Post

I Have No Idea How Ssl Certificates Work

Posted
By Usman Masood Ashraf
views 8 min read

I Have No Idea How SSL Certificates Work

Introduction

You’re not alone if the phrase “SSL certificate renewal” triggers mild panic. Despite being fundamental to modern security infrastructure, SSL/TLS certificates remain one of the most misunderstood components in DevOps and sysadmin workflows. A recent Reddit thread captured this frustration perfectly: “I’ve worked in IT for years but still fumble through certificate renewals with help from colleagues or online forums.”

This knowledge gap matters more than ever. With 95% of web traffic now encrypted (according to Google’s transparency report), SSL/TLS isn’t just for e-commerce anymore. Misconfigured certificates can:

  1. Expose critical systems to man-in-the-middle attacks
  2. Trigger costly service outages during expiration events
  3. Create compliance violations in regulated industries
  4. Degrade application performance through improper cipher choices

This guide bridges the gap between certificate frustration and mastery. You’ll learn not just how to renew certificates, but understand:

  • The cryptographic handshake process
  • Certificate Authority (CA) trust chains
  • Key differences between TLS versions
  • Automation strategies for certificate lifecycle management
  • Security hardening best practices

Whether you’re managing homelab setups or enterprise infrastructure, these concepts form the foundation of modern security hardening, access control, and threat prevention.

Understanding SSL/TLS Certificates

What SSL Certificates Actually Do

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) serve three primary security functions:

  1. Authentication: Verifies server identity via X.509 certificates
  2. Encryption: Creates secure channels using symmetric cryptography
  3. Integrity: Prevents tampering through message authentication codes (MACs)

Contrary to popular belief, SSL certificates don’t “encrypt” data directly. They facilitate secure key exchange that enables encryption.

The TLS Handshake Demystified

Here’s what happens during a TLS 1.3 handshake:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Client                                                  Server

ClientHello
(Random, Cipher Suites, SNI)
                  -------->
                                     ServerHello
                                   (Random, Cipher Suite)
                              {EncryptedExtensions}
                                     {Certificate}
                               {CertificateVerify}
                         <--------       {Finished}

{Certificate*}
{CertificateVerify*}
{Finished}                -------->
[Application Data]        <------->      [Application Data]

*Certificate messages are optional for client authentication

Key phases:

  1. Negotiation: Client and server agree on protocol version and cipher suite
  2. Authentication: Server presents certificate signed by trusted CA
  3. Key Exchange: Ephemeral keys generated using ECDHE or DH
  4. Encryption: Symmetric session keys derived for bulk encryption

Certificate Components Explained

A typical X.509 certificate contains:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 04:d1:48:93:fc:... 
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Apr  1 00:00:00 2024 GMT
        Subject: CN=example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:www.example.com
    Signature Algorithm: sha256WithRSAEncryption

Critical elements:

  • Subject: Entity being certified (usually domain name)
  • Issuer: Certificate Authority (CA) that signed the certificate
  • Public Key: Used for asymmetric encryption operations
  • Extensions: Additional constraints (SANs, usage restrictions)

Trust Chains and Certificate Authorities

The browser trust model relies on a hierarchical chain:

1
2
3
4
5

Root Certificate (self-signed)
  ↓
Intermediate Certificate (signed by root)
  ↓
End-Entity Certificate (signed by intermediate)

Major root programs include:

  • Commercial CAs: DigiCert, Sectigo, GlobalSign
  • Non-profit CAs: Let’s Encrypt, SSL.com
  • Private PKI: Self-signed/internal CAs

As of 2024, all public TLS certificates have maximum validity of:

  • 398 days for DV/OV certificates
  • 90 days for Let’s Encrypt certificates

TLS Version Comparison

VersionRelease YearStatusKey Improvements
SSL 2.01995DeprecatedInitial release (insecure)
SSL 3.01996DeprecatedPOODLE vulnerability
TLS 1.01999DeprecatedStandardized version
TLS 1.12006DeprecatedCBC attacks protection
TLS 1.22008Active (legacy)AEAD ciphers, SHA-256 support
TLS 1.32018Recommended0-RTT, removed insecure features

