SSL Certificates in Practice: Getting HTTPS Working on a Real Deployment

You know HTTPS keeps traffic encrypted — but how do you actually get a certificate onto a live server and keep it valid? Learn what an SSL certificate really is, how issuance and renewal work, where files live, and the practical gotchas that bite real deployments.

Published October 28, 202610 min readBy ACY Partner Indonesia
SSL certificates in practice — getting HTTPS working on a live deployment
300 × 250Ad Space AvailablePlace your ad here

There’s a moment in almost every deployment where the app works perfectly over plain HTTP, the team is happy, and then someone opens the site in a browser and sees a big red “Not secure” warning. Suddenly the question stops being theoretical. You don’t just need to know that HTTPS uses certificates — you need a real certificate, installed on a real server, trusted by real browsers, and you need it to keep working next month without anyone babysitting it.

This article is about that practical side. We’ll assume you already grasp the idea that HTTPS encrypts traffic — if the underlying handshake is still fuzzy, the conceptual companion to this piece is SSL, TLS, and HTTPS. Here, the goal is different: how a certificate actually gets onto a box, what files you’re dealing with, how renewal works, and the small mistakes that turn a five-minute task into a stressful afternoon.

What an SSL certificate actually is

Strip away the jargon and a certificate is a small file that does two jobs at once. First, it carries a public key that lets a browser set up encryption with your server. Second, it carries a signed statement that says, in effect, “a trusted authority checked that whoever controls this certificate also controls the domain example.com.” That second part is the whole point. Encryption alone is easy; proving you are who you say you are is the hard problem a certificate solves.

The signature comes from a Certificate Authority (CA) — an organization that browsers and operating systems already trust by default. When a visitor connects, their browser checks the chain: your certificate is signed by the CA, the CA is on the browser’s built-in trust list, the domain matches, and the date hasn’t expired. If every link holds, you get the padlock. If any link breaks, the browser throws a warning and most users leave.

SSL or TLS?

You’ll see “SSL certificate” everywhere, but the actual protocol securing your traffic today is TLS — SSL is the older, now-retired version. The name “SSL certificate” simply stuck around out of habit. The certificate file itself isn’t really SSL or TLS; it’s just a credential both protocols use. So when a host advertises “free SSL,” they mean a certificate that works with modern TLS. Don’t let the naming confuse you.

The cast of files you’ll meet

When you provision a certificate, you don’t get a single magic file — you get a small set, and knowing what each one is saves a lot of confusion. Here’s the typical lineup:

  • Private key — a secret file (often privkey.pem or something.key) generated on your server. This never leaves the machine and is never shared. If it leaks, your certificate is compromised. Everything else can be public; this one cannot.
  • Certificate — the signed public file (cert.pem or something.crt) that proves your domain. This is what the CA hands back to you.
  • Chain / intermediate certificate — one or more files that connect your certificate up to the CA’s root. Browsers need this to verify the trust path. Forgetting it is the single most common “works on my machine, fails for users” bug.
  • Fullchain — many tools bundle your certificate plus the chain into one convenient file (fullchain.pem) so the server can serve everything in the right order.
   how the trust chain links together

   Root CA          (trusted by the browser already)
      │  signs

   Intermediate CA  (the "chain" file)
      │  signs

   Your certificate (cert.pem — your domain)
      │  pairs with

   Private key      (privkey.pem — secret, stays on server)

The browser walks up that chain. It starts with your certificate, follows the chain to a root it trusts, and only then decides you’re legitimate. Serve the chain incorrectly and some browsers (often older ones or non-browser clients like mobile apps) will reject the connection even though your certificate is perfectly valid.

How a certificate gets issued

Behind every certificate is a small ritual called the issuance flow. Understanding it demystifies why the automated tools do what they do.

  1. Generate a key pair. Your server creates a private key (kept secret) and a matching public key.
  2. Create a CSR. You bundle the public key plus details like your domain name into a Certificate Signing Request and send it to the CA. The CSR never contains your private key.
  3. Prove you control the domain. The CA challenges you to demonstrate ownership — usually by placing a specific file at a path on your site, or adding a specific DNS record. This is domain validation, and it’s why you can’t just request a certificate for a domain you don’t own.
  4. Receive the signed certificate. Once validation passes, the CA signs your certificate and sends it back, along with the chain.
  5. Install it. You point your server software at the certificate, the chain, and the private key, and reload. Traffic is now encrypted and trusted.

