The short version
A TLS certificate is what makes HTTPS work. It binds your domain name to a public key and does two things: it lets the browser prove that the server it's talking to is actually the one it claims to be, and it lets the two sides set up an encrypted connection. The authentication part is what stops an attacker sitting between the user and your server from substituting their own key, which is why browsers treat a bad certificate as a hard failure rather than a cosmetic one.
Without a valid certificate, browsers show scary warning pages and users leave. An expired or misconfigured certificate is one of the fastest ways to lose traffic and trust.
How certificates work
When your browser connects to an HTTPS site:
- The server sends its TLS certificate.
- The browser checks: Was this certificate signed by a Certificate Authority (CA) it trusts, through an unbroken chain of signatures to a root in its trust store? Does it cover this hostname? Is the current time inside its validity period? Has it been revoked?
- If everything checks out, the browser and server establish an encrypted connection.
- If anything fails, the browser shows a warning.
The certificate contains your domain name (in the Subject Alternative Name field), the public key, a validity period (not-before and not-after dates), and the CA's digital signature over all of it. The matching private key stays on your server and is never sent. The CA's signature is what makes the certificate trustworthy: browsers and operating systems ship with a list of trusted root CAs and verify the chain of signatures from your certificate, through any intermediates, up to one of those roots.
Let's Encrypt changed everything
Before 2015, TLS certificates cost money and required manual renewal. Many small sites didn't bother with HTTPS.
Let's Encrypt changed that by providing free, automated certificates. Today, there's no cost barrier to HTTPS. Most hosting platforms integrate with Let's Encrypt or provide their own certificates automatically.
Common mistakes
Letting certificates expire
TLS certificates have expiration dates: 90 days for Let's Encrypt, and at most 398 days (about 13 months) for any publicly trusted certificate, paid ones included. When a certificate expires, browsers display a full-page warning that blocks access to your site, and API clients and mobile apps that talk to your server simply fail.
Fix: Use automatic renewal. Let's Encrypt's Certbot handles this, and most distribution packages install a systemd timer or cron job that runs certbot renew on a schedule. If you're on Vercel, Netlify, or Cloudflare, renewal is automatic. If you manage your own server, make sure that timer or cron job exists, confirm it works with certbot renew --dry-run, and monitor the expiry date independently so a silently failing renewal is caught well before the deadline.
Certificate doesn't match the domain
If your certificate is for example.com but your site is served from www.example.com, the browser shows a warning. Browsers match the hostname against the certificate's Subject Alternative Names (the subject Common Name is ignored), and the match must be exact unless the name is a wildcard (*.example.com). A wildcard covers exactly one label: *.example.com matches www.example.com and api.example.com, but not example.com itself and not a.b.example.com.
Fix: Make sure your certificate covers every hostname your site is served from. List them all as Subject Alternative Names (SANs) on one certificate; a typical certificate carries both example.com and www.example.com.
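The checks described under "How certificates work" and the two mistakes above (expiry and name mismatch) can be exercised offline against a certificate's fields. The following is an added example, not code from the original page: it takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, applies the validity-window and browser-style hostname rules, and also flags a certificate that is close to expiry, which is the check a renewal monitor wants. The certificate values (names, dates, issuer) are constructed for the example.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Not a real certificate; the dates, names and issuer are invented for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "notBefore": "Jan 10 00:00:00 2030 GMT",
    "notAfter": "Apr 10 23:59:59 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def hostname_matches(pattern, hostname):
    """Match one subjectAltName dNSName against a hostname the way browsers do (RFC 6125).

    A wildcard is honoured only as the entire leftmost label and covers exactly
    one label: *.example.com matches www.example.com but neither example.com
    nor a.b.example.com. Partial wildcards (f*.example.com) and wildcards on a
    top-level domain (*.com) are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def covers_hostname(cert, hostname):
    """True if any DNS SAN covers the hostname. Browsers ignore the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(pattern, hostname) for pattern in sans)


def _as_epoch(when):
    """Accept an epoch float or a 'Mon DD HH:MM:SS YYYY GMT' string (the certificate's own format)."""
    return ssl.cert_time_to_seconds(when) if isinstance(when, str) else when


def validity_status(cert, now=None):
    """Return (status, days_left); status is 'valid', 'expired' or 'not_yet_valid'."""
    now = time.time() if now is None else _as_epoch(now)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (not_after - now) / 86400
    if now < not_before:
        return "not_yet_valid", days_left
    if now > not_after:
        return "expired", days_left
    return "valid", days_left


def check_certificate(cert, hostname, now=None, renew_within_days=30):
    """Collect the problems a browser would reject on, plus an early renewal warning."""
    problems = []
    status, days_left = validity_status(cert, now)
    if status != "valid":
        problems.append(f"certificate is {status}")
    elif days_left < renew_within_days:
        problems.append(f"certificate expires in {days_left:.0f} days; renew now")
    if not covers_hostname(cert, hostname):
        problems.append(f"no subjectAltName covers {hostname}")
    return problems


if __name__ == "__main__":
    for host in ("www.example.com", "example.com", "a.b.example.com", "example.org"):
        print(host, check_certificate(SAMPLE_CERT, host, now="Feb 01 00:00:00 2030 GMT"))
```

The 30-day renewal threshold is a choice for the example, matched to Let's Encrypt's 90-day lifetime: Certbot itself renews at 30 days remaining, so anything still inside that window is a renewal that has already failed at least once.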
Mixed content
Your page loads over HTTPS, but some resources (images, scripts, fonts, stylesheets) load over plain HTTP. This is mixed content. Browsers block active mixed content (scripts, stylesheets, iframes) outright, because a network attacker who can tamper with it controls the whole page, and either upgrade or block passive content such as images, audio and video.
Fix: Make sure all resources use https:// URLs. Protocol-relative URLs (//cdn.example.com/file.js) also work on an HTTPS page but are a legacy pattern; just write https://. Adding the Content-Security-Policy directive upgrade-insecure-requests makes the browser rewrite any remaining http:// sub-resource requests to https:// before sending them. The MDN mixed content guide explains the two types of mixed content (active and passive) and their impact.
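To find mixed content before a browser does, scan the HTML for sub-resources with http:// URLs. The following is an added example and not code from the original page: a small scanner built on Python's standard-library HTML parser that reports each insecure sub-resource as active or passive, and a rewriter that upgrades only those URLs, leaving navigation links alone. The sample page and its hostnames are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tags that load a sub-resource, the attribute holding its URL, and how browsers
# classify it: "active" content (scripts, stylesheets, frames, plugins) is blocked
# outright when fetched over http from an https page; "passive" content (images,
# audio, video) is upgraded to https or blocked, depending on the browser.
RESOURCE_ATTRS = {
    "script": ("src", "active"),
    "iframe": ("src", "active"),
    "link": ("href", "active"),
    "object": ("data", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}

# Constructed page used as sample input; the hostnames are invented for the example.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<img src="//images.example.com/hero.png">
<a href="http://example.com/about">About</a>
</body></html>"""


class MixedContentScanner(HTMLParser):
    """Collect (tag, url, kind) for every sub-resource an https page would fetch over http."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attr_name, kind = RESOURCE_ATTRS[tag]
        attrs = dict(attrs)
        # <link rel="canonical"> and similar are metadata, not loaded resources.
        if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
            return
        url = attrs.get(attr_name)
        if url and urlsplit(url).scheme.lower() == "http":
            self.findings.append((tag, url, kind))


def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def upgrade_url(url):
    """Rewrite http:// to https://; https, relative and protocol-relative URLs are left alone."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def upgrade_html(html):
    """Rewrite only the flagged resource URLs, leaving navigation links (<a href>) untouched.

    HTMLParser unescapes attribute values, so a URL containing an entity such as
    &amp; would not be found verbatim by str.replace; the sample avoids them.
    """
    for _tag, url, _kind in find_mixed_content(html):
        html = html.replace(url, upgrade_url(url))
    return html


if __name__ == "__main__":
    for tag, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url}")
```

Rewriting a URL to https:// only helps if that host actually serves HTTPS; run the scanner on the rewritten page and then fetch each upgraded URL once before deploying, otherwise a blocked resource becomes a broken one.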
Incomplete certificate chain
Your certificate is valid, but the server doesn't send the intermediate certificate(s) that connect it to a trusted root CA. Some browsers work around this, either by caching intermediates they have seen before or by fetching them from the URL in the certificate's Authority Information Access extension; others show a warning, and most non-browser clients (curl, mobile apps, server-to-server calls) fail outright. The result is a site that works in your browser and breaks for everyone else.
Fix: Configure your server to send the full chain (your certificate followed by the intermediates), which is what Certbot's fullchain.pem contains. Qualys SSL Labs will flag this as "chain issues" in its test, and openssl s_client -connect example.com:443 -showcerts shows exactly which certificates the server sends.
Self-signed certificates in production
Self-signed certificates trigger browser warnings because they're not signed by a trusted CA, so the browser has no way to tell your self-signed certificate from an attacker's. They're fine for local development but never appropriate for production, and training users to click through the warning makes them easier to phish later.
Fix: Use Let's Encrypt. It's free. For internal services that can't get a public certificate, run a private CA and install its root only on the devices you manage; never ask users to click through warnings.
Validation levels
Not all certificates are equal. There are three validation levels:
- Domain Validation (DV): Proves you control the domain. Cheapest, fastest (Let's Encrypt provides these). Good enough for most sites.
- Organization Validation (OV): The CA verifies your organization exists. Adds some trust but browsers don't visually distinguish it from DV.
- Extended Validation (EV): The CA does a thorough background check. Used to show a green bar with the company name in browsers; Chrome, Firefox and Safari have since removed that indicator, so EV is visually indistinguishable from DV.
For most developers, DV certificates (from Let's Encrypt) are perfectly sufficient.
How to check your certificate
Run your site through Qualys SSL Labs. It checks certificate validity, chain completeness, hostname coverage, protocol support, and cipher suites. Aim for an A or A+ grade. From the command line, openssl s_client -connect example.com:443 -servername example.com shows the chain the server sends and the verification result; "Verify return code: 0 (ok)" means the chain validates against the local trust store.
You can also check in your browser: click the padlock icon in the address bar and look at the certificate details. It shows the issuer, expiration date, and covered domains.
Frequently Asked Questions
- What is a TLS certificate?
- A TLS certificate is a digital file that proves your server's identity and enables encrypted HTTPS connections. It contains your domain name, the issuing Certificate Authority, an expiration date, and a public key.
- What happens when a TLS certificate expires?
- Browsers show a full-page security warning that most users won't click through. Your site effectively goes offline for anyone who doesn't manually bypass the warning.
- Do I need to buy a certificate?
- No. Let's Encrypt provides free, automated TLS certificates. Most hosting platforms (Vercel, Netlify, Cloudflare) provision certificates automatically.