
SSL/TLS Certificates Explained (Without the Jargon)

What HTTPS certificates do, why browsers warn you, and how to check expiry and chain issues on your own domains.


When you see the padlock in the browser, TLS (often still called SSL) is encrypting traffic between you and the server. A certificate binds a public key to a hostname (and sometimes a company identity) so your browser can verify you are talking to the real site, not an impostor on the same Wi‑Fi.

What the certificate actually proves

  • Domain Validation (DV) — You control the domain; visitors get encryption but limited identity proof.
  • Organization Validation (OV) / Extended Validation (EV) — Stronger checks on the legal entity; EV used to show green bar branding but is less prominent in modern browsers.

For most sites, free DV certificates from Let’s Encrypt are enough: encryption + automated renewal.

The certificate chain

Browsers trust root CAs shipped in the OS. Your server sends leaf cert + intermediates; the browser chains up to a trusted root. If an intermediate is missing, some clients show “certificate not trusted” even though OpenSSL on your laptop looks fine.

Always configure your server to serve the full chain your CA documents.

Expiry and renewal

Certificates expire. Let’s Encrypt issues short-lived certs (90 days) to encourage automation. Set ACME renewal (Certbot, Caddy, Traefik, or your host’s panel) and monitor failures.

Expired certificates break:

  • HTTPS for users
  • APIs that pin TLS or use strict clients
  • Webhooks if your receiver validates outbound TLS poorly

Hostname mismatch

A cert for www.example.com may not cover example.com unless SAN entries include both—or you use a wildcard *.example.com (which does not cover the bare apex).

Use our SSL Checker to see expiry, issuer, and hostname coverage from the public internet’s perspective.

DNS before TLS

TLS depends on clients reaching the right IP. After migrations, confirm A/AAAA/CNAME records with DNS Lookup before you spend time debugging cipher suites.

If HTTP redirects misbehave, the HTTP Status Checker helps verify 301/302 chains from HTTP to HTTPS.

Practical checklist

  • Enable HTTPS everywhere; redirect HTTP with 301
  • Serve HSTS only after you are sure all subdomains support HTTPS
  • Automate renewal and alert on < 14 days to expiry
  • Test from mobile networks and corporate proxies, not only your office
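
The hostname-coverage rule from the mismatch section and the 14-day expiry alert from the checklist can be checked together. The sketch below is an added example, not code from this site or its SSL Checker; the function names and the sample certificate are assumptions constructed for illustration, using the dict shape that Python's ssl.SSLSocket.getpeercert() returns.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# the values are made up for this example, not read from a real certificate.
SAMPLE_CERT = {
    "notAfter": "Jun 10 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

def san_matches(pattern, hostname):
    """Compare one SAN DNS entry with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, so counts must agree
    if p[0] == "*":
        # Wildcard only as the whole leftmost label; refusing "*.com"-style
        # patterns is a conservative choice made in this example.
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def covers(cert, hostname):
    """True if any DNS entry in the SAN list covers the hostname."""
    return any(kind == "DNS" and san_matches(value, hostname)
               for kind, value in cert.get("subjectAltName", ()))

def days_left(cert, now):
    """Whole days until notAfter, negative once the certificate has expired."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days

def audit(cert, hostnames, now, warn_days=14):
    """Return findings for expiry (checklist threshold) and hostname coverage."""
    findings = []
    remaining = days_left(cert, now)
    if remaining < 0:
        findings.append("expired")
    elif remaining < warn_days:
        findings.append(f"expires in {remaining} days")
    findings += [f"not covered: {name}" for name in hostnames
                 if not covers(cert, name)]
    return findings

if __name__ == "__main__":
    now = datetime(2030, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
    print(audit(SAMPLE_CERT, ["example.com", "www.example.com", "a.b.example.com"], now))
```

To run it against a live site, pass the dict from getpeercert() on a verified connection instead of SAMPLE_CERT and use the current UTC time for now.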

HTTPS is table stakes for SEO, security, and user trust—and fixing chain or hostname issues is usually faster than it feels once you know what to look for.