SSL/TLS Certificate Management Guide
Best practices for managing SSL/TLS certificates across your infrastructure.
Certificate Types
SSL/TLS certificates come in three validation levels:
- Domain Validation (DV) — Proves domain ownership. Issued in minutes. Free from Let's Encrypt
- Organization Validation (OV) — Verifies the organization's identity. Takes 1-3 days
- Extended Validation (EV) — Rigorous verification of legal entity. Shows organization name in some browsers
For most websites, DV certificates provide sufficient security. OV/EV add trust signals but do not provide stronger encryption.
Automated Certificate Management
Manual certificate management does not scale. Use automation:
# Let's Encrypt with certbot
sudo certbot --nginx -d example.com -d www.example.com
# Test renewal without changing anything; the certbot package usually installs a systemd timer or cron job that runs `certbot renew` automatically
sudo certbot renew --dry-run
For cloud deployments, use managed certificate services (AWS Certificate Manager, Google-managed SSL) that handle renewal automatically.
Certificate Monitoring
Expired certificates cause outages and security warnings. Monitor proactively:
- Certificate Transparency (CT) logs — Detect unauthorized certificate issuance for your domains
- Monitoring tools — Services like UptimeRobot or custom scripts check certificate expiry dates
- Alerts — Set alerts for certificates expiring within 30 days
Best Practices
Use short-lived certificates (90 days, as Let's Encrypt does) to limit the impact of key compromise. Deploy HSTS headers to prevent SSL stripping attacks. Use OCSP stapling to reduce the latency of certificate validation. Keep your private keys secure — never store them in version control or share them across services.