SSL/TLS certificates are the foundation of secure web communications. With certificate validity periods shrinking from years to weeks, mastering certificate management is essential for DevOps, security teams, and developers. This comprehensive guide connects all aspects of certificate management—from fundamentals to advanced topics like mTLS and automation.
The SSL/TLS Certificate Ecosystem
The ecosystem breaks down into three tracks, each covered by its own set of guides:
Certificate types
- Validation level: DV (Domain), OV (Organization), EV (Extended)
- Coverage: single domain, wildcard, SAN/multi-domain
- Formats: PEM/DER, PFX/PKCS#12, PKCS#7
Lifecycle
- Planning & procurement: CSR generation, CA selection
- Installation & validation: server configuration, chain verification
- Automation & renewal: ACME/Certbot, cert-manager
Security
- Certificate Transparency: CT logs, monitoring
- Revocation & incident response: CRL/OCSP, key rotation
- Advanced: mTLS, pinning, OCSP stapling
Learning Path
This guide connects to specialized articles for deep dives into each topic. Follow the path that matches your experience level:
Beginner Path
- SSL vs TLS Difference - Understanding the protocols
- What is X.509 Certificate - Certificate structure basics
- Certificate Formats Explained - PEM, DER, PFX, P7B
- How to Check SSL Certificate Expiration - Basic verification
Intermediate Path
- Certificate Lifecycle Management - End-to-end management
- Certificate Installation & Validation - Server configuration
- Nginx/Apache SSL Configuration - Web server setup
- Troubleshooting SSL Errors - Common issues and fixes
Advanced Path
- Certificate Automation & Renewal - ACME and automation
- Let's Encrypt Automation - Certbot setup
- Certificate Revocation & Incident Response - Emergency procedures
- TLS 1.3 vs 1.2 Security - Protocol hardening
Certificate Types Decision Tree
Choosing the right certificate type is crucial for security and cost efficiency:
Start with how many domains or subdomains you need to cover:
- Single domain (for example www.example.com): DV single-domain certificate. Cost: free (Let's Encrypt) to about $50/year.
- Multiple subdomains of the same base domain: wildcard certificate (*.example.com). A wildcard matches exactly one label, so *.example.com covers api.example.com but not example.com itself or a.b.example.com; wildcard certificates are therefore usually issued with the base domain as an extra SAN.
- Multiple unrelated domains (example.com plus other.com): SAN (multi-domain) certificate.
Then layer on any additional requirements:
- Company name must appear in the certificate: OV certificate (Organization Validation). Cost: $200-500/year; validation takes 1-3 days.
- Service-to-service authentication: mTLS (mutual TLS) with client certificates, issued from an internal CA or cert-manager. See: mTLS Guide (coming soon).
Certificate Type Comparison
| Type | Validation | Time to Issue | Cost | Best For |
|---|---|---|---|---|
| DV (Domain) | Domain control only | Minutes | Free - $50/yr | Most websites, blogs, apps |
| OV (Organization) | Domain control + legal entity | 1-3 days | $200-500/yr | Business sites, enterprise |
| EV (Extended) | Extended legal and operational checks | 5-7 days | $500-1500/yr | Banks, finance (diminishing value: browsers no longer show the company name) |
| Wildcard | DV or OV; covers one level of subdomains | Minutes - 3 days | Free - $300/yr | Many subdomains under one base domain |
| SAN/UCC | DV, OV or EV; explicit list of names | Minutes - 3 days | $100-400/yr | Multiple specific domains |
Certificate Lifecycle Overview
The certificate lifecycle consists of eight stages:
1. Planning: requirements, CA selection, key strategy
2. Procurement: CSR generation, domain/organization validation, issuance
3. Installation: server configuration, chain setup
4. Validation: SSL Labs scan, CT log check, protocol and cipher review
5. Monitoring: expiration alerts, CT log monitoring
6. Automation: ACME/Certbot, cert-manager, cloud-native issuers
7. Revocation: emergency response, key rotation
8. Optimization: multi-CA strategy, HSM key storage, certificate inventory
For a comprehensive deep-dive into lifecycle management, see our SSL/TLS Certificate Lifecycle Management Guide.
Essential Certificate Commands
Quick Reference
# View certificate details
openssl x509 -in cert.pem -text -noout
# Check certificate expiration (notBefore / notAfter)
openssl x509 -in cert.pem -noout -dates
# Exit non-zero if the certificate expires within 30 days (handy in scripts)
openssl x509 -in cert.pem -noout -checkend 2592000
# Verify certificate chain (chain.pem must contain the root for this form to work)
openssl verify -CAfile chain.pem cert.pem
# Same check, but with the root as trust anchor and the intermediates marked untrusted,
# which is how a browser actually evaluates what your server sends
openssl verify -CAfile root.pem -untrusted intermediate.pem cert.pem
# Test remote certificate (send SNI; </dev/null closes the session instead of hanging)
openssl s_client -connect example.com:443 -servername example.com </dev/null
# Generate private key (RSA 2048)
openssl genrsa -out private.key 2048
# Generate private key (ECDSA P-256); -noout drops the EC PARAMETERS block some tools reject
openssl ecparam -genkey -name prime256v1 -noout -out private.key
# Create CSR with a SAN (browsers ignore the CN; every hostname must be listed as a SAN)
openssl req -new -key private.key -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com" -out request.csr
# Inspect the CSR before submitting it
openssl req -in request.csr -noout -text
# Convert PEM to PFX (include the intermediates so Windows/IIS imports the whole chain)
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.pem -certfile chain.pem
# Check if key matches certificate by comparing public-key digests
# (works for RSA and ECDSA; the older "-modulus | md5" trick is RSA-only)
openssl x509 -in cert.pem -noout -pubkey | openssl sha256
openssl pkey -in private.key -pubout | openssl sha256
# (hashes should match)
Use our X.509 Certificate Decoder for visual certificate analysis without command-line tools.
TLS Protocol and Cipher Suites
Modern TLS Configuration (2026)
# Nginx - Recommended TLS Configuration
server {
    listen 443 ssl http2;    # nginx >= 1.25.1 prefers "listen 443 ssl;" plus "http2 on;"
    server_name example.com;
    ssl_certificate /etc/ssl/fullchain.pem;    # leaf first, then intermediates
    ssl_certificate_key /etc/ssl/private.key;
    # Protocol versions (TLS 1.2 minimum, prefer 1.3)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Modern cipher suites. This list only governs TLS 1.2; TLS 1.3 suites are
    # fixed by the TLS library and all of them provide forward secrecy.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    # Session resumption (tickets off: a long-lived ticket key undermines forward secrecy)
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # OCSP Stapling (nginx needs a resolver to reach the CA's OCSP responder)
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/chain.pem;    # intermediates + root, used to verify the stapled response
    resolver 127.0.0.53 valid=300s;                # replace with your DNS resolver
    # Security headers
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}
One caveat on stapling: Let's Encrypt stopped putting OCSP URLs in its certificates in 2025 and shut down its OCSP responders, so for those certificates the stapling directives have nothing to fetch and can be left off. They still matter for CAs that run OCSP.
Protocol Comparison
| Feature | TLS 1.2 | TLS 1.3 |
|---|---|---|
| Handshake Round Trips | 2 | 1 (0-RTT possible) |
| Cipher Suites | Many (some weak) | 5 modern only |
| Forward Secrecy | Optional (ECDHE) | Mandatory |
| 0-RTT Resumption | No | Yes (with caveats) |
| Deprecated Algorithms | Allows RC4, 3DES | Removed entirely |
For detailed protocol comparison, see our TLS 1.3 vs 1.2 Security Guide.
Certificate Automation
Under the CA/Browser Forum schedule, the maximum validity of publicly trusted certificates drops to 200 days in March 2026, 100 days in March 2027 and 47 days in March 2029. At 47 days a certificate is renewed roughly every month, so automation is mandatory.
Certbot (Let's Encrypt)
# Install Certbot (the Cloudflare DNS plugin is a separate package)
sudo apt install certbot python3-certbot-nginx python3-certbot-dns-cloudflare
# Obtain certificate with Nginx integration (Certbot edits the server block for you)
sudo certbot --nginx -d example.com -d www.example.com
# Wildcard certificate (requires the DNS-01 challenge). Quote the name so the shell
# does not expand the asterisk, and keep the credentials file at mode 600.
sudo certbot certonly --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d '*.example.com' -d example.com
# Test renewal
sudo certbot renew --dry-run
# Auto-renewal is configured via systemd timer; by default Certbot renews
# once a certificate has fewer than 30 days left
systemctl status certbot.timer
Kubernetes cert-manager
# ClusterIssuer for Let's Encrypt
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-prod-key   # ACME account key; cert-manager creates it
    solvers:
    - http01:
        ingress:
          class: nginx             # newer releases also accept ingressClassName
---
# Certificate resource
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-tls
spec:
  secretName: example-tls          # TLS Secret the Ingress references
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - www.example.com
  renewBefore: 720h                # 30 days. Must be shorter than the certificate's
                                   # validity; for 47-day certificates lower it (e.g. 360h)
                                   # or omit it and let cert-manager renew at 2/3 of lifetime
For complete automation guidance, see our Certificate Automation Guide.
Security Best Practices
Certificate Security Checklist
Key management
- 2048-bit RSA or 256-bit ECDSA keys
- Private keys readable only by root or the service account (chmod 600)
- Never commit keys to Git
- HSM for high-security keys
- Key rotation schedule (generate a fresh key at each renewal rather than reusing the old one)
- Encrypted key backups
Configuration
- TLS 1.2+ only
- Strong cipher suites only
- HSTS enabled (add preload only once every subdomain is confirmed on HTTPS)
- OCSP stapling enabled where the CA provides OCSP
- Complete certificate chain served
- CAA DNS records configured (e.g. example.com. CAA 0 issue "letsencrypt.org") so other CAs refuse to issue for your domain
Monitoring
- Expiration alerts (30/14/7/1 days)
- CT log monitoring
- Certificate chain completeness
- SSL Labs grade A or A+
- Unauthorized certificate detection
- Renewal success verification
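The 30/14/7/1-day alert thresholds in the checklist, turned into a check that can run from cron or a CI job. This is an added example, not code from the original page or any linked guide; it assumes openssl (1.1.1 or later) is on the PATH, and the three certificates it grades are self-signed test certificates it generates itself. `fetch_leaf` needs network access and is the only part the demo does not exercise.

```shell
#!/bin/sh
# Added example (not from the original page): grade a certificate against the
# checklist's 30/14/7/1-day thresholds using `openssl x509 -checkend`, which is
# portable across GNU and BSD systems (parsing notAfter with `date -d` is not).
# Assumes openssl is installed. The certificates below are constructed for the demo.
set -e

DAY=86400
WORK="$(mktemp -d)"

# expiry_tier CERT -> prints expired | crit1 | warn7 | warn14 | warn30 | ok
# -checkend N exits non-zero if the certificate expires within N seconds, so the
# tightest window is tested first and the first one that trips is reported.
expiry_tier() {
  for days in 0 1 7 14 30; do
    if ! openssl x509 -in "$1" -noout -checkend $((days * DAY)) >/dev/null; then
      case $days in
        0)  echo expired ;;
        1)  echo crit1 ;;
        7)  echo warn7 ;;
        14) echo warn14 ;;
        30) echo warn30 ;;
      esac
      return 0
    fi
  done
  echo ok
}

# fetch_leaf HOST FILE -> saves the leaf certificate a live server presents on
# port 443 (with SNI) so expiry_tier can grade it. Needs network access.
fetch_leaf() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$2"
}

# check_or_fail CERT -> prints the tier and returns 1 on crit1/expired so a cron
# job or CI step turns red; the warning tiers are only printed.
check_or_fail() {
  tier="$(expiry_tier "$1")"
  echo "$1: $tier"
  case $tier in
    expired|crit1) return 1 ;;
  esac
  return 0
}

# Constructed test certificates: self-signed, EC P-256, throw-away keys.
mkcert() {  # DAYS OUT
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout /dev/null -out "$2" -days "$1" -subj "/CN=expiry-demo" 2>/dev/null
}
mkcert 5   "$WORK/five-days.pem"     # -> warn7
mkcert 20  "$WORK/twenty-days.pem"   # -> warn30
mkcert 365 "$WORK/one-year.pem"      # -> ok

for c in "$WORK"/*.pem; do check_or_fail "$c"; done
```

Point the loop at a directory of certificates collected with `fetch_leaf` (or copied from your servers) and schedule it daily; the non-zero exit on the critical tier is what makes the cron mail or CI failure appear.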
HSTS (HTTP Strict Transport Security)
Enable HSTS so that browsers refuse plaintext connections to your domain, which defeats SSL stripping against returning visitors. Two caveats before copying the header below: includeSubDomains applies to every subdomain, including internal ones still served over HTTP, and preload submits the domain to a list compiled into browsers that takes months to leave. Roll out with a short max-age (for example 300 seconds), then raise it to two years once every host is confirmed to serve HTTPS:
# Nginx
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# Apache
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Common Issues & Troubleshooting
Certificate Chain Problems
The most common issue is an incomplete certificate chain: the server sends only its leaf certificate, and clients that do not already cache the intermediate cannot link it to a trusted root.
# Check for chain issues (</dev/null ends the session instead of waiting for input)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>&1 | grep -i verify
# Should show: Verify return code: 0 (ok)
# "unable to get local issuer certificate" means the intermediate is missing
# (or, when testing from a minimal container, that your local trust store lacks the root)
# Fix: serve the full chain, leaf first, then intermediates, never the root
cat cert.pem intermediate.pem > fullchain.pem
# Confirm the server now sends more than one certificate
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
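To see the failure and the fix without touching production, here is an added example (not code from the original page or any linked guide) that builds a throwaway root, intermediate and leaf with openssl, reproduces `unable to get local issuer certificate`, fixes it with a correctly ordered fullchain, and checks that a key belongs to a certificate by comparing public-key digests, which, unlike the modulus comparison in the Quick Reference above, also works for ECDSA keys. It assumes openssl 1.1.1 or later; the `example.test` hostnames and every file name are made up, and the files are left in a temporary directory so you can inspect them.

```shell
#!/bin/sh
# Added example, not code from the original page: a throwaway three-tier PKI
# used to reproduce and fix an incomplete chain. Assumes openssl >= 1.1.1.
# All names here are invented.
set -e
WORK="$(mktemp -d)"

# Extensions each tier needs. A certificate without CA:TRUE is rejected as an
# issuer, which is a second, less obvious cause of chain verification failures.
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > "$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.test,DNS:example.test
EOF

newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# build_pki: self-signed root -> intermediate -> 47-day leaf, all P-256.
# Note that `x509 -req` takes extensions only from -extfile, not from the CSR,
# which is why the SAN appears in both places.
build_pki() (
  cd "$WORK"
  newkey root.key; newkey int.key; newkey leaf.key
  openssl req -new -key root.key -subj "/CN=Example Test Root" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile ca.ext -out root.pem 2>/dev/null
  openssl req -new -key int.key -subj "/CN=Example Test Intermediate" -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out int.pem 2>/dev/null
  openssl req -new -key leaf.key -subj "/CN=www.example.test" \
    -addext "subjectAltName=DNS:www.example.test,DNS:example.test" -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 47 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# verify_leaf [INTERMEDIATES]: verify against the root only, optionally adding the
# intermediates a server would send. Never aborts the script; it returns
# openssl's message so callers can inspect it.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1 || true
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
  fi
}

# What the server must serve: leaf first, then intermediates, never the root.
build_fullchain() { cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"; }

# chain_subjects FILE: print the subject of each certificate in served order,
# so a misordered bundle is visible before it is deployed.
chain_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout | grep '^subject='
}

# key_matches_cert KEY CERT: compare SHA-256 digests of the DER-encoded public key.
# Unlike comparing RSA moduli, this works for ECDSA keys as well.
key_matches_cert() {
  k="$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)"
  c="$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)"
  [ "$k" = "$c" ]
}

build_pki
build_fullchain
echo "root only:         $(verify_leaf)"
echo "with intermediate: $(verify_leaf "$WORK/int.pem")"
chain_subjects "$WORK/fullchain.pem"
```

The first `verify_leaf` call is what a browser sees when the server omits the intermediate; the second is what it sees once `fullchain.pem` is deployed. Swap the two `cat` arguments in `build_fullchain` and `chain_subjects` shows the intermediate first, the misordering that some clients tolerate and others reject.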
Quick Troubleshooting Guide
| Error | Cause | Fix |
|---|---|---|
| NET::ERR_CERT_DATE_INVALID | Certificate expired or not yet valid, or the client clock is wrong | Renew the certificate; check system time on the client |
| NET::ERR_CERT_COMMON_NAME_INVALID | Hostname not among the certificate's SANs (the CN alone is ignored) | Reissue with every hostname listed as a SAN |
| NET::ERR_CERT_AUTHORITY_INVALID | Issuer not trusted: self-signed certificate, private CA not installed on the client, or missing intermediate | Use a publicly trusted CA or install your CA on clients; serve the intermediates |
| SSL_ERROR_RX_RECORD_TOO_LONG | Client spoke TLS to a port that answers in plaintext | Enable TLS on the listener (e.g. `listen 443 ssl`) |
| unable to get local issuer certificate | Incomplete chain, or the root is missing from the local trust store | Serve the full certificate chain |
For detailed troubleshooting, see our Troubleshooting SSL Certificate Errors Guide.
Certificate Transparency
Certificate Transparency (CT) logs provide public accountability for certificate issuance:
1. CA issues the certificate and submits it (as a precertificate) to one or more public CT logs.
2. Each log returns a Signed Certificate Timestamp (SCT), its promise to include the certificate within its merge delay.
3. The browser checks for SCTs, delivered embedded in the certificate, in a TLS extension, or inside the stapled OCSP response; Chrome and Safari refuse publicly trusted certificates that lack valid SCTs.
4. Domain owners monitor the logs for certificates they did not request.
Use our Certificate Transparency Lookup tool to:
- Discover all certificates issued for your domains
- Detect unauthorized certificate issuance
- Monitor for suspicious activity
- Export certificate inventory
Guide Directory
Fundamentals
- SSL vs TLS Difference - Protocol basics
- What is X.509 Certificate - Certificate structure
- Certificate Formats (PEM, DER, PFX, P7B) - Format conversion
- RSA vs ECDSA Certificates - Algorithm comparison
Lifecycle Management
- Certificate Lifecycle Management - Complete overview
- Planning & Procurement - Getting started
- Installation & Validation - Server setup
- Automation & Renewal - ACME automation
- Revocation & Incident Response - Emergency procedures
Practical Guides
- Nginx & Apache SSL Configuration - Web server setup
- Let's Encrypt Complete Guide - Certbot, ACME, DNS challenges
- Check Certificate Expiration - Monitoring basics
- CSR Generation - Creating requests
- Format Conversion - PEM to PFX and more
Troubleshooting
- Troubleshooting SSL Errors - Common issues
- Certificate Chain Issues - Chain problems
- Check if Certificate is Revoked - Revocation status
- Test SSL/TLS Configuration - Security testing
Advanced Topics
- TLS 1.3 vs 1.2 Security - Protocol hardening
- Wildcard vs SAN Certificates - Certificate type selection
- Certificate Transparency - CT logs
- Validity Period Changes - Industry trends
Specialized Use Cases
- Local Development Certificates - Dev environment
- Internal PKI Setup - Build your own CA
- HSM Certificate Storage - Hardware key protection
- Code Signing Certificates - Software signing
Tools
- X.509 Certificate Decoder - Analyze certificate details
- Certificate CSR Generator - Generate CSRs
- Certificate Transparency Lookup - Discover certificates
- SSL Certificate Checker - Test remote certificates
Conclusion
SSL/TLS certificate management is evolving rapidly. With validity periods shrinking from years to weeks, automation is no longer optional—it's essential. This guide connects 30+ specialized articles covering every aspect of certificate management, from basics to advanced topics like mTLS and OCSP stapling.
Key takeaways:
- Use DV certificates for most use cases (OV/EV provide diminishing value)
- Automate renewal with Certbot, cert-manager, or cloud-native solutions
- Enable OCSP stapling and HSTS for improved security and performance
- Monitor CT logs to detect unauthorized certificate issuance
- Prepare for 47-day validity by 2029—manual management won't scale
Start with the fundamentals, progress to lifecycle management, and master automation. Each linked guide provides deep expertise in its topic. Bookmark this hub and explore the specialized guides as you encounter new challenges.
For more security guides, explore our complete Security articles.