For years this was a manual, sometimes paid, often annoying process. Then the ACME protocol standardized all of it, and free CAs made certificates automatic and zero-cost. Today a single command on your server can run the entire flow — generate the key, submit the CSR, answer the validation challenge, fetch the certificate, and install it — in a few seconds.

Domain validation, in plain terms

The two common validation methods map neatly to two situations. HTTP validation asks you to serve a token file from your live site — simple, but it requires the site to already be reachable on the domain. DNS validation asks you to add a TXT record — slightly more setup, but it works even before the server is live and is the only option for wildcard certificates (one cert covering *.example.com). If you’re issuing for a domain that isn’t pointed at the server yet, reach for DNS validation. The companion piece on domains and DNS explains the record types this relies on.

Certificates expire — and that’s by design

Here’s the fact that catches most people off guard: certificates are short-lived on purpose. A typical free certificate is valid for around 90 days, and the industry has been steadily pushing that window shorter, not longer. It feels inconvenient, but it’s a deliberate security trade-off. If a private key is ever quietly compromised, a short lifetime limits how long the damage can last. A certificate that’s valid for years is a long-lived liability.

The catch is obvious: a certificate that expires every 90 days is a recurring chore, and a forgotten renewal means your whole site goes dark behind a scary browser warning. The answer is automated renewal. The same tooling that issues certificates can be scheduled to check them regularly and renew before they expire — typically with a window of several weeks to spare, so a single failed attempt isn’t a catastrophe.

# the shape of a typical automated-renewal check
# (run on a schedule, e.g. twice a day)

renew-certificates --check
# → certificate for example.com expires in 27 days → renewing...
# → certificate for example.com expires in 81 days → nothing to do

The key mental model: issuance is a one-time event, renewal is a forever process. A deployment isn’t “done” with HTTPS the moment the padlock appears. It’s done when renewal is automated and something tells you if that automation ever fails.

The number-one HTTPS outage: forgotten renewal

Far more sites go down from an expired certificate than from any clever attack. The automation was set up once, then the server was rebuilt, or the cron job silently broke, or the renewal needed a port that a new firewall rule had since closed. Two habits prevent almost all of these: (1) confirm the renewal job actually ran successfully at least once after setup, not just that it’s scheduled, and (2) add expiry monitoring that alerts you weeks ahead — an external check that simply watches the certificate’s expiry date is enough. Treat a renewal that hasn’t proven itself as not done.

After install: making HTTPS actually stick

Getting a valid certificate served is the milestone, but a production-grade setup usually adds a few finishing touches so visitors land on the secure version every time.

  • Redirect HTTP to HTTPS. With a certificate in place you can still be reached over plain http://. A redirect rule sends every such request to the https:// version, so no one accidentally browses unencrypted.
  • HSTS. A response header (HTTP Strict Transport Security) tells browsers to only ever use HTTPS for your domain going forward, even if a user types http:// or clicks an old link. It closes the brief window before the redirect kicks in. Turn it on only once you’re confident HTTPS is solid, because it’s sticky by design.
  • Cover every name. A certificate is issued for specific names. If you serve both example.com and www.example.com, both need to be on the certificate, or one of them will throw a warning. Listing the names you actually use is a quick check that saves a confusing bug report later.
  • Mind the renewal’s needs. HTTP validation needs a specific path reachable on port 80; DNS validation needs API access to your DNS. Whatever method renewal uses, make sure nothing in your deployment (a firewall rule, a blanket redirect, a locked-down DNS) quietly breaks it down the line.

If you’re deploying behind a load balancer or a managed platform, the certificate often lives at that edge layer rather than on each individual server — the platform terminates TLS for you. The concepts are identical; only the place the certificate sits changes. This is a natural extension of the ideas in how deployment works, where the request first hits an edge before reaching your application.

