Complete SSL/TLS Guide 2024: Certificates, Protocols & HTTPS Security

Key Takeaways

TLS 1.3 is the current standard; TLS 1.2 is minimum acceptable.
SSL certificates verify website identity and enable encryption.
Let's Encrypt provides free, automated certificates.

HSTS prevents protocol downgrade attacks.
Certificate Transparency logs track all issued certificates.
CAA records specify authorized certificate authorities.

1. Introduction to SSL/TLS
2. The TLS Handshake
3. SSL Certificates
4. Setting Up HTTPS

5. Security Best Practices
6. Troubleshooting
7. Advanced Topics
8. Frequently Asked Questions

1. Introduction to SSL/TLS

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols designed to provide secure communications over a computer network. When you see HTTPS in your browser's address bar, you're using TLS to encrypt the connection between your browser and the web server.

TLS provides three key security properties: encryption (data confidentiality), authentication (verifying server identity), and integrity (ensuring data hasn't been modified). These properties protect against eavesdropping, impersonation, and tampering.

SSL vs TLS

Despite common usage, "SSL" is technically deprecated. SSL 3.0 (1996) had critical vulnerabilities. Modern connections use TLS 1.2 (2008) or TLS 1.3 (2018). When people say "SSL certificate," they mean a certificate used with TLS.

1.1 TLS Version History

Version	Year	Status	Notes
SSL 2.0	1995	❌ Insecure	Never use
SSL 3.0	1996	❌ Insecure	POODLE vulnerability
TLS 1.0	1999	❌ Deprecated	No longer compliant
TLS 1.1	2006	❌ Deprecated	No longer compliant
TLS 1.2	2008	✅ Supported	Widely used
TLS 1.3	2018	✅ Recommended	Fastest, most secure

2. The TLS Handshake

Before encrypted communication begins, client and server perform a handshake to establish a secure connection:

2.1 TLS 1.2 Handshake (Simplified)

Client Hello: Client sends supported TLS versions, cipher suites, and random data
Server Hello: Server selects TLS version and cipher suite, sends certificate
Key Exchange: Client verifies certificate, generates pre-master secret, encrypts with server's public key
Session Keys: Both sides derive session keys from the pre-master secret
Finished: Both sides confirm successful handshake

2.2 TLS 1.3 Improvements

TLS 1.3 reduces the handshake to 1 round-trip (1-RTT) instead of 2, significantly improving performance. It also supports 0-RTT resumption for returning connections, though with some security trade-offs.

# View TLS handshake details with OpenSSL
openssl s_client -connect example.com:443 -tls1_3

# Output shows TLS version, cipher suite, certificate chain

3. SSL Certificates

3.1 Certificate Types

Type	Validation	Trust Level	Use Case
DV	Domain control only	Basic	Personal sites, blogs
OV	Organization verified	Medium	Business websites
EV	Extended verification	Highest	Banking, e-commerce
Wildcard	*.domain.com	Varies	Multiple subdomains
SAN/UCC	Multiple domains	Varies	Multiple sites

3.2 Certificate Components

Subject: Domain name and organization details
Issuer: Certificate Authority that signed the certificate
Validity: Not Before and Not After dates
Public Key: Server's public key for encryption
Signature: CA's cryptographic signature validating the certificate

4. Setting Up HTTPS

4.1 Let's Encrypt with Certbot

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Obtain certificate (Nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Obtain certificate (standalone)
sudo certbot certonly --standalone -d example.com

# Auto-renewal test
sudo certbot renew --dry-run

# Renewal cron job (usually added automatically)
0 0 * * * /usr/bin/certbot renew --quiet

4.2 Nginx HTTPS Configuration

server {
    listen 443 ssl http2;
    server_name example.com;
    
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    
    # Modern TLS configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    
    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;
    
    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

5. Security Best Practices

5.1 HSTS (HTTP Strict Transport Security)

HSTS tells browsers to always use HTTPS, preventing protocol downgrade attacks:

# Nginx header
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

5.2 CAA Records

CAA DNS records specify which Certificate Authorities can issue certificates for your domain:

# DNS CAA records
example.com.  IN  CAA  0 issue "letsencrypt.org"
example.com.  IN  CAA  0 issuewild "letsencrypt.org"
example.com.  IN  CAA  0 iodef "mailto:[email protected]"

5.3 Certificate Transparency

CT logs publicly record all issued certificates. Monitor your domains for unauthorized certificate issuance using services like crt.sh.

SSL Test Score A+

Use SSL Labs (ssllabs.com/ssltest) to verify your configuration. For an A+ rating: enable HSTS, use only TLS 1.2+, configure strong cipher suites, and enable OCSP stapling.

6. Troubleshooting

# Check certificate details
openssl s_client -connect example.com:443

# Check certificate expiration
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# View certificate chain
openssl s_client -showcerts -connect example.com:443

# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

6.1 Common Issues

Error	Cause	Solution
Certificate expired	Cert not renewed	Renew certificate, fix auto-renewal
Name mismatch	Wrong domain on cert	Reissue with correct SANs
Untrusted issuer	Self-signed or unknown CA	Use trusted CA certificate
Chain incomplete	Missing intermediate	Include full certificate chain

7. Advanced Topics

7.1 Certificate Pinning

Pins a specific certificate or public key, but requires careful management to avoid breaking your site.

7.2 mTLS (Mutual TLS)

Both client and server present certificates, common for API authentication and Zero Trust architectures.

7.3 TLS Fingerprinting

JA3/JA3S fingerprinting identifies clients and servers by their TLS characteristics, used for security and detection.

8. Frequently Asked Questions

Do I need to pay for an SSL certificate?

No. Let's Encrypt provides free, trusted certificates suitable for most websites. Paid certificates (OV, EV) provide additional identity verification but don't provide stronger encryption.

Does HTTPS slow down my website?

TLS adds minimal overhead, especially with TLS 1.3. In fact, HTTPS enables HTTP/2 and HTTP/3 which can make sites faster. Any modern server handles TLS with negligible performance impact.

Conclusion

SSL/TLS is essential for web security. With free certificates from Let's Encrypt and modern TLS 1.3, there's no reason not to use HTTPS everywhere. Configure it properly with HSTS, strong ciphers, and regular certificate renewal for maximum security.

Continue Learning:
HTTPS Explained TLS Handshake