Back to blog
SecurityJanuary 1, 2024· 4 min read

SSL/TLS Certificates: What Developers Need to Check

A practical Fusebox guide to ssl/tls certificates.

SSL/TLS Certificates: What Developers Need to Check

Published: January 2024
Reading time: 7 minutes

That padlock icon means more than "secure." SSL/TLS certificates reveal domain ownership, security configuration, and potential vulnerabilities. Here's what to look for.

What SSL Certificates Tell You

Every HTTPS site has a certificate containing:

  • Domain ownership: Who controls it
  • Validity period: When it expires
  • Certificate authority: Who vouched for it
  • Encryption strength: How secure it is
  • Certificate chain: Trust hierarchy
  • Alternative names: Other domains covered

This info helps debug issues and verify security.

Reading Certificate Information

Basic Certificate Data

Common Name: www.example.com
Organization: Example Corp
Location: San Francisco, CA, US
Valid From: Jan 1, 2024
Valid To: Jan 1, 2025
Issuer: Let's Encrypt

What Each Field Means

Common Name (CN):

  • Primary domain covered
  • Must match the URL
  • Wildcards: *.example.com

Subject Alternative Names (SAN):

DNS: example.com
DNS: www.example.com
DNS: api.example.com
DNS: *.app.example.com

All domains this cert covers.

Issuer Information:

  • Let's Encrypt: Free, automated
  • DigiCert/Sectigo: Paid, commercial
  • Self-signed: Red flag!

Common Certificate Issues

1. Certificate Expired

Valid Until: Dec 31, 2023 (EXPIRED)
Browser shows: "Your connection is not private"

Impact: Site appears broken Fix: Renew certificate immediately

2. Name Mismatch

Certificate: www.example.com
Visiting: example.com (no www)

Error: NET::ERR_CERT_COMMON_NAME_INVALID Fix: Add domain to SAN or redirect

3. Self-Signed Certificate

Issuer: example.com
Subject: example.com
(Same entity)

When OK: Development, internal tools When bad: Production websites

4. Weak Encryption

Signature Algorithm: SHA-1 (WEAK)
Key Size: 1024 bits (TOO SMALL)

Modern standards:

  • SHA-256 or better
  • 2048-bit RSA minimum
  • Or ECDSA P-256

Certificate Chain of Trust

How Trust Works

1. Root CA (in browser/OS)
   ↓
2. Intermediate CA
   ↓
3. Your Certificate

Checking the Chain

# View certificate chain
openssl s_client -connect example.com:443 -showcerts

# What you see:
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1

Chain Problems

Incomplete chain:

Server certificate: ✓
Intermediate: ✗ Missing
Root: (Can't verify)

Fix: Install intermediate certificates

Real Developer Scenarios

Scenario 1: Debugging Mixed Content

Certificate shows:

Valid SSL certificate ✓
But console errors: "Mixed Content Blocked"

Investigation:

  • HTTPS certificate is fine
  • Page loads HTTP resources
  • Browser blocks insecure content

Fix: Update all resources to HTTPS

Scenario 2: API Certificate Errors

Error in code:

fetch('https://api.partner.com')
// Error: unable to verify the first certificate

Certificate inspection shows:

  • Missing intermediate certificate
  • Works in browser (has cert cache)
  • Fails in Node.js

Fix:

// Temporary (dev only):
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;

// Proper fix: Get partner to fix cert chain

Scenario 3: Wildcard Limitations

Certificate:

CN: *.example.com

Works for:

Doesn't work for:

  • example.com ✗ (no subdomain)
  • api.v2.example.com ✗ (nested subdomain)

Certificate Types and Use Cases

1. Domain Validated (DV)

  • Validation: Own the domain
  • Cost: Free - $10/year
  • Example: Let's Encrypt
  • Use for: Most websites

2. Organization Validated (OV)

  • Validation: Business verification
  • Cost: $50-200/year
  • Shows: Company name
  • Use for: Business sites

3. Extended Validation (EV)

  • Validation: Extensive checks
  • Cost: $200-1000/year
  • Shows: Green bar (formerly)
  • Use for: Banks, e-commerce

4. Wildcard Certificates

  • Covers: *.domain.com
  • Cost: 2-3x single domain
  • Use for: Multiple subdomains
  • Limitation: One level only

Security Headers and Certificates

HSTS (HTTP Strict Transport Security)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Effect: Forces HTTPS even if user types HTTP

Certificate Pinning

Public-Key-Pins: pin-sha256="base64..."; max-age=5184000

Warning: Deprecated, risky if misconfigured

Certificate Transparency

Expect-CT: max-age=86400, enforce

Purpose: Detect misissued certificates

Monitoring Certificate Health

1. Expiration Monitoring

# Check expiration
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Output:
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 23:59:59 2024 GMT

2. Automated Checks

// Node.js certificate check
const https = require('https');

https.get('https://example.com', (res) => {
  const cert = res.connection.getPeerCertificate();
  const expiry = new Date(cert.valid_to);
  const daysLeft = Math.floor((expiry - Date.now()) / (1000 * 60 * 60 * 24));
  
  if (daysLeft < 30) {
    console.warn(`Certificate expires in ${daysLeft} days!`);
  }
});

3. Warning Signs

  • Expires in < 30 days
  • Self-signed in production
  • SHA-1 signature
  • 1024-bit keys
  • Missing SAN entries

Quick Certificate Debugging

Browser Check

  1. Click padlock icon
  2. "Connection is secure"
  3. "Certificate is valid"
  4. View certificate details

Command Line

# Quick SSL test
curl -vI https://example.com 2>&1 | grep -i ssl

# Full certificate info
openssl s_client -connect example.com:443 -servername example.com < /dev/null

# Certificate dates
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Online Tools

  • SSL Labs (comprehensive test)
  • Why No Padlock (mixed content)
  • Certificate monitors

Best Practices

1. Automate Renewal

# Let's Encrypt auto-renewal
certbot renew --dry-run

# Cron job
0 0 * * * certbot renew --quiet

2. Monitor Everything

  • Expiration dates
  • Certificate changes
  • Chain completeness
  • Security warnings

3. Plan for Renewal

  • Set calendar reminders
  • Test renewal process
  • Have backup contacts
  • Document procedures

Certificate Checklist

When analyzing any HTTPS site:

  • Valid dates (not expired)
  • Correct domain match
  • Trusted issuer
  • Complete chain
  • Strong encryption
  • No mixed content warnings
  • Proper redirects (HTTP → HTTPS)

The Bottom Line

SSL certificates are your first line of defense. They ensure:

  • Privacy: Encrypted connections
  • Authenticity: Verified ownership
  • Trust: User confidence
  • SEO: Google ranking boost

Check certificates regularly. A broken cert means a broken site.


Check SSL certificates instantly: Fusebox shows certificate details, expiration warnings, and security issues while browsing. Stay secure. $29 one-time purchase.