Why this matters beyond the padlock

It’s tempting to treat HTTPS as a checkbox — get the padlock, move on. But the certificate is doing real, ongoing work every second your site is live. It’s the reason a visitor’s password isn’t readable by anyone on the same coffee-shop Wi-Fi, the reason a payment form can be trusted, and the reason browsers and search engines treat your site as legitimate rather than flagging it. Modern browsers increasingly refuse to load insecure content, and many web features simply won’t run without HTTPS at all.

So the practical skill here isn’t a one-off command you memorize. It’s the mindset: a certificate is a credential with an expiry date, tied to a domain, backed by a chain of trust, and kept alive by automation you can verify. Get that loop right once, and HTTPS stops being a fire drill and becomes the quiet, boring infrastructure it’s supposed to be.

Wrapping up

The whole picture, condensed:

  • An SSL/TLS certificate is a signed file that both enables encryption (via its public key) and proves you control a domain (via a CA’s signature).
  • You’ll handle a small set of files — a secret private key, the certificate, and the chain that links it to a trusted root. Serving the chain wrong is the classic silent failure.
  • Issuance follows a fixed flow: generate a key, submit a CSR, pass domain validation (HTTP or DNS), receive the signed certificate, install it. The ACME protocol made this free and automatic.
  • Certificates are short-lived on purpose. Automated renewal plus expiry monitoring is what keeps a site secure long-term — expired certificates cause far more outages than attacks do.
  • Finish the job with an HTTP→HTTPS redirect, optionally HSTS, and by making sure every domain name you use is covered.

Next, it’s worth following the request one step further out — how a domain actually gets pointed at the right environment so that the certificate, the DNS, and the server all line up on the same address your visitors type.

Tags:serverdeploymentsslhttpstls
728 × 90Ad Space AvailablePlace your ad here

Related Articles

See All Articles

You Might Also Like

SSL and encryption at rest — data protected in transit and on disk
Server / Server Security

SSL and Encryption at Rest: Protecting Data Both in Transit and on Disk

Encryption protects your data in two places: while it travels the network (in transit) and while it sits on disk (at rest). Learn the difference, why you need both, how TLS, full-disk encryption, and key management actually fit together, and the practical mistakes to avoid — explained from the.

Nov 9, 202613 min read
Securing ports and services — closing the doors on a server you don't use
Server / Server Security

Securing Ports and Services: Closing the Doors You Don't Use

Every open port on a server is a door someone could try to walk through. Learn what ports and services really are, why an exposed service is your biggest risk, and the simple discipline of closing everything you don't need — explained from the ground up.

Nov 8, 202611 min read
Principle of least privilege — granting only the minimum access each user and process needs
Server / Server Security

The Principle of Least Privilege: Give Everything Only the Access It Truly Needs

Least privilege is the quiet rule behind almost every solid security setup: every user, process, and key gets the minimum access required to do its job, and nothing more. Learn what it means, why it limits the blast radius of any breach, and how to apply it across users, services, files, and keys.

Nov 7, 202613 min read
Fail2ban and intrusion basics — watching logs and automatically banning repeated abusers
Server / Server Security

Fail2ban and Intrusion Basics: Automatically Banning the Bots Hammering Your Server

Attackers don't stop after one failed guess — they keep hammering, thousands of times a day. Learn how intrusion attempts actually look, what fail2ban does, how it watches your logs and bans abusers automatically, and how to set it up sensibly without locking yourself out — explained from zero.

Nov 6, 202613 min read
Keeping software updated — closing known security holes before attackers use them
Server / Server Security

Keeping Software Updated: The Boring Habit That Stops Most Server Breaches

Most servers don't get hacked through clever new attacks — they get hacked through old, known holes that a simple update would have closed. Learn why updates matter, what to update, how to do it safely without breaking things, and how to make it a habit instead of a panic.

Nov 5, 202610 min read
Firewall configuration — a default-deny rule set that opens only the ports you need
Server / Server Security

Firewall Configuration: Setting Up Default-Deny Rules Without Locking Yourself Out

Knowing what a firewall is and actually configuring one well are two different skills. Learn how to write a default-deny rule set, order rules correctly, allow your own access first, handle IPv6 and cloud security groups, and test before you commit — a practical, vendor-neutral guide from zero.

Nov 4, 202615 min read