Contents
5 sections · 6 min read
Padlock icon with SSL certificate details showing encryption and domain verification
Domain Security

What Is an SSL Certificate? How HTTPS Works in Plain English

A
Domain 360 Team
·June 26, 2026·6 min read

Every website you visit with a padlock in the address bar has an SSL certificate. Most users take this for granted, and most website owners install one without fully understanding what it does. Here is the clear explanation.

Two Things SSL Does

SSL certificates serve two distinct purposes that are easy to confuse.

Encryption: They enable an encrypted channel between the browser and the server. Data sent through this channel — form submissions, login credentials, payment details, personal information — cannot be read by anyone intercepting the connection, including ISPs, network operators on shared Wi-Fi, and attackers.

Authentication: They prove that the server is operated by whoever claims to control the domain. The certificate contains the domain name and is signed by a Certificate Authority — a trusted third party that has verified (to some degree, depending on certificate type) that the applicant controls the domain.

Both matter. Encryption without authentication means you are sending data securely to an unverified destination. Authentication without encryption means you know who you are talking to, but the conversation is public.

How SSL Certificates Work: The Short Version

When your browser connects to an https site, it performs a TLS handshake before any actual data is transferred:

  1. The server sends its SSL certificate to the browser.
  2. The browser checks whether the certificate was issued by a trusted Certificate Authority (the browser has a built-in list of trusted CAs), whether the domain in the certificate matches the domain being visited, and whether the certificate has not expired.
  3. If all checks pass, the browser and server use the certificate to establish an encrypted session key.
  4. All subsequent communication is encrypted with that session key.

This entire handshake happens in milliseconds before the page loads.

Certificate Authorities

A Certificate Authority (CA) is an organisation that issues SSL certificates after verifying the applicant's right to use the domain. The browser's trust in an SSL certificate traces back to its trust in the CA — browsers include a root certificate list of CAs they recognise.

The verification process varies by certificate type. Domain Validation (DV) certificates, including free Let's Encrypt certificates, require only proof of domain control — a file placed on the server or a DNS record. Organisation Validation (OV) certificates verify the organisation's legal existence. Extended Validation (EV) certificates require more extensive verification. Our SSL certificate types guide covers the differences.

Free SSL vs Paid SSL

Let's Encrypt, run by the Internet Security Research Group, issues free Domain Validation certificates valid for 90 days with automatic renewal. These are technically identical to paid DV certificates from commercial CAs — the encryption and domain verification are the same. The differences are in support, warranty, and additional validation levels.

For most websites — especially informational sites, blogs, and small e-commerce — Let's Encrypt certificates are completely appropriate. Our free SSL certificate guide covers how to obtain and install one.

SSL and Domain Names

An SSL certificate is issued for specific domain names. A certificate for example.com does not cover www.example.com or api.example.com (unless it is a wildcard certificate for *.example.com). When an SSL error shows the certificate hostname mismatch, it means the certificate does not list the exact domain being visited.

SSL certificates are tied to domain names — and that creates a dependency on the domain being registered. When a domain expires, the website and email stop working, and the SSL certificate becomes meaningless (there is no server to terminate connections on). This is why maintaining domain registration is foundational: an expired domain invalidates not just DNS records but the entire certificate infrastructure built on top of it.

Independent domain expiry monitoring via a domain management dashboard is the practical safeguard for everything built on your domain.

Never lose a domain again

Track every domain you own in one dashboard. Free for up to 15 domains.