What Is an SSL/TLS Certificate?
An SSL/TLS certificate is a digital document that binds a public key to an identity (domain name, organization). It's issued by a Certificate Authority (CA) and used to establish encrypted HTTPS connections. Certificates follow the X.509 standard and are typically encoded in PEM format (Base64 between `-----BEGIN CERTIFICATE-----` markers) or DER format (raw binary).
Certificate Fields Explained
| Field | Description |
|---|---|
| Subject | The entity the certificate is issued to (CN = Common Name = domain) |
| Issuer | The Certificate Authority that signed the certificate |
| Valid From / To | The certificate's validity period |
| Serial Number | Unique identifier assigned by the CA |
| Public Key | The public key used for key exchange (RSA, ECDSA) |
| Signature Algorithm | How the CA signed the cert (e.g., SHA256withRSA) |
| SANs | Subject Alternative Names — additional domains/IPs covered |
| Key Usage | What the key can be used for (digital signature, key encipherment) |
Inspecting a Certificate with OpenSSL
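```bash
# Parse a PEM certificate file
openssl x509 -in certificate.pem -text -noout

# Check a live server's certificate
# (-servername sends SNI so the right certificate is returned; </dev/null closes the session instead of waiting for input)
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

# Check expiry date only
openssl x509 -in cert.pem -noout -dates

# Check which domains are covered (SANs); -ext requires OpenSSL 1.1.1 or later
openssl x509 -in cert.pem -noout -ext subjectAltName

# Verify certificate chain
openssl verify -CAfile ca-bundle.crt certificate.pem
```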
Certificate Chain of Trust
Browsers trust certificates through a chain: your server certificate is signed by an Intermediate CA, which is signed by a Root CA. Root CAs are pre-installed in your OS and browser. If any link in the chain is missing or expired, browsers show a security warning. Always include the full chain (server cert + intermediates) in your server configuration.
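
The missing-intermediate failure described above, reproduced as an added example (not part of the original page): it builds a constructed root, intermediate and leaf certificate for the placeholder name `demo.example`, then verifies the leaf the way a client does, trusting only the root. All function names, file names and subjects are assumptions made for the demo.

```bash
# Added example: constructed three-tier PKI; every name and file here is a placeholder.
build_demo_chain() {  # $1 = empty working directory
  d=$1
  cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:demo.example
EOF
  # Root CA: self-signed, stands in for a root pre-installed in the OS/browser.
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/ext.cnf" -extensions v3_ca \
    -subj "/CN=Demo Root CA" -days 30 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate CA and leaf: each is a CSR signed by the tier above it.
  issue "$d" int "Demo Intermediate CA" root v3_ca 2 || return 1
  issue "$d" leaf "demo.example" int v3_leaf 3 || return 1
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"  # what the server should send
}

issue() {  # args: dir, name, CN, signer name, extension section, serial
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ext.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" -set_serial "$6" \
    -extfile "$1/ext.cnf" -extensions "$5" -days 30 -out "$1/$2.pem" 2>/dev/null
}

# Validate the leaf as a client would: only the root is trusted, and the file
# the server sends (-untrusted) is the only source of intermediates.
client_verify() {  # args: dir, file the server sends
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  w=$(mktemp -d) && build_demo_chain "$w" || return 1
  client_verify "$w" leaf.pem      && echo "leaf only:  OK" || echo "leaf only:  FAIL (issuer missing)"
  client_verify "$w" fullchain.pem && echo "full chain: OK" || echo "full chain: FAIL"
  rm -rf "$w"
}
demo
```

The leaf-only case fails because the client has no way to link the leaf to the trusted root; sending `fullchain.pem` supplies the missing intermediate.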