X.509 Certificates, SSL Certificates, TLS Certificates… What’s the difference?


We receive numerous inquiries regarding the different types of digital encryption certificates and protocols, what they are, how they work, and what the difference is between them. This article will explain the differences in a practical manner that doesn’t require advanced technical knowledge to understand.

X.509 certificates include multiple varieties that perform different functions.

X.509 is a standard defining the format of public key certificates. An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the hostname/domain, organization, or individual contained within the certificate. The X.509 certificate is either signed by a publicly trusted (meaning browsers trust it) Certificate Authority (like DigiCert, Sectigo, GlobalSign, etc.) or self-signed. When a certificate is signed by a trusted certificate authority, or validated by other means, someone holding that certificate can rely on the public key it contains to establish secure communications with another party, or validate documents digitally signed by the corresponding private key.

X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS. SSL and TLS are both network protocols that allow data to be transferred privately and securely between a web server and a web browser. Since SSL/TLS accounts for the majority of X.509 certificate use cases, we’ll clarify the difference between SSL and TLS.

Secure Sockets Layer (SSL) is the predecessor to TLS.

SSL is a cryptographic protocol designed to secure network communications. Netscape introduced SSLv2.0 in 1995, and after vulnerabilities were discovered, SSLv3.0 was created. In 1999 TLS v1.0 was introduced after SSLv3 was considered insecure due to the POODLE attack. The POODLE attack exploiting SSLv3 in 1999 led to the introduction of TLS v1.0. Some applications, such as browsers, are compatible with some of the SSL protocol versions, although SSL has been phased out in favor of the better TLS security.

Transport Layer Security (TLS) is the CURRENT encryption standard.

Like SSL, TLS is a cryptographic protocol used by websites to secure communications between their servers and web browsers. TLS replaced the older SSL protocol as the encryption standard protocol. This change was made mostly to avoid legal issues with the Netscape company, creator of SSL, so that the protocol could be developed as an open standard, free for all. TLS v1.3 is the current default standard protocol.

Should my website be using an SSL or TLS type X.509 certificate?

“SSL/TLS Certificate” is the phrase used by many X.509 certificate vendors, but in reality they are all X.509 certificates that can be used for SSL or TLS, since the protocols are determined by your server configuration, not the certificates themselves. If you want to check the protocols enabled on your server for a specific domain, the Secure128/SSL Labs tool is an excellent resource. While more people are becoming familiar with the term TLS, it’s likely we’ll continue to see X.509 certificates encrypting website communications referred to as SSL Certificates, because at this point that’s the term more people are familiar with. SSL/TLS is the compromise term until TLS becomes the standard verbiage among encryption users.
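
To see that the protocol version comes from the server configuration and not from the certificate, the following added example (not part of the original article) connects once per TLS version and records the fingerprint of the certificate served each time. The function names and the `example.com` host are assumptions for illustration; a server with several versions enabled will normally show the same fingerprint under each.

```python
import hashlib
import socket
import ssl
import warnings

# SSLv2/SSLv3 are omitted: current OpenSSL builds cannot offer them at all.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # This audits protocol support, not trust, so chain and hostname checks
    # are off; self-signed and internal certificates can be inspected too.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Python warns when a deprecated version (TLS 1.0/1.1) is selected.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe(host, port=443, timeout=5.0):
    """Return {version name: SHA-256 of the certificate served, or None}.

    None means the handshake failed from this client. The local OpenSSL
    policy may itself refuse TLS 1.0/1.1, so None is not proof the server
    has that version disabled.
    """
    results = {}
    for version in VERSIONS:
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    der = tls.getpeercert(binary_form=True)
                    results[version.name] = hashlib.sha256(der).hexdigest()
        except (OSError, ValueError):  # ssl.SSLError is an OSError
            results[version.name] = None
    return results


if __name__ == "__main__":
    # example.com is a placeholder; point this at a server you operate.
    for name, fp in probe("example.com").items():
        print(f"{name:8}", f"sha256={fp}" if fp else "not negotiated")
```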