SSL/TLS Explained for Beginners: HTTPS, Certificates, and Encryption


Quick Answer: SSL/TLS encrypts traffic between a browser and a server. HTTPS = HTTP + TLS encryption. Get a free certificate: sudo apt install certbot python3-certbot-nginx && sudo certbot --nginx -d yourdomain.com. The padlock in your browser means the connection is encrypted.

What is SSL/TLS?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are encryption protocols that protect data in transit. TLS is the modern replacement for SSL, but people still say "SSL" to mean both.

Without TLS:

Browser → [plain text: password123] → Server
Anyone on the network can read it

With TLS:

Browser → [encrypted: a8f3k2...] → Server
Only the server can decrypt it

What is HTTPS?

HTTPS is just HTTP wrapped in TLS encryption:

| | HTTP | HTTPS |
|---|---|---|
| URL | http://example.com | https://example.com |
| Port | 80 | 443 |
| Encrypted | No | Yes |
| Padlock | No | Yes |
| SEO | Lower ranking | Google prefers HTTPS |

How TLS Works (Simplified)

  1. Browser connects to https://example.com
  2. Server sends its certificate (proves identity)
  3. Browser verifies the certificate is valid and trusted
  4. They agree on an encryption key (TLS handshake)
  5. All data is encrypted from this point on

The whole handshake takes ~50-100 milliseconds.

What is a Certificate?

A certificate is a digital document that proves a server's identity. It contains:

  • Domain name — which domain it's valid for
  • Public key — used for encryption
  • Issuer — who verified the domain (Certificate Authority)
  • Expiry date — certificates expire (usually 90 days for Let's Encrypt)
  • Signature — cryptographic proof it wasn't tampered with

Certificate Types

| Type | Validates | Cost | Use |
|---|---|---|---|
| DV (Domain Validation) | You own the domain | Free (Let's Encrypt) | Websites, APIs |
| OV (Organization Validation) | Domain + organization identity | $50-200/year | Business sites |
| EV (Extended Validation) | Domain + org + legal verification | $100-500/year | Banks, government |

For 99% of websites, DV (Let's Encrypt) is all you need. It provides the same encryption as a $500 EV certificate.

Get a Free Certificate (Let's Encrypt)

With Nginx

# Install Certbot
sudo apt install certbot python3-certbot-nginx -y

# Get certificate (auto-configures Nginx)
sudo certbot --nginx -d example.com -d www.example.com

# Auto-renewal is set up automatically. Test it:
sudo certbot renew --dry-run

With Apache

sudo apt install certbot python3-certbot-apache -y
sudo certbot --apache -d example.com

Standalone (No Web Server)

sudo certbot certonly --standalone -d example.com
# Temporarily uses port 80 — stop your web server first

Certificate Files

After Certbot runs, your files are at:

/etc/letsencrypt/live/example.com/fullchain.pem   # Certificate + chain
/etc/letsencrypt/live/example.com/privkey.pem     # Private key

Auto-Renewal

Certbot sets up a cron job or systemd timer automatically. Certificates renew 30 days before expiry. Verify:

sudo certbot renew --dry-run
systemctl list-timers | grep certbot

Check a Certificate

Browser

Click the padlock icon in the address bar, then "Certificate" or "Connection is secure" to view details.

Command Line

# Check a website's certificate
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer

# Check expiry only
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -enddate
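
To turn the first command's output into a monitoring check, this added example (not part of the original page) parses the notBefore/notAfter lines and flags a certificate that has fewer than 30 days left, which means auto-renewal has not run. The function names, status labels, and sample output are assumptions constructed for illustration.

```python
import ssl
import sys
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 30  # Certbot renews 30 days before expiry (see Auto-Renewal)

# Constructed sample of `openssl x509 -noout -dates -subject -issuer` output.
SAMPLE = """\
notBefore=Mar  1 00:00:00 2025 GMT
notAfter=May 30 00:00:00 2025 GMT
subject=CN = example.com
issuer=O = Example CA, CN = Example Issuing CA
"""

def parse_openssl_fields(text):
    """Turn the 'key=value' lines printed by openssl x509 into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter", "subject", "issuer"):
            fields[key.strip()] = value.strip()
    return fields

def check_validity(text, now=None):
    """Return (status, days_left); `now` is a Unix timestamp (default: current time)."""
    fields = parse_openssl_fields(text)
    if "notBefore" not in fields or "notAfter" not in fields:
        return ("no-certificate", None)  # the connection failed, nothing to parse
    now = datetime.now(timezone.utc).timestamp() if now is None else now
    not_before = ssl.cert_time_to_seconds(fields["notBefore"])
    not_after = ssl.cert_time_to_seconds(fields["notAfter"])
    days_left = int((not_after - now) // 86400)
    if now < not_before:
        return ("not-yet-valid", days_left)
    if now >= not_after:
        return ("expired", days_left)  # browsers show NET::ERR_CERT_DATE_INVALID
    if days_left < RENEW_WINDOW_DAYS:
        return ("renewal-overdue", days_left)  # renewal should already have happened
    return ("ok", days_left)

if __name__ == "__main__":
    # Pipe the openssl command into this script, or run it bare to use SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(check_validity(text), parse_openssl_fields(text).get("subject"))
```

A "renewal-overdue" result on a Let's Encrypt certificate is the cue to run sudo certbot renew --dry-run and check the timer before the certificate actually expires.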

Online Tool

Use our SSL Certificate Checker to check any domain's certificate, chain, and security grade.

Common SSL Errors

| Error | What it means | Fix |
|---|---|---|
| NET::ERR_CERT_DATE_INVALID | Certificate expired | Renew: certbot renew |
| NET::ERR_CERT_COMMON_NAME_INVALID | Certificate is for a different domain | Get cert for correct domain |
| NET::ERR_CERT_AUTHORITY_INVALID | Self-signed or untrusted CA | Use Let's Encrypt instead |
| ERR_SSL_PROTOCOL_ERROR | TLS version mismatch | Update server TLS config |
| ERR_SSL_VERSION_OR_CIPHER_MISMATCH | Old TLS version or weak cipher | Set minimum TLS 1.2 |
| Mixed content warnings | HTTPS page loads resources over plain HTTP | Change all URLs to https:// |

TLS Versions

| Version | Status | Use? |
|---|---|---|
| SSL 2.0 | Broken | Never |
| SSL 3.0 | Broken | Never |
| TLS 1.0 | Deprecated | No |
| TLS 1.1 | Deprecated | No |
| TLS 1.2 | Current | Yes |
| TLS 1.3 | Latest | Yes (preferred) |

Set minimum version in Nginx:

ssl_protocols TLSv1.2 TLSv1.3;
