
SSL/TLS Certificates

Digital certificates issued by Certificate Authorities that authenticate a server's identity and negotiate encrypted communication channels between clients and servers.

Definition

SSL/TLS certificates are X.509 digital documents that bind a public key to an identity — typically a domain name or organization. When a client connects to a server, the certificate is presented during the TLS handshake to prove the server is who it claims to be and to establish the parameters for an encrypted session. Certificates are signed by a trusted Certificate Authority (CA), creating a chain of trust the client can verify.

Why It Matters

A misconfigured or expired certificate is both a security risk and an operational failure. Weak cipher suites, expired validity dates, self-signed certificates on public-facing services, or certificates issued to unexpected domains can indicate misconfiguration, shadow IT, or active interception. Certificate Transparency logs also make certificate issuance publicly auditable, which threat intelligence teams use to detect phishing infrastructure mimicking legitimate domains.

How It Works

A Certificate Authority validates the requester's control over the domain (Domain Validation) or their organizational identity (OV/EV), then signs the certificate. The signed certificate is installed on the server and presented during TLS handshakes. Clients verify the signature against the CA's root certificate embedded in their trust store. TLS configuration quality — supported protocol versions, cipher suites, key lengths, HSTS enforcement — determines the effective security of the connection.
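An added example (not part of the original page and not DFIR Lab's code): a check for the certificate problems named above (expired validity dates, self-signed certificates, certificates issued to unexpected domains), run over dicts in the shape that Python's ssl.SSLSocket.getpeercert() returns. The helper name audit_cert, the finding names, and both sample certificates are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def _flatten(name):
    # getpeercert() encodes a DN as a tuple of RDNs, each a tuple of (key, value)
    return {k: v for rdn in name for k, v in rdn}

def _matches(pattern, host):
    # A wildcard is honoured only as the whole left-most label
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def audit_cert(cert, expected_host, now, warn_days=30):
    """Return finding names for one certificate dict (hypothetical helper)."""
    findings = []
    ts = now.timestamp()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not_yet_valid")
    if ts > not_after:
        findings.append("expired")
    elif not_after - ts < warn_days * 86400:
        findings.append("expires_soon")
    # subject == issuer is the usual sign of a self-signed certificate
    # (heuristic: the signature itself is not verified here)
    if _flatten(cert["subject"]) == _flatten(cert["issuer"]):
        findings.append("self_issued")
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_matches(s, expected_host) for s in sans):
        findings.append("hostname_mismatch")
    return findings

# Constructed sample data (not real certificates)
GOOD = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "Example Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
STALE = {
    "subject": ((("commonName", "intranet.example.test"),),),
    "issuer": ((("commonName", "intranet.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "intranet.example.test"),),
}
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
```

getpeercert() only returns a populated dict when the chain was validated, so a certificate the trust store rejects has to be decoded from its DER bytes with a separate X.509 parser before a check like this can run.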

DFIR Platform

The DFIR Lab Exposure Scanner evaluates SSL/TLS certificate validity, configuration, and grading via SSL Labs as one of its 11 intelligence providers. Issues such as expired certificates, deprecated TLS versions, weak ciphers, and missing HSTS headers are surfaced as findings. The Domain Lookup tool at dfir-lab.ch/domain-lookup also returns TLS certificate details for any queried domain.

Related Concepts

Certificate Transparency, Attack Surface Management, DNS Security
