What is SSL/TLS? A Complete Guide for 2026
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that provide encrypted communications over computer networks. Understanding them is essential for anyone running a website, API, or web application.
The Difference Between SSL and TLS
Technically, SSL is the older protocol. Netscape developed SSL 1.0, 2.0, and 3.0 in the 1990s. TLS is the modern replacement, with TLS 1.0 released in 1999, followed by TLS 1.1, TLS 1.2, and TLS 1.3 (the current standard, released in 2018).
Despite this, the industry still colloquially says "SSL certificate" when referring to what is technically a TLS certificate. The important thing to understand is that all modern SSL/TLS certificates use TLS under the hood — SSL 2.0 and 3.0 are deprecated and insecure.
⚠️ Important: If your server still supports SSL 3.0 or TLS 1.0/1.1, you are vulnerable. These versions have known weaknesses including POODLE and BEAST attacks. Upgrade to TLS 1.2 or TLS 1.3 immediately.
How TLS Works: The Handshake
When your browser connects to a website over HTTPS, a TLS handshake occurs. Here is what happens step by step:
- Client Hello: Your browser sends supported TLS versions, cipher suites, and a random number to the server.
- Server Hello: The server responds with the chosen TLS version and cipher suite, plus its digital certificate.
- Certificate Verification: Your browser validates the server's certificate against trusted Certificate Authorities (CAs).
- Key Exchange: Both parties use asymmetric cryptography to securely agree on a session key.
- Encrypted Communication: All further data is encrypted using the agreed session key (symmetric encryption).
Types of SSL/TLS Certificates
There are three main types of SSL/TLS certificates, differentiated by their level of validation:
Domain Validated (DV)
The CA only verifies that you control the domain. Issued within minutes. Best for blogs, personal sites, and development environments.
Organization Validated (OV)
The CA verifies both domain ownership and basic organization information. Takes 1–3 days. Best for businesses and SaaS applications.
Extended Validation (EV)
The most rigorous validation, confirming legal identity of the organization. Takes 1–5 business days. Best for financial institutions and e-commerce.
What is a Certificate Authority (CA)?
A Certificate Authority is a trusted organization that issues digital certificates. When your browser sees a certificate signed by a trusted CA, it trusts the identity of the server. The most widely recognized CAs include DigiCert, Sectigo, GlobalSign, and Let's Encrypt (a free, open CA).
Operating systems and browsers maintain a list of trusted root CAs. If a certificate is signed by an authority not on this list — or if the chain of trust is broken — users will see a security warning.
Why SSL/TLS Certificates Expire
SSL/TLS certificates have an intentional expiry period. The industry standard has moved to a maximum of 397 days (about 13 months). Apple, Google, and Mozilla all enforce this in their root store policies. The reason for expiry is security: shorter lifetimes reduce the window of exposure if a private key is compromised.
When a certificate expires, browsers display a hard error to users — a full-page warning that blocks access. This causes immediate loss of traffic, trust, and conversions. This is why monitoring certificate expiry is not optional — it is a critical part of any website's operational health.
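An expiry and protocol check of the kind described above, as an added example that is not part of the original guide. It uses Python's standard `ssl` module; the 30-day warning threshold, the function names, and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 397  # maximum certificate lifetime stated in the article
WARN_DAYS = 30           # assumed alert threshold, not a value from the article


def hardened_context() -> ssl.SSLContext:
    """Client context that verifies the chain and refuses SSL 3.0 and TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # system trust store + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake with host; return (negotiated TLS version, validated leaf cert)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with hardened_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()


def _utc(cert_time: str) -> datetime:
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def assess(cert: dict, now: datetime, warn_days: int = WARN_DAYS) -> dict:
    """Classify a getpeercert()-style dict by validity window and total lifetime."""
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    days_left = (not_after - now).days
    if now < not_before:
        status = "not_yet_valid"
    elif now > not_after:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring_soon"
    else:
        status = "ok"
    lifetime = (not_after - not_before).days
    return {"status": status, "days_left": days_left, "lifetime_days": lifetime,
            "lifetime_exceeds_max": lifetime > MAX_LIFETIME_DAYS}


# Constructed sample in the shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {"notBefore": "Jan  1 00:00:00 2026 GMT",
               "notAfter": "Jun 30 00:00:00 2026 GMT"}

if __name__ == "__main__":
    print(assess(SAMPLE_CERT, datetime(2026, 3, 1, tzinfo=timezone.utc)))
```

Against a live server, pass the second element returned by `fetch_cert(host)` to `assess`; a handshake failure there means the chain did not validate or the server could not negotiate TLS 1.2 or newer.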
Key Takeaways