A TLS certificate (also called an SSL certificate) is a digital certificate that proves a website's identity: it binds the site's domain name to a public key, and a Certificate Authority vouches for that binding. It enables HTTPS, which encrypts the data between a user's browser and the server.
When you visit a website with HTTPS (like https://example.com), your browser checks the TLS certificate to make sure:
- It's valid
- It's issued by a trusted Certificate Authority (CA)
- It's not expired
- It matches the domain name
Real Example
Let's look at the TLS certificate for https://www.google.com
Using the CLI, you can get the certificate details:
echo | openssl s_client -showcerts -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
You will get the decoded certificate, which looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9a:59:e3:69:20:54:81:cc:09:2f:9e:71:4d:cf:0b:42
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, O=Google Trust Services, CN=WE2
Validity
Not Before: Mar 20 11:18:50 2025 GMT
Not After : Jun 12 11:18:49 2025 GMT
Subject: CN=*.google.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:81:de:88:48:63:00:73:1b:60:b7:5f:7a:d1:93:
a1:a8:50:ea:59:f0:eb:f8:3d:aa:41:7e:48:e3:1d:
f1:16:57:c9:cf:41:c5:b0:c7:3e:4b:bc:00:c9:75:
25:91:b7:eb:e6:a3:03:73:cf:25:59:98:5f:76:d7:
3c:06:5e:9e:26
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
92:E6:2F:BA:C3:C2:DF:E6:3F:94:AE:58:48:6C:BB:B5:80:ED:AF:91
X509v3 Authority Key Identifier:
75:BE:C4:77:AE:89:F6:44:37:7D:CF:B1:68:1F:1D:1A:EB:DC:34:59
Authority Information Access:
OCSP - URI:http://o.pki.goog/we2
CA Issuers - URI:http://i.pki.goog/we2.crt
X509v3 Subject Alternative Name:
DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS:*.origin-test.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.datacompute.google.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic-cn.com, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecnapps.cn, DNS:googledownloads.cn, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:recaptcha-cn.net, DNS:*.recaptcha-cn.net, DNS:widevine.cn, DNS:*.widevine.cn, DNS:ampproject.org.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:googleadservices-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doubleclick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-cn.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager-cn.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measurement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, 
DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.googleflights-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:googlesandbox-cn.com, DNS:*.googlesandbox-cn.com, DNS:*.safenup.googlesandbox-cn.com, DNS:*.gstatic.com, DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com, DNS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn, DNS:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:music.youtube.com, DNS:*.music.youtube.com, DNS:youtubeeducation.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com, DNS:*.android.google.cn, DNS:*.chrome.google.cn, DNS:*.developers.google.cn, DNS:*.aistudio.google.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://c.pki.goog/we2/xuzt3PU9F_w.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : CF:11:56:EE:D5:2E:7C:AF:F3:87:5B:D9:69:2E:9B:E9:
1A:71:67:4A:B0:17:EC:AC:01:D2:5B:77:CE:CC:3B:08
Timestamp : Mar 20 12:18:56.618 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:3A:82:2A:9B:01:F1:18:46:DA:4F:C8:74:
83:8E:07:93:86:AD:FF:DE:E8:49:E4:C2:68:D4:C0:85:
76:ED:9A:D3:02:20:0B:6A:90:A0:FE:FB:C4:DA:CF:61:
C0:EC:62:EE:76:73:EF:C0:96:1D:63:F9:B5:3C:A0:3E:
35:0A:BC:C1:B0:17
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E6:D2:31:63:40:77:8C:C1:10:41:06:D7:71:B9:CE:C1:
D2:40:F6:96:84:86:FB:BA:87:32:1D:FD:1E:37:8E:50
Timestamp : Mar 20 12:18:57.585 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:DA:4A:51:5F:E0:D9:3F:7B:BA:DE:8F:
F7:1D:67:79:83:13:68:D8:40:F6:80:6A:2D:C5:2C:AE:
A1:26:40:BA:C6:02:20:61:24:F1:2F:0D:66:23:88:4A:
13:CB:AA:F9:84:77:72:7F:CF:23:7D:7A:81:52:59:7A:
83:7D:E5:C5:25:C5:26
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:19:91:27:bb:9e:cd:0b:d5:18:c4:67:2e:70:43:
59:b0:79:39:4b:1e:ec:ad:03:81:10:15:b9:bd:78:af:c8:4f:
02:21:00:cb:c0:0a:81:91:00:73:d6:31:54:d3:7f:28:eb:ec:
60:e6:7f:7d:1d:9e:b4:5f:f0:98:7b:25:ca:de:1f:2c:5d
Main details of Google's TLS certificate
Common Name (CN): *.google.com
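→ This is a wildcard certificate that covers the direct subdomains of google.com (like mail.google.com, docs.google.com, etc.). A wildcard stands for a single label, so it does not cover google.com itself or deeper names such as a.b.google.com.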
Issued By: Google Trust Services, CN=WE2
→ The certificate was issued by Google’s own trusted Certificate Authority.
Validity Period:
Start: March 20, 2025
End: June 12, 2025
→ The certificate is valid for about 3 months.
Signature Algorithm: ECDSA with SHA-256
→ A modern, secure digital signature algorithm.
Public Key Type: Elliptic Curve (P-256) with a 256-bit key
→ Efficient and secure cryptography.
Key Usage: Digital Signature
Extended Key Usage: TLS Web Server Authentication
→ The certificate is used for authenticating secure web servers.
Subject Alternative Names (SAN):
→ Covers hundreds of domains and subdomains, including:
*.google.com, *.youtube.com, *.gstatic.com, *.android.com, google.com, youtu.be, etc.
(Also includes many .cn domains for Chinese services.)
Certificate Policies: Standard public certificate policy OID: 2.23.140.1.2.1
OCSP & CRL URLs:
→ Used for revocation checks: OCSP for real-time status queries, and a CRL (Certificate Revocation List) that clients can download.
Certificate Transparency (CT) Logs:
→ Contains signed timestamps from two CT logs, proving the certificate was publicly logged.
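Two of the browser checks listed at the top (the name matches, the certificate is not expired) applied to the fields decoded above. This is an added example, not code from the original article; the function names and the `warn_days` threshold are assumptions, and chain validation and revocation are left to the TLS library.

```python
from datetime import datetime, timezone

# Fields copied from the decoded certificate above; the SAN list is shortened.
NOT_BEFORE = "Mar 20 11:18:50 2025 GMT"
NOT_AFTER = "Jun 12 11:18:49 2025 GMT"
SAN = ["*.google.com", "google.com", "*.youtube.com", "music.youtube.com",
       "*.music.youtube.com", "youtu.be", "*.gstatic.com"]


def parse_openssl_time(text):
    """Parse the 'Mar 20 11:18:50 2025 GMT' format printed by openssl x509 -text."""
    parsed = datetime.strptime(text, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def san_matches(pattern, hostname):
    """Match one SAN DNS entry against a hostname.

    A '*' is honoured only as the whole left-most label and stands for exactly
    one label, so '*.google.com' covers 'mail.google.com' but neither
    'google.com' nor 'a.b.google.com'. Simplification (assumption): no
    public-suffix list, a wildcard just needs at least two labels after it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_certificate(hostname, now, warn_days=30):
    """Run the name and validity-window checks against the fields above."""
    start, end = parse_openssl_time(NOT_BEFORE), parse_openssl_time(NOT_AFTER)
    days_left = (end - now).days
    return {
        "name_ok": any(san_matches(name, hostname) for name in SAN),
        "time_ok": start <= now <= end,
        "days_left": days_left,
        "renew_soon": 0 <= days_left < warn_days,
    }


if __name__ == "__main__":
    # Constructed check date inside the validity window.
    when = datetime(2025, 5, 20, tzinfo=timezone.utc)
    for host in ("www.google.com", "google.com", "a.b.google.com", "youtu.be"):
        print(host, check_certificate(host, when))
```

The explicit `google.com` entry in the SAN list is what makes the bare domain pass; the wildcard alone would not.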
How to Know if an Issuer is Trustworthy
When you see something like this:
Issuer: C=US, O=Google Trust Services, CN=WE2
You're looking at the Certificate Authority (CA) that signed the certificate. But how do you know it's legit?
Here’s how to check.
Check If It’s in the Trusted Root Store
Operating systems (like Windows, macOS, Linux) and browsers (Chrome, Firefox) have a built-in list of trusted CAs, called a trusted root store.
If the issuer’s certificate chains up to a root certificate in that list, it's considered trustworthy.
How to check:
- Open your browser.
- Go to the website using the cert (e.g., https://www.google.com).
- Click the padlock icon → View certificate details.
- Check the certificate chain — if it says “trusted”, your browser already trusts the issuer.
In this case, Google Trust Services (CN=WE2) is trusted because:
- It chains up to a trusted root certificate.
- Google Trust Services is a publicly recognized Certificate Authority.
Look Up the CA in the Certificate Transparency Logs
You can search for Google Trust Services / WE2 in public Certificate Transparency (CT) logs:
crt.sh
Google Certificate Transparency
This shows how many certificates the CA has issued and confirms it’s active and used widely.
Verify on CA’s Official Site
You can check the issuer by name:
Google Trust Services CA info:
pki.goog
This is Google's official site for their public CAs, including WE2.
Get Notified with a Telegram Bot
Want to automate TLS monitoring and get notified before a certificate expires? Use a Telegram bot that can monitor TLS certificate expiration for you.