SSL Certificate Glossary

Certificate Basics

HTTPS

HTTP over TLS. The encrypted version of web communication that uses an SSL certificate to secure the connection between a browser and a server.

SSL (Secure Sockets Layer)

The predecessor to TLS. Although TLS has replaced SSL, the term “SSL certificate” is still widely used to refer to certificates that enable encrypted HTTPS connections.

TLS (Transport Layer Security)

The current encryption protocol that secures HTTPS connections. TLS is the successor to SSL and is what modern browsers and servers use during the handshake process.

TLS Handshake

The initial negotiation between a client (browser) and server that establishes an encrypted connection. During the handshake, the server presents its certificate, the client verifies it, and both sides agree on encryption keys.

Mixed Content

An HTTPS page that loads some resources (images, scripts, stylesheets) over plain HTTP. Mixed content weakens security and causes browser warnings, because unencrypted resources can be intercepted or modified in transit.
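Added example, not code from DNSimple: a small scanner that lists the sub-resources an HTTPS page would load over plain http://, which is exactly what a browser flags as mixed content. The HTML page and the page URL below are constructed for the example; the split into "blockable" (scripts, stylesheets, frames) and "optionally-blockable" (images, audio, video) follows the W3C Mixed Content classification.

```python
# Added example (not DNSimple's code): find mixed content in an HTTPS page.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that trigger a sub-resource fetch
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src",),
}
OPTIONALLY_BLOCKABLE = {"img", "audio", "video", "source"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []            # (tag, resolved URL, classification)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # only <link rel="stylesheet"> fetches a resource that counts here
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset holds "url 1x, url 2x" pairs; take the URL of each candidate
            if attr == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for cand in candidates:
                # urljoin resolves relative paths and protocol-relative "//host/..."
                # references against the https page, so only explicit http:// survives
                url = urljoin(self.page_url, cand)
                if urlsplit(url).scheme == "http":
                    kind = "optionally-blockable" if tag in OPTIONALLY_BLOCKABLE else "blockable"
                    self.findings.append((tag, url, kind))


def find_mixed_content(page_url: str, html: str):
    """Return [(tag, url, kind)] for every http:// sub-resource on an https page."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page: two insecure loads are blockable, two are images
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="//images.example.com/logo.png">
<img src="http://images.example.com/banner.png" srcset="http://images.example.com/banner@2x.png 2x">
<img src="/assets/safe.png">
<iframe src="http://widgets.example.net/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content("https://www.example.com/", SAMPLE_PAGE):
        print(f"{kind:20} <{tag}> {url}")
```

Protocol-relative (`//host/...`) and root-relative (`/path`) references resolve to https on an https page, so they are correctly left out; the fix for each finding is to serve the resource over HTTPS or drop it.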

Certificate Types

Domain Validated (DV) Certificate

A certificate where the CA verifies only that the requester controls the domain. All DNSimple certificates are domain-validated.

Extended Validation (EV) Certificate

The most rigorous CA validation level, requiring legal entity verification. DNSimple does not provide EV certificates.

Organization Validated (OV) Certificate

A certificate that verifies both domain ownership and organization identity. DNSimple does not provide OV certificates.

Single-Name Certificate

A certificate protecting exactly one hostname (e.g., www.example.com). For the www hostname, Sectigo single-name certificates also cover the root domain.

Wildcard Certificate

A certificate protecting all single-level subdomains of a domain (e.g., *.example.com covers www.example.com, mail.example.com, etc.), but not multi-level subdomains.

SAN (Subject Alternative Name)

An X.509 extension that allows a single certificate to cover multiple hostnames. Let’s Encrypt SAN certificates in DNSimple can cover up to 100 names.
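Added example, not DNSimple's or any CA's code, covering the single-name, wildcard and SAN entries above: the matching rule a browser applies when it checks a hostname against the names on a certificate. Browsers match against the SAN entries (the Common Name is only a legacy fallback), and a wildcard covers exactly one label, as the wildcard entry states. The three SAN lists are constructed stand-ins for the three certificate types.

```python
# Added example (not DNSimple's code): hostname matching against certificate names.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (possibly a wildcard) covers hostname.

    Rules, as browsers apply them (RFC 6125):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*.example.com' covers exactly one extra label (www.example.com),
        never the bare domain and never a.b.example.com;
      * the wildcard must be the whole left-most label, so 'w*.example.com'
        and '*.*.example.com' are treated as non-matching patterns.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname           # exact names compare literally
    suffix = pattern[1:]                     # ".example.com"
    if "*" in suffix or not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # exactly one non-empty label: rejects the bare domain and multi-level names
    return first_label != "" and "." not in first_label


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed SAN lists standing in for the three certificate types
SINGLE_NAME = ["www.example.com", "example.com"]   # a www single-name cert that also covers the root
WILDCARD = ["*.example.com"]
SAN_CERT = ["example.com", "www.example.com", "api.example.com", "mail.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "mail.example.com", "a.b.example.com"]:
        print(f"{host:18} single={cert_covers(SINGLE_NAME, host)!s:5} "
              f"wildcard={cert_covers(WILDCARD, host)!s:5} san={cert_covers(SAN_CERT, host)}")
```

Running it shows the practical consequence of the wildcard rule: `*.example.com` covers `mail.example.com` but neither `example.com` nor `a.b.example.com`, so a deployment that needs both the root and its subdomains needs a SAN certificate listing both, or a wildcard certificate whose SAN list also carries the bare domain.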

Certificate Authorities

Certificate Authority (CA)

A trusted organization that verifies domain ownership (and sometimes organization identity) and issues SSL certificates. DNSimple uses Sectigo and Let’s Encrypt as CAs.

Let’s Encrypt

A free, automated, open certificate authority. Let’s Encrypt certificates in DNSimple are validated via DNS challenges and support auto-renewal. The domain must resolve with DNSimple.

Sectigo

A commercial certificate authority (formerly Comodo). Sectigo certificates in DNSimple are validated via email and cost $20 (single-name) or $100 (wildcard) per year.

Keys and Cryptography

Private Key

The secret key paired with a certificate. The server uses the private key to prove its identity during the TLS handshake and to establish encrypted connections. DNSimple generates private keys automatically unless you provide a custom CSR.

Certificate Signing Request (CSR)

An encoded block of text containing the public key and domain information, submitted to a CA to request a certificate. DNSimple generates CSRs automatically, but you can provide a custom CSR for Sectigo certificates.

RSA

Rivest-Shamir-Adleman. The traditional public-key algorithm, widely compatible across platforms and software. RSA keys are larger than ECDSA keys of comparable strength (2048 bits or more).

ECDSA

Elliptic Curve Digital Signature Algorithm. A public-key algorithm whose keys are smaller, and whose operations are faster, than RSA at equivalent security levels. DNSimple defaults to ECDSA (prime256v1) for new certificates.

SHA-2 / SHA-256

The hash algorithm used in current certificate signatures; SHA-256 is the member of the SHA-2 family in common use. All DNSimple certificates use SHA-256 signatures.

Certificate Chain and Trust

Certificate Chain

The sequence of certificates from the server certificate, through one or more intermediate certificates, up to the root certificate. Browsers follow this chain to verify that a certificate is trusted.

Root Certificate

The top-level certificate in the chain of trust. Root certificates are pre-installed in browsers and operating systems. A certificate is trusted only if its chain leads back to a recognized root.

Intermediate Certificate

A certificate between the server certificate and the root certificate in the chain of trust. CAs use intermediate certificates to sign server certificates, keeping the root certificate offline for security.

Certificate Formats

PEM

Privacy-Enhanced Mail. The most common Base64-encoded text format for certificates and keys. PEM files typically use .pem or .crt extensions and are the default format for Apache, Nginx, and most Unix/Linux platforms.

DER

Distinguished Encoding Rules. A binary encoding format for certificates. DER files use .der or .cer extensions and are used by some Java and Windows applications.

PFX / PKCS#12

A container format that bundles the certificate, intermediate chain, and private key into one encrypted file. PFX files use .pfx or .p12 extensions and are required for Microsoft IIS and Azure.
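Added example, not DNSimple's code, for the three format entries above: telling PEM from DER, splitting a PEM bundle into its blocks, converting DER to PEM, and summarising what a bundle contains (how many certificates, and whether a private key sits beside them, which a bundle handed to a third party should never contain). The two DER payloads are constructed minimal ASN.1 SEQUENCEs, not real certificates, so the example runs offline.

```python
# Added example (not DNSimple's code): PEM/DER detection, splitting and conversion.
import base64
import re

# One PEM block: BEGIN/END markers with matching labels around Base64 lines
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def detect_format(data: bytes) -> str:
    """'PEM' for text with a BEGIN marker, 'DER' for binary ASN.1, else 'unknown'."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        # 0x30 is an ASN.1 SEQUENCE tag. A PKCS#12 (.pfx/.p12) file is also
        # DER-encoded ASN.1, so this byte alone does not tell the two apart.
        return "DER"
    return "unknown"


def pem_blocks(data: bytes):
    """Return [(label, der_bytes)] for every block in a PEM file, in file order."""
    text = data.decode("ascii", errors="ignore")
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes as a PEM block; PEM bodies are Base64 wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def chain_summary(data: bytes):
    """(number of CERTIFICATE blocks, whether any PRIVATE KEY block is present)."""
    blocks = pem_blocks(data)
    certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    has_key = any(label.endswith("PRIVATE KEY") for label, _ in blocks)
    return certs, has_key


# Constructed payloads: valid DER SEQUENCEs holding an OCTET STRING, not real certs
FAKE_LEAF = b"\x30\x06\x04\x04leaf"
FAKE_INTERMEDIATE = b"\x30\x0e\x04\x0cintermediate"
BUNDLE = (der_to_pem(FAKE_LEAF) + der_to_pem(FAKE_INTERMEDIATE)).encode("ascii")

if __name__ == "__main__":
    print(detect_format(BUNDLE), detect_format(FAKE_LEAF))
    print("certificates in bundle, private key present:", chain_summary(BUNDLE))
    print(der_to_pem(FAKE_LEAF), end="")
```

For the PKCS#12 case the same container also holds the private key, which is why it is encrypted with a password; a PEM bundle that mixes a PRIVATE KEY block with certificates is unencrypted and should be treated with the same care as the key itself.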

Validation and Issuance

Domain Validation (DV)

The process by which a CA confirms the certificate requester controls the domain. DNSimple supports email-based validation (Sectigo) and DNS-based validation (Let’s Encrypt).

Common Name (CN)

The hostname field in a certificate identifying which domain the certificate protects. For a wildcard certificate, the Common Name is *.example.com.

CAA Record

Certification Authority Authorization. A DNS record that specifies which CAs are allowed to issue certificates for a domain. If CAA records are present and the CA is not listed, the certificate request will fail.
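Added example, not DNSimple's or any CA's code: the decision a CA makes when it consults CAA before issuing, following the lookup and tag rules of RFC 8659. The zone data is constructed; the CA identifiers `letsencrypt.org` and `sectigo.com` are the real values those CAs recognise in `issue`/`issuewild` records. The example walks from the requested name toward the root until it finds a CAA RRset, applies `issuewild` in preference to `issue` for wildcard names, and treats `issue ";"` as a block on all issuance.

```python
# Added example (not DNSimple's code): evaluate CAA records for a certificate request.
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]          # (flags, tag, value)

# Constructed zone: Let's Encrypt may issue for any name under example.com,
# Sectigo only for wildcard names, and nobody may issue under locked.example.com.
ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "sectigo.com"),
        (0, "iodef", "mailto:security@example.com"),   # where to report violations
    ],
    "locked.example.com": [
        (0, "issue", ";"),                # ';' alone forbids every CA
    ],
}


def relevant_caa(name: str, zone: Dict[str, List[CAARecord]] = ZONE) -> List[CAARecord]:
    """Climb from the name toward the root; the first label with CAA records wins."""
    labels = name.lower().rstrip(".").lstrip("*.").split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def ca_may_issue(name: str, ca_domain: str, zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """True if ca_domain is permitted to issue a certificate for name."""
    records = relevant_caa(name, zone)
    if not records:
        return True                        # no CAA anywhere in the hierarchy
    # An unknown tag with the critical flag (bit 7) set must stop issuance
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in records):
        return False
    tag = "issue"
    if name.startswith("*.") and any(t == "issuewild" for _, t, _ in records):
        tag = "issuewild"                  # issuewild overrides issue for wildcards
    values = [v for _, t, v in records if t == tag]
    if not values:
        return True                        # RRset present but no issue restriction
    # A value may carry parameters after ';' (e.g. "ca.example; validationmethods=dns-01")
    permitted = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in permitted


if __name__ == "__main__":
    for name, ca in [("www.example.com", "letsencrypt.org"), ("www.example.com", "sectigo.com"),
                     ("*.example.com", "sectigo.com"), ("*.example.com", "letsencrypt.org"),
                     ("app.locked.example.com", "letsencrypt.org"), ("other.org", "letsencrypt.org")]:
        print(f"{ca:16} -> {name:24} {'allowed' if ca_may_issue(name, ca) else 'refused'}")
```

The `www.example.com` / `sectigo.com` case is the one that surprises people: a record that lists only one CA silently refuses every other CA, so a CAA record added for Let's Encrypt will make a later Sectigo order fail until `sectigo.com` is added as well.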

ACME

Automated Certificate Management Environment. The protocol Let’s Encrypt uses for automated certificate issuance and renewal. DNSimple handles ACME challenges automatically for Let’s Encrypt certificates.

Certificate Lifecycle

Auto-Renewal

Automatic certificate renewal before expiration. In DNSimple, auto-renewal is supported for Let’s Encrypt certificates. Sectigo certificates must be reordered manually.

Reissue (Re-Key)

Generating a new private key and certificate for an existing certificate order, without purchasing a new certificate. Reissuing is useful if the private key has been compromised or if you need to change the certificate’s key algorithm.

Renewal

Purchasing a new certificate to replace one that is expiring. In DNSimple, renewing creates a new certificate order associated with the previous one, with some settings pre-filled.

Have More Questions?

If you have any questions about SSL certificate terminology, contact support, and we’ll be happy to help.