Prerequisites

System Requirements

Before working with certificates:

  1. Domain Control: Ability to create DNS records
  2. Server Access: Root/sudo privileges on target systems
  3. Firewall Rules: Open port 443 (HTTPS) and 80 (HTTP-01 challenge)
  4. Time Sync: Working NTP client (cert validity depends on accurate time)
  5. Package Management: OpenSSL 1.1.1+ or equivalent

Required Software

1
2
3
4
5
6
7
8
9

# Ubuntu/Debian
sudo apt install openssl certbot nginx-core

# RHEL/CentOS
sudo dnf install openssl certbot nginx

# Verify OpenSSL version
openssl version
# OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)

Security Considerations

  1. Private Key Protection:
    • Generate keys on secure systems
    • Use 400 permissions (chmod 400 private.key)
    • Never commit keys to version control
  2. Certificate Transparency:
    • Monitor logs via https://crt.sh
    • Configure Expect-CT headers
  3. Revocation:
    • Maintain OCSP responder access
    • Monitor CRL expiration dates

Installation & Setup

Generating a CSR (Certificate Signing Request)

1
2
3
4
5
6
7

# Generate private key (EC-P256 recommended)
openssl ecparam -genkey -name prime256v1 -out private.key

# Generate CSR
openssl req -new -key private.key -out request.csr \
  -subj "/CN=example.com" \
  -addext "subjectAltName = DNS:example.com,DNS:www.example.com"

CSR best practices:

  • Use SANs (Subject Alternative Names) for multi-domain certificates
  • Key size recommendations:
    • RSA: 2048-bit (minimum), 3072-bit (recommended)
    • ECDSA: P-256 (prime256v1)

Certificate Issuance Options

Let’s Encrypt (ACME Protocol)

1
2
3
4
5
6
7
8

# Install Certbot
sudo apt install certbot python3-certbot-nginx

# Obtain certificate (Nginx plugin)
sudo certbot --nginx -d example.com -d www.example.com

# Dry run renewal test
sudo certbot renew --dry-run

Commercial CA Process

  1. Generate CSR
  2. Submit to CA portal
  3. Complete domain validation:
    • DNS-01: Create TXT record
    • HTTP-01: Host challenge file
    • Email: Click validation link
  4. Download certificate chain

Server Configuration

Nginx TLS Configuration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

server {
    listen 443 ssl http2;
    server_name example.com;
    
    ssl_certificate /etc/ssl/certs/example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/private.key;
    
    # TLS 1.3 only
    ssl_protocols TLSv1.3;
    
    # Preferred ciphers for TLS 1.2
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    
    # HSTS (1 year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
}

Apache Configuration

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile "/etc/pki/tls/certs/fullchain.pem"
    SSLCertificateKeyFile "/etc/pki/tls/private/private.key"
    
    # Intermediate configuration
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLHonorCipherOrder     on
    SSLCompression          off
    
    # Enable OCSP stapling
    SSLUseStapling          on
    SSLStaplingCache        "shmcb:logs/stapling_cache(128000)"
</VirtualHost>

Verification Steps

1
2
3
4
5
6
7
8
9
10

# Check certificate chain
openssl s_client -connect example.com:443 -servername example.com -showcerts

# Verify private key match
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
# Both should output identical hashes

# Test TLS handshake
openssl s_client -connect example.com:443 -tls1_3

Configuration & Optimization

Security Hardening

Mozilla SSL Configuration Generator Recommendations (Intermediate Profile):

1
2
3
4
5
6
7
8
9
10

ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;  # ~40,000 sessions
ssl_session_tickets off;

# Modern configuration (TLS 1.3 only)
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;

# HSTS (preload included in submitted headers)
add_header Strict-Transport-Security "max-age=63072000" always;

Critical Security Headers:

