TLS certificates are the most widely deployed type of digital certificate. They secure every HTTPS connection on the internet, authenticating servers, enabling encryption, and protecting data in transit between browsers and websites.
When you see a padlock in your browser's address bar, you are looking at a TLS certificate in action. Transport Layer Security (TLS) is the protocol that encrypts communication between your browser and a web server, and TLS certificates are the digital certificates that make it possible.
You may still hear people refer to "SSL certificates." Secure Sockets Layer (SSL) was the original protocol developed by Netscape in the mid-1990s. SSL 3.0, released in 1996, was the last version before the protocol was renamed and redesigned as TLS 1.0 in 1999. Today, all versions of SSL are deprecated and considered insecure. TLS 1.2 (2008) and TLS 1.3 (2018) are the versions in active use. The term "SSL certificate" persists in marketing and conversation, but the technology behind it is TLS. Throughout this guide, we use "TLS certificate" to be precise.
TLS certificates serve two critical functions: they authenticate the server (proving you are connecting to the real website and not an impersonator) and they enable encryption (ensuring data exchanged between your browser and the server cannot be read or tampered with by anyone on the network).
The browser sends a "Client Hello" message to the server, indicating the TLS versions and cipher suites it supports, along with a randomly generated value. In TLS 1.3, the client also sends its key share in this first message, reducing the handshake to a single round trip.
The server responds with its chosen cipher suite, its own random value, its key share, and, critically, its TLS certificate. The certificate contains the server's public key and is signed by a trusted Certificate Authority.
The browser verifies the certificate: Is the CA trusted? Has the certificate expired? Has it been revoked? Does the domain name in the certificate match the URL? If any check fails, the browser shows a security warning and the connection is aborted.
Using the key shares exchanged in the Hello messages, both sides derive the same session keys through a Diffie-Hellman exchange. These symmetric keys encrypt all subsequent communication. No private key is ever transmitted; only the public key shares needed to derive the session keys cross the network.
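The exchange described in the four steps above, as an added illustration that is not part of the original guide and not a real TLS implementation: each side puts only a random value and a public key share in its Hello, keeps its private exponent to itself, and both end up with identical session keys by feeding the shared secret and the handshake transcript into HKDF. The finite-field group parameters are constructed for the demo (a real handshake uses X25519 or P-256 and the full RFC 8446 key schedule), and the certificate and signature step of the server's reply is left out.

```python
"""
Toy TLS 1.3-style key exchange: ClientHello and ServerHello carry a random
value and a Diffie-Hellman key share; both parties derive the same keys.
Added example code only; not a TLS library and not the page's own code.
"""
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman parameters (far too small for real use; a real
# handshake uses a named group such as X25519 or P-256).
P = 2**127 - 1   # a Mersenne prime, used here only as a stand-in modulus
G = 5


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


class Party:
    """One endpoint. The private exponent is created here and never leaves."""

    def __init__(self, name, private=None):
        self.name = name
        self._private = private if private is not None else secrets.randbelow(P - 2) + 2
        self.random = secrets.token_bytes(32)       # the Hello's random value
        self.key_share = pow(G, self._private, P)   # public key share sent in the Hello

    def hello(self) -> dict:
        """Exactly what goes on the wire: random value and public key share, nothing private."""
        return {"from": self.name, "random": self.random, "key_share": self.key_share}

    def derive_keys(self, client_hello: dict, server_hello: dict) -> dict:
        """Combine the peer's public share with our private exponent, then run HKDF."""
        peer = server_hello if self.name == client_hello["from"] else client_hello
        shared = pow(peer["key_share"], self._private, P)   # same value on both sides
        transcript = client_hello["random"] + server_hello["random"]
        # Both sides feed the identical shared secret and transcript into HKDF,
        # so the two write keys come out the same without the secret being sent.
        prk = hkdf_extract(hashlib.sha256(transcript).digest(), shared.to_bytes(16, "big"))
        return {
            "client_write_key": hkdf_expand(prk, b"c ap traffic", 32),
            "server_write_key": hkdf_expand(prk, b"s ap traffic", 32),
        }


def run_handshake(client_private=None, server_private=None):
    """Run one hello/hello exchange and return (client_keys, server_keys)."""
    client, server = Party("client", client_private), Party("server", server_private)
    client_hello = client.hello()   # step 1: ClientHello with random + key share
    server_hello = server.hello()   # step 2: ServerHello with random + key share
    # (step 3, certificate verification, is not modelled here)
    # step 4: each side derives the session keys independently
    return client.derive_keys(client_hello, server_hello), server.derive_keys(client_hello, server_hello)


if __name__ == "__main__":
    c_keys, s_keys = run_handshake()
    print("client_write_key:", c_keys["client_write_key"].hex())
    print("both sides agree:", c_keys == s_keys)
```

Every run uses fresh randoms and fresh exponents, so two handshakes never share session keys; that is the property that makes the symmetric keys ephemeral even though the server's certificate stays the same across connections.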
A wildcard certificate secures a domain and all its subdomains at one level. For example, a certificate for *.example.com covers www.example.com, api.example.com, and mail.example.com. It does not cover multi-level subdomains like staging.api.example.com. Wildcards simplify management but require careful handling: if the private key is compromised, all subdomains are affected.
Subject Alternative Name (SAN) certificates can include multiple distinct domain names in a single certificate. For example, one certificate could cover example.com, example.org, and shop.example.net. SAN certificates are common in cloud environments and CDN deployments where a single server hosts many different domains.
Use wildcard certificates when you have many subdomains under a single domain and want simplified management. Use SAN certificates when you need to secure unrelated domains or a mix of domains and subdomains. Some certificates combine both, using wildcard entries within a SAN list.
Both wildcard and SAN certificates increase the blast radius of a private key compromise. If the key is leaked, every domain on the certificate is at risk. Organizations should weigh convenience against risk, use strong key protection, and consider shorter-lived certificates to limit exposure.
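The name-matching rules for wildcard and SAN certificates, together with the trust, validity and revocation checks listed in the handshake section, as an added example that is not part of the original guide. It is a toy verifier over a plain dict standing in for an X.509 certificate (no real parsing), with a hypothetical CA name, a constructed serial number and constructed validity dates; the point is the wildcard rule, where `*.example.com` covers `api.example.com` but neither `staging.api.example.com` nor the bare `example.com`.

```python
"""
Toy model of the checks a browser applies to a server certificate: trusted
issuer, validity period, revocation, and hostname matching against the SAN
list with single-level wildcard semantics. Added example code, not a parser.
"""
from datetime import datetime, timezone


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname.

    A wildcard is honoured only as the complete left-most label and matches
    exactly one label, so "*.example.com" covers "api.example.com" but not
    "staging.api.example.com" and not the bare "example.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards like "f*o.example.com" and overly broad "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False   # one wildcard covers exactly one label
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def verify_server_certificate(cert: dict, hostname: str, now: datetime,
                              trusted_issuers: set, revoked: set) -> list:
    """Return the list of failure reasons; an empty list means the certificate is accepted."""
    problems = []
    if cert["issuer"] not in trusted_issuers:
        problems.append("issuer not in trust store")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity period")
    if (cert["issuer"], cert["serial"]) in revoked:
        problems.append("certificate revoked")
    if not any(dns_name_matches(name, hostname) for name in cert["san"]):
        problems.append("hostname does not match any SAN entry")
    return problems


# Constructed sample: a certificate mixing a wildcard entry with plain SAN entries.
SAMPLE_CERT = {
    "issuer": "Example Root CA",    # hypothetical CA name
    "serial": 4242,                 # constructed serial number
    "not_before": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 2, 17, tzinfo=timezone.utc),   # a short, 47-day lifetime
    "san": ["*.example.com", "example.com", "shop.example.net"],
}
TRUST_STORE = {"Example Root CA"}
REVOKED = set()   # (issuer, serial) pairs; empty in this sample


if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    for host in ["api.example.com", "staging.api.example.com",
                 "example.com", "shop.example.net", "example.org"]:
        result = verify_server_certificate(SAMPLE_CERT, host, now, TRUST_STORE, REVOKED)
        print(f"{host:26} -> {'OK' if not result else ', '.join(result)}")
```

Run as-is, the loop accepts `api.example.com`, `example.com` (via its explicit SAN entry) and `shop.example.net`, and rejects the two-level subdomain and the unrelated domain; passing a date after `not_after` or adding `("Example Root CA", 4242)` to the revoked set makes the same hosts fail for the corresponding reason.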
Automate renewals at scale — Evertrust CLM automates the full TLS certificate lifecycle, from request through issuance to deployment and renewal, using ACME and native integrations with web servers, load balancers, and cloud platforms. When lifespans drop to 47 days, your renewals happen automatically.
Discover every TLS certificate — Network scanning, CT log monitoring, and endpoint discovery build a complete inventory of all TLS certificates across your infrastructure, including those procured outside of IT. No more surprise expirations.
Prevent outages — Real-time monitoring with configurable alerts ensures no certificate expires unnoticed. Dashboards show expiration timelines, compliance status, and certificates at risk, giving your team full visibility and time to act.
Work with any CA — Evertrust is CA-agnostic. Whether your TLS certificates come from Let's Encrypt, DigiCert, Sectigo, or your own private CA, CLM manages them all from a single platform.