In short

A TLS/SSL certificate does two things at once: it enables encrypted traffic between browser and server, and it authenticates the server — proving the domain is what it claims to be. Without the certificate, an attacker in the middle could read or tamper with the connection and no one would notice.

What a certificate contains

  • Subject — the domain(s) the certificate covers (e.g. example.com, or several via a SAN list).
  • Public key — one half of the key pair; the private key stays secret on the server.
  • Issuer — the Certificate Authority (CA) that issued and signed the certificate.
  • Validity period — a notBefore and a notAfter timestamp. After notAfter, the certificate has expired.
  • Signature — the CA's cryptographic signature over the fields above, which links the certificate into a chain up to a trusted root.

How trust is established

The browser does not trust the server directly — it trusts the CA that signed the certificate. The CA's root lives in the browser's and operating system's root store. When the server presents its certificate, the client follows the chain from the server's certificate up to a trusted root, checking every signature along the way. The validation level — DV, OV or EV — determines what the CA verified before issuing. You can choose between several CAs; see our guide to choosing the right CA.
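The chain check described above can be reproduced offline with Go's standard library. This is an added example, not CertControl's code: it builds a constructed root CA ("Example Root CA"), an unrelated root and a 90-day leaf for example.com, then verifies the leaf the way a client would. All names, serial numbers and dates are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed certificate signed by parent (nil parent = self-signed root CA).
func issue(name string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{name}}
	if parent == nil { // root: may sign other certificates, covers no hostname itself
		t.IsCA, t.KeyUsage, t.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// scenarios verifies one leaf four ways; a nil error means the client would trust it.
func scenarios() map[string]error {
	now := time.Now()
	root, rootKey := issue("Example Root CA", 1, nil, nil, now.AddDate(10, 0, 0))
	other, _ := issue("Unrelated Root CA", 2, nil, nil, now.AddDate(10, 0, 0))
	leaf, _ := issue("example.com", 3, root, rootKey, now.AddDate(0, 0, 90))
	check := func(trusted *x509.Certificate, host string, at time.Time) error {
		store := x509.NewCertPool() // stands in for the browser/OS root store
		store.AddCert(trusted)
		_, err := leaf.Verify(x509.VerifyOptions{Roots: store, DNSName: host, CurrentTime: at})
		return err
	}
	return map[string]error{
		"valid":            check(root, "example.com", now),
		"expired":          check(root, "example.com", now.AddDate(0, 0, 91)),
		"wrong host":       check(root, "example.org", now),
		"untrusted issuer": check(other, "example.com", now),
	}
}
func main() { fmt.Println(scenarios()) }
```

Only the first case returns nil. The other three fail for different reasons (validity period, subject mismatch, no path to a trusted root), which is useful to tell apart when triaging a certificate alert.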

SSL or TLS — what is it called?

SSL is the old protocol; TLS is its successor and what is actually used today. The industry still says "SSL certificate" out of habit, but technically it is a TLS certificate. We cover the difference in SSL vs TLS.

Why certificates expire

A certificate is a time-bound claim of identity. Short lifetimes limit the damage if a key leaks and force keys to be rotated regularly. Lifetimes keep getting shorter, which makes automation more important than ever. It is also why an expired certificate is one of the most common — and most avoidable — causes of downtime.

How CertControl helps

CertControl discovers all your TLS certificates — across servers, load balancers, CDNs and internal systems — and warns you well before they expire. No spreadsheets, and no learning a certificate expired at the same moment your customers do.

Frequently asked questions

Are SSL and TLS the same thing?

In practice, yes. SSL is the older protocol, TLS is its successor. "SSL certificate" and "TLS certificate" refer to the same thing today — the correct name is TLS.

Where do I get a TLS certificate?

From a Certificate Authority. Many CAs such as Let's Encrypt, ZeroSSL and Buypass issue free DV certificates via ACME automation. See our guide to choosing the right CA.

Why does my certificate expire?

Every certificate has a fixed validity period to limit the risk of a leaked key. When it expires it must be renewed — ideally automatically, so you avoid downtime.