1
2
3
4
5
6
7
8

# X-Frame-Options to prevent clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;

# Content Security Policy
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';" always;

# X-Content-Type-Options
add_header X-Content-Type-Options "nosniff" always;

Performance Optimization

  1. OCSP Stapling:
    • Reduces handshake latency by embedding revocation status
    • Configure with ssl_stapling on; in Nginx
  2. Session Resumption:
    • TLS 1.3 supports 0-RTT data (use cautiously)
    • Session tickets vs. session IDs:
      1
2

      ssl_session_tickets on; # Faster, less secure
ssl_session_tickets off; # More secure, uses cache
  3. TLS False Start:
    • Enabled by default in modern browsers
    • Requires Forward Secrecy cipher suites
  4. HTTP/2 Optimization:
    1
2
3

    listen 443 ssl http2;
http2_max_concurrent_streams 128;
gzip on;

Certificate Lifecycle Automation

Certbot Renewal Setup:

1
2
3
4
5
6
7
8

# Create renewal config
sudo certbot renew --post-hook "systemctl reload nginx" \
  --pre-hook "service nginx stop" \
  --deploy-hook "echo 'Certificate updated!' | mail -s 'Cert Renewal' admin@example.com"
  
# Systemd timer (auto-renewal)
systemctl list-timers | grep certbot
# certbot.timer - loaded active waiting Certbot renewal timer

Monitoring Certificate Expiry:

1
2
3
4
5
6
7

# Command-line check
openssl x509 -enddate -noout -in certificate.pem
# notAfter=Apr  1 00:00:00 2024 GMT

# Nagios plugin example
./check_http -S -H example.com -C 30,14
# SSL OK - Certificate 'example.com' expires in 89 days

Usage & Operations

Common Certificate Operations

Convert Between Formats:

1
2
3
4
5
6

# PEM to PFX (for Windows systems)
openssl pkcs12 -export -out certificate.pfx \
  -inkey private.key -in certificate.crt -certfile chain.crt

# DER to PEM conversion
openssl x509 -inform der -in certificate.der -out certificate.pem

Check Certificate Details:

1
2

openssl x509 -text -noout -in certificate.crt
# Shows all extensions, issuer, validity periods

Renewal Workflow

  1. Pre-renewal (30 days before expiration):
    • Check automation systems
    • Validate backup procedures
    • Test revocation processes
  2. Renewal Execution:
    1
2
3
4
5
6

    # Manual ACME renewal
certbot certonly --manual --preferred-challenges dns \
  -d example.com --server https://acme-v02.api.letsencrypt.org/directory
   
# Automated renewal
certbot renew --force-renewal
  3. Post-renewal:
    • Verify certificate chain
    • Test HTTPS connectivity
    • Check OCSP stapling status
    • Update monitoring systems

Certificate Revocation

Let’s Encrypt Revocation:

1
2

certbot revoke --cert-path /etc/letsencrypt/live/example.com/cert.pem \
  --reason keycompromise

Commercial CA Process:

  1. Log in to CA portal
  2. Locate certificate
  3. Submit revocation request
  4. Select reason code:
    • Key compromise (0)
    • CA compromise (1)
    • Affiliation changed (3)
    • Superseded (4)
    • Cessation of operation (5)

Troubleshooting

Common Issues and Solutions

SymptomLikely CauseDiagnostic CommandFix
“SSL_ERROR_BAD_CERT_DOMAIN”Missing SANopenssl x509 -text -in cert.pemReissue cert with correct SAN entries
“ERR_CERT_DATE_INVALID”System clock driftdate; openssl x509 -enddate -nooutSync NTP service
“CERTIFICATE_VERIFY_FAILED”Broken trust chainopenssl s_client -showcerts -connectInstall intermediate certificates
“SSL handshake failed”Protocol mismatchnmap --script ssl-enum-ciphersAdjust ssl_protocols configuration
OCSP stapling errorsMissing responder URLopenssl s_client -statusConfigure OCSP in web server

Debugging Handshake Failures

1
2
3
4
5

# Test TLS 1.2 connection
openssl s_client -connect example.com:443 -tls1_2

# Test specific cipher
openssl s_client -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect
Open Source, Reddit Guides, Monitoring
homelab sysadmin how-to tools monitoring observability security hardening
This post is licensed under CC BY 4.0 by the author.