SSL/TLS Certificates: What Developers Need to Check
A practical Fusebox guide to ssl/tls certificates.
SSL/TLS Certificates: What Developers Need to Check
Published: January 2024
Reading time: 7 minutes
That padlock icon means more than "secure." SSL/TLS certificates reveal domain ownership, security configuration, and potential vulnerabilities. Here's what to look for.
What SSL Certificates Tell You
Every HTTPS site has a certificate containing:
- Domain ownership: Who controls it
- Validity period: When it expires
- Certificate authority: Who vouched for it
- Encryption strength: How secure it is
- Certificate chain: Trust hierarchy
- Alternative names: Other domains covered
This info helps debug issues and verify security.
Reading Certificate Information
Basic Certificate Data
Common Name: www.example.com
Organization: Example Corp
Location: San Francisco, CA, US
Valid From: Jan 1, 2024
Valid To: Jan 1, 2025
Issuer: Let's Encrypt
What Each Field Means
Common Name (CN):
- Primary domain covered
- Must match the URL
- Wildcards: *.example.com
Subject Alternative Names (SAN):
DNS: example.com
DNS: www.example.com
DNS: api.example.com
DNS: *.app.example.com
All domains this cert covers.
Issuer Information:
- Let's Encrypt: Free, automated
- DigiCert/Sectigo: Paid, commercial
- Self-signed: Red flag!
Common Certificate Issues
1. Certificate Expired
Valid Until: Dec 31, 2023 (EXPIRED)
Browser shows: "Your connection is not private"
Impact: Site appears broken Fix: Renew certificate immediately
2. Name Mismatch
Certificate: www.example.com
Visiting: example.com (no www)
Error: NET::ERR_CERT_COMMON_NAME_INVALID Fix: Add domain to SAN or redirect
3. Self-Signed Certificate
Issuer: example.com
Subject: example.com
(Same entity)
When OK: Development, internal tools When bad: Production websites
4. Weak Encryption
Signature Algorithm: SHA-1 (WEAK)
Key Size: 1024 bits (TOO SMALL)
Modern standards:
- SHA-256 or better
- 2048-bit RSA minimum
- Or ECDSA P-256
Certificate Chain of Trust
How Trust Works
1. Root CA (in browser/OS)
↓
2. Intermediate CA
↓
3. Your Certificate
Checking the Chain
# View certificate chain
openssl s_client -connect example.com:443 -showcerts
# What you see:
Certificate chain
0 s:/CN=example.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
Chain Problems
Incomplete chain:
Server certificate: ✓
Intermediate: ✗ Missing
Root: (Can't verify)
Fix: Install intermediate certificates
Real Developer Scenarios
Scenario 1: Debugging Mixed Content
Certificate shows:
Valid SSL certificate ✓
But console errors: "Mixed Content Blocked"
Investigation:
- HTTPS certificate is fine
- Page loads HTTP resources
- Browser blocks insecure content
Fix: Update all resources to HTTPS
Scenario 2: API Certificate Errors
Error in code:
fetch('https://api.partner.com')
// Error: unable to verify the first certificate
Certificate inspection shows:
- Missing intermediate certificate
- Works in browser (has cert cache)
- Fails in Node.js
Fix:
// Temporary (dev only):
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
// Proper fix: Get partner to fix cert chain
Scenario 3: Wildcard Limitations
Certificate:
CN: *.example.com
Works for:
- www.example.com ✓
- api.example.com ✓
- staging.example.com ✓
Doesn't work for:
- example.com ✗ (no subdomain)
- api.v2.example.com ✗ (nested subdomain)
Certificate Types and Use Cases
1. Domain Validated (DV)
- Validation: Own the domain
- Cost: Free - $10/year
- Example: Let's Encrypt
- Use for: Most websites
2. Organization Validated (OV)
- Validation: Business verification
- Cost: $50-200/year
- Shows: Company name
- Use for: Business sites
3. Extended Validation (EV)
- Validation: Extensive checks
- Cost: $200-1000/year
- Shows: Green bar (formerly)
- Use for: Banks, e-commerce
4. Wildcard Certificates
- Covers: *.domain.com
- Cost: 2-3x single domain
- Use for: Multiple subdomains
- Limitation: One level only
Security Headers and Certificates
HSTS (HTTP Strict Transport Security)
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Effect: Forces HTTPS even if user types HTTP
Certificate Pinning
Public-Key-Pins: pin-sha256="base64..."; max-age=5184000
Warning: Deprecated, risky if misconfigured
Certificate Transparency
Expect-CT: max-age=86400, enforce
Purpose: Detect misissued certificates
Monitoring Certificate Health
1. Expiration Monitoring
# Check expiration
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
# Output:
notBefore=Jan 1 00:00:00 2024 GMT
notAfter=Mar 31 23:59:59 2024 GMT
2. Automated Checks
// Node.js certificate check
const https = require('https');
https.get('https://example.com', (res) => {
const cert = res.connection.getPeerCertificate();
const expiry = new Date(cert.valid_to);
const daysLeft = Math.floor((expiry - Date.now()) / (1000 * 60 * 60 * 24));
if (daysLeft < 30) {
console.warn(`Certificate expires in ${daysLeft} days!`);
}
});
3. Warning Signs
- Expires in < 30 days
- Self-signed in production
- SHA-1 signature
- 1024-bit keys
- Missing SAN entries
Quick Certificate Debugging
Browser Check
- Click padlock icon
- "Connection is secure"
- "Certificate is valid"
- View certificate details
Command Line
# Quick SSL test
curl -vI https://example.com 2>&1 | grep -i ssl
# Full certificate info
openssl s_client -connect example.com:443 -servername example.com < /dev/null
# Certificate dates
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
Online Tools
- SSL Labs (comprehensive test)
- Why No Padlock (mixed content)
- Certificate monitors
Best Practices
1. Automate Renewal
# Let's Encrypt auto-renewal
certbot renew --dry-run
# Cron job
0 0 * * * certbot renew --quiet
2. Monitor Everything
- Expiration dates
- Certificate changes
- Chain completeness
- Security warnings
3. Plan for Renewal
- Set calendar reminders
- Test renewal process
- Have backup contacts
- Document procedures
Certificate Checklist
When analyzing any HTTPS site:
- Valid dates (not expired)
- Correct domain match
- Trusted issuer
- Complete chain
- Strong encryption
- No mixed content warnings
- Proper redirects (HTTP → HTTPS)
The Bottom Line
SSL certificates are your first line of defense. They ensure:
- Privacy: Encrypted connections
- Authenticity: Verified ownership
- Trust: User confidence
- SEO: Google ranking boost
Check certificates regularly. A broken cert means a broken site.
Check SSL certificates instantly: Fusebox shows certificate details, expiration warnings, and security issues while browsing. Stay secure. $29 one-time purchase.