certs come in multiple formats, each used in specific platforms and tools:
📄 PEM (Privacy Enhanced Mail)
- Most common format
- Base64 encoded, with .pem, .crt or .key extensions
📄 DER (Distinguished Encoding Rules)
- Binary format
- Used by Java systems
- Extensions: .der, .cer
📄 BASE64
- Encoding mechanism used in PEM
📦 PKCS#7 (.p7b)
- Used in Windows, Java
- Contains certs and chain, but no private key
🧪 PKCS#12 (.p12 / .pfx)
- Stores cert + private key + chain
- Used for Windows, browsers, and appliances
- Can be password-protected
openssl pkcs12 -export -out cert.p12 -inkey private.key -in domain.crt -certfile fullchain.pem
🧱 JKS (Java KeyStore)
- Java-specific keystore format
- Stores certs and private keys
- Managed with keytool instead of OpenSSL
keytool -importkeystore -srckeystore cert.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
🔁 Converting SSL Certificate Formats
Below are examples of converting certificate formats using OpenSSL:
🔁 Convert DER to PEM
If you received a certificate in .der format:
openssl x509 -inform der -in certificate.der -out certificate.pem
🔁 Convert BASE64 (CRT/CER) to PEM
If your cert is a Base64 .crt or .cer file and you want it as a clean PEM file:
openssl x509 -in certificate.cer -out certificate.pem -outform PEM
💸 Free vs Paid SSL Certificates
🆓 Free SSL (e.g. Let’s Encrypt)
- 100% free
- Ideal for personal or small business sites
- 90-day validity with auto-renewal
💼 Paid SSL
- Comes with support, warranties, and extended validations
- Required for high-security sites like banking, healthcare
🔧 Common Use Cases
- 🌐 Personal websites and blogs → DV or Let’s Encrypt
- 🏢 Corporate portals → OV SSL
- 🛍️ eCommerce or SaaS → EV + Multi-Domain
- 🚀 Dev/Test environments → Self-signed certs or free SSL
🔐 Best Practices for Managing SSL
- ✅ Use HSTS headers to force HTTPS
- ✅ Redirect all HTTP traffic to HTTPS (301 permanent redirect)
- ✅ Enable auto-renewal for Let’s Encrypt
- ✅ Monitor expiry with tools like SSL Labs
- ✅ Avoid mixed content issues (load all resources over HTTPS)
🔗 Related Articles You may Find Helpful
- Install Free SSL Certificate on Nginx/Apache
- Setup Nginx Reverse Proxy Like a Pro in 10 Minutes
✅ Conclusion & Call to Action
SSL and HTTPS are no longer optional — they’re essential for performance, trust, SEO, and user security.
Understanding how SSL certificates work — from types to encodings to installation — gives you a real DevOps and SRE advantage.
🔒 Ready to secure your infrastructure or want help setting up certificates? Get in touch with us today.
If you found this tutorial helpful, share it with your team or drop a comment below with any questions!