SSL/TLS Certificates Explained: Everything You Need to Know for Secure HTTPS

A clear, comprehensive guide to SSL/TLS certificates — how they work, how to get them, how to install them, and how to avoid the common mistakes that leave your site vulnerable.

Sarah Chen

Senior Cybersecurity Engineer with 12+ years of experience in penetration testing and security architecture.

December 6, 2025
13 min read

HTTPS is no longer optional. Google Chrome marks HTTP sites as "Not Secure." Google Search penalizes HTTP sites in rankings. Browsers block mixed content. Modern web features (geolocation, service workers, HTTP/2, and many JavaScript APIs) only work over HTTPS. And most importantly, without HTTPS, every piece of data your users send — passwords, personal information, payment details — travels across the internet in plain text, visible to anyone on the network path.

Despite its importance, SSL/TLS configuration remains one of the most misunderstood aspects of web security. This guide explains how TLS works, how to get and install certificates, and how to configure them correctly for maximum security and compatibility.

How TLS Actually Works

When a browser connects to your HTTPS server, a TLS handshake occurs before any application data is exchanged. Understanding this process helps you diagnose connection problems and make informed configuration decisions.

The client sends a "Client Hello" message listing the TLS versions and cipher suites it supports. The server responds with a "Server Hello," selecting the TLS version and cipher suite to use, and sends its certificate. The client verifies the certificate against its trusted certificate authority (CA) store. The client and server negotiate a shared encryption key using asymmetric cryptography. All subsequent communication is encrypted with this shared key using symmetric encryption.

TLS 1.3 (the current version) simplifies this handshake, completing it in one round trip instead of two, which improves connection latency. It also removes support for older, insecure cipher suites, making configuration simpler and more secure by default.

Certificate Types

Domain Validated (DV) certificates verify that you control the domain. They are issued in minutes and cost nothing (from Let's Encrypt) or very little. DV certificates are sufficient for the vast majority of websites. The padlock in the browser looks the same regardless of certificate type.

Organization Validated (OV) certificates verify your domain ownership and your organization's identity through business registration checks. They take 1 to 3 days to issue and cost $50 to $200 per year. Wildcard certificates cover all subdomains of a domain. Extended Validation (EV) certificates require the most thorough identity verification but no longer display differently in modern browsers — they are rarely worth the cost unless required by specific compliance frameworks.

Getting Free Certificates with Let's Encrypt

Let's Encrypt is a free, automated, non-profit certificate authority that issues DV certificates. It has revolutionized web security by eliminating cost as a barrier to HTTPS adoption. Over 300 million websites now use Let's Encrypt certificates.

Install Certbot, the official Let's Encrypt client, and it will obtain certificates and configure your web server automatically. Certbot handles the domain validation challenge (proving you control the domain), certificate issuance, web server configuration, and automatic renewal every 60 days. The entire process takes less than 5 minutes for a standard setup.

For more complex setups (wildcard certificates, DNS-based validation, or servers behind load balancers), Certbot supports DNS challenges that work with dozens of DNS providers. Alternative clients like acme.sh provide additional flexibility for scripted and automated environments.

Installing Certificates on Your Web Server

For Nginx, the configuration involves specifying the certificate file, private key file, and TLS protocol versions. Enable TLS 1.2 and 1.3 only — all earlier versions have known vulnerabilities. Configure strong cipher suites that prioritize AEAD ciphers (AES-GCM and ChaCha20-Poly1305). Enable HSTS (HTTP Strict Transport Security) to tell browsers to always use HTTPS for your domain.

For Apache, the configuration is similar but uses different directives. The key settings are the same: specify certificate and key files, restrict protocols to TLS 1.2 and 1.3, use strong ciphers, and enable HSTS.

After installation, test your configuration at SSL Labs (ssllabs.com/ssltest). Aim for an A+ rating. The test checks your certificate chain, protocol support, cipher suites, and TLS features, providing specific recommendations for any issues found.

Common Mistakes and How to Avoid Them

The most common mistake is letting certificates expire. An expired certificate causes browsers to display a full-screen warning that prevents users from accessing your site. Set up automated renewal with Certbot and monitoring alerts that notify you 14 days before expiration.
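As an added example that is not part of the original article, this Python helper turns the 14-day rule above into a check that can run from a cron job: fetch_peer_cert does the live lookup, and expiry_status classifies a certificate using the dict shape that Python's getpeercert() returns. The host name example.com and the sample certificate dict are constructed, not real.

```python
import socket
import ssl
import time

EXPIRY_WARNING_DAYS = 14  # alert threshold recommended in the article

def fetch_peer_cert(host, port=443, timeout=5):
    """Live lookup (network): return the server's leaf certificate as the dict
    getpeercert() produces. Chain and hostname validation happen inside
    wrap_socket, so a missing intermediate surfaces here as an SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return ssock.getpeercert()

def expiry_status(cert, now=None):
    """Classify a getpeercert() dict as ('ok' | 'warning' | 'expired', days_left).
    `now` may be an epoch timestamp, a certificate-style time string such as
    'Feb 20 00:00:00 2026 GMT' (handy for replaying past states), or None."""
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if days_left < 0:
        return "expired", days_left
    if days_left <= EXPIRY_WARNING_DAYS:
        return "warning", days_left
    return "ok", days_left

# Constructed sample in the shape getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notBefore": "Dec  1 00:00:00 2025 GMT",
    "notAfter": "Mar  1 00:00:00 2026 GMT",  # 90-day lifetime, Let's Encrypt style
}

if __name__ == "__main__":
    # Swap SAMPLE_CERT for fetch_peer_cert("example.com") to check a live server.
    print(expiry_status(SAMPLE_CERT))
```

Wire the "warning" and "expired" results to whatever alerting channel you already use; the status tuple is deliberately plain so it can feed a ticket, a chat message or a metrics gauge.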

Missing intermediate certificates cause "certificate not trusted" errors on some devices but not others. Always serve the complete certificate chain — your certificate plus all intermediate CA certificates. Certbot handles this automatically, but manual installations often miss it.

Mixed content (loading HTTP resources on an HTTPS page) triggers browser warnings and can break functionality. Audit your site for any resources loaded over HTTP — images, scripts, stylesheets, fonts, and API calls all need to use HTTPS.

Using outdated protocols (TLS 1.0 and 1.1) exposes your server to known attacks. Disable them and only support TLS 1.2 and 1.3. Check compatibility requirements — TLS 1.2 is supported by all browsers released since 2013, so dropping older versions should not affect any real users.
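As an added example that is not code from the original article, the following Python script embeds a constructed weak Nginx server block beside a hardened one and audits each for the mistakes covered in this section and in the Nginx settings above: outdated protocols, non-AEAD cipher suites, a missing HSTS header, and a certificate file that may lack the intermediate chain. The Nginx directives are real; the file paths and the fullchain.pem name check are assumptions based on Certbot's default layout.

```python
import re
# Constructed Nginx server blocks (not from the original article): the first
# has the mistakes the article lists, the second is hardened as it recommends.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/site.crt;   # leaf only, no intermediates
    ssl_certificate_key /etc/ssl/private/site.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256;
}
"""

HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
"""

def _directive(conf, name):
    """Arguments of the first `name` directive (text before its ';'), '' if absent."""
    m = re.search(rf"^\s*{name}\s+([^;]*);", conf, re.M)
    return m.group(1).strip() if m else ""

def audit_nginx_tls(conf):
    """Return the problems found in one server block; [] means it passes."""
    findings = []
    protos = _directive(conf, "ssl_protocols").split()
    outdated = [p for p in protos if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if outdated:
        findings.append("outdated protocols enabled: " + " ".join(outdated))
    if "TLSv1.3" not in protos:
        findings.append("TLS 1.3 not enabled")
    # In OpenSSL naming, AEAD suites contain GCM or CHACHA20; anything else is legacy.
    non_aead = [c for c in _directive(conf, "ssl_ciphers").split(":")
                if c and "GCM" not in c and "CHACHA20" not in c]
    if non_aead:
        findings.append("non-AEAD cipher suites: " + ":".join(non_aead))
    if "Strict-Transport-Security" not in conf:
        findings.append("HSTS header missing")
    # Heuristic (assumption): Certbot's fullchain.pem bundles the intermediates.
    if "fullchain" not in _directive(conf, "ssl_certificate"):
        findings.append("ssl_certificate may be missing the intermediate chain")
    return findings
```

Run audit_nginx_tls over each server block pulled from your real configuration, then confirm the result against an SSL Labs scan, which tests the live handshake rather than the file.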

Advanced Configuration

OCSP Stapling improves TLS handshake performance by including the certificate's revocation status in the server response, eliminating the need for the client to make a separate request to the CA. Configure your web server to fetch and cache OCSP responses.

Certificate Transparency (CT) logs provide a public, append-only record of all issued certificates for your domain. Monitor CT logs to detect unauthorized certificates — if someone obtains a certificate for your domain without your knowledge, CT logs will reveal it.

CAA (Certification Authority Authorization) DNS records specify which CAs are allowed to issue certificates for your domain. This prevents unauthorized CAs from issuing valid certificates for your domain, even if they are compromised.

The Future of TLS

TLS 1.3 has become the standard, with over 70 percent of HTTPS connections now using it. Post-quantum cryptography is being standardized to protect against future quantum computing threats — NIST has finalized several post-quantum algorithms, and TLS implementations are beginning to add support. Plan for a transition to post-quantum TLS within the next 3 to 5 years.

ZeonEdge configures SSL/TLS automatically for all hosted services, with A+ SSL Labs ratings and automatic certificate renewal. Learn more about our secure hosting services.
