What is a TLS Certificate? With an example

A TLS certificate (also called an SSL certificate) is a digital certificate that proves a website's identity to visitors. It enables HTTPS, which encrypts the data between a user's browser and the server.
When you visit a website with HTTPS (like https://example.com), your browser checks the TLS certificate to make sure:
- It's valid
- It's issued by a trusted Certificate Authority (CA)
- It's not expired
- It matches the domain name
Real Example
Let's look at the TLS certificate for https://www.google.com
Using the CLI, you can get the certificate details:
echo | openssl s_client -showcerts -servername google.com -connect google.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
You will get the decoded certificate, which looks like this:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9a:59:e3:69:20:54:81:cc:09:2f:9e:71:4d:cf:0b:42
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, O=Google Trust Services, CN=WE2
Validity
Not Before: Mar 20 11:18:50 2025 GMT
Not After : Jun 12 11:18:49 2025 GMT
Subject: CN=*.google.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:81:de:88:48:63:00:73:1b:60:b7:5f:7a:d1:93:
a1:a8:50:ea:59:f0:eb:f8:3d:aa:41:7e:48:e3:1d:
f1:16:57:c9:cf:41:c5:b0:c7:3e:4b:bc:00:c9:75:
25:91:b7:eb:e6:a3:03:73:cf:25:59:98:5f:76:d7:
3c:06:5e:9e:26
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
92:E6:2F:BA:C3:C2:DF:E6:3F:94:AE:58:48:6C:BB:B5:80:ED:AF:91
X509v3 Authority Key Identifier:
75:BE:C4:77:AE:89:F6:44:37:7D:CF:B1:68:1F:1D:1A:EB:DC:34:59
Authority Information Access:
OCSP - URI:http://o.pki.goog/we2
CA Issuers - URI:http://i.pki.goog/we2.crt
X509v3 Subject Alternative Name:
DNS:*.google.com, DNS:*.appengine.google.com, DNS:*.bdn.dev, DNS:*.origin-test.bdn.dev, DNS:*.cloud.google.com, DNS:*.crowdsource.google.com, DNS:*.datacompute.google.com, DNS:*.google.ca, DNS:*.google.cl, DNS:*.google.co.in, DNS:*.google.co.jp, DNS:*.google.co.uk, DNS:*.google.com.ar, DNS:*.google.com.au, DNS:*.google.com.br, DNS:*.google.com.co, DNS:*.google.com.mx, DNS:*.google.com.tr, DNS:*.google.com.vn, DNS:*.google.de, DNS:*.google.es, DNS:*.google.fr, DNS:*.google.hu, DNS:*.google.it, DNS:*.google.nl, DNS:*.google.pl, DNS:*.google.pt, DNS:*.googleapis.cn, DNS:*.googlevideo.com, DNS:*.gstatic.cn, DNS:*.gstatic-cn.com, DNS:googlecnapps.cn, DNS:*.googlecnapps.cn, DNS:googleapps-cn.com, DNS:*.googleapps-cn.com, DNS:gkecnapps.cn, DNS:*.gkecnapps.cn, DNS:googledownloads.cn, DNS:*.googledownloads.cn, DNS:recaptcha.net.cn, DNS:*.recaptcha.net.cn, DNS:recaptcha-cn.net, DNS:*.recaptcha-cn.net, DNS:widevine.cn, DNS:*.widevine.cn, DNS:ampproject.org.cn, DNS:*.ampproject.org.cn, DNS:ampproject.net.cn, DNS:*.ampproject.net.cn, DNS:google-analytics-cn.com, DNS:*.google-analytics-cn.com, DNS:googleadservices-cn.com, DNS:*.googleadservices-cn.com, DNS:googlevads-cn.com, DNS:*.googlevads-cn.com, DNS:googleapis-cn.com, DNS:*.googleapis-cn.com, DNS:googleoptimize-cn.com, DNS:*.googleoptimize-cn.com, DNS:doubleclick-cn.net, DNS:*.doubleclick-cn.net, DNS:*.fls.doubleclick-cn.net, DNS:*.g.doubleclick-cn.net, DNS:doubleclick.cn, DNS:*.doubleclick.cn, DNS:*.fls.doubleclick.cn, DNS:*.g.doubleclick.cn, DNS:dartsearch-cn.net, DNS:*.dartsearch-cn.net, DNS:googletraveladservices-cn.com, DNS:*.googletraveladservices-cn.com, DNS:googletagservices-cn.com, DNS:*.googletagservices-cn.com, DNS:googletagmanager-cn.com, DNS:*.googletagmanager-cn.com, DNS:googlesyndication-cn.com, DNS:*.googlesyndication-cn.com, DNS:*.safeframe.googlesyndication-cn.com, DNS:app-measurement-cn.com, DNS:*.app-measurement-cn.com, DNS:gvt1-cn.com, DNS:*.gvt1-cn.com, DNS:gvt2-cn.com, DNS:*.gvt2-cn.com, 
DNS:2mdn-cn.net, DNS:*.2mdn-cn.net, DNS:googleflights-cn.net, DNS:*.googleflights-cn.net, DNS:admob-cn.com, DNS:*.admob-cn.com, DNS:googlesandbox-cn.com, DNS:*.googlesandbox-cn.com, DNS:*.safenup.googlesandbox-cn.com, DNS:*.gstatic.com, DNS:*.metric.gstatic.com, DNS:*.gvt1.com, DNS:*.gcpcdn.gvt1.com, DNS:*.gvt2.com, DNS:*.gcp.gvt2.com, DNS:*.url.google.com, DNS:*.youtube-nocookie.com, DNS:*.ytimg.com, DNS:android.com, DNS:*.android.com, DNS:*.flash.android.com, DNS:g.cn, DNS:*.g.cn, DNS:g.co, DNS:*.g.co, DNS:goo.gl, DNS:www.goo.gl, DNS:google-analytics.com, DNS:*.google-analytics.com, DNS:google.com, DNS:googlecommerce.com, DNS:*.googlecommerce.com, DNS:ggpht.cn, DNS:*.ggpht.cn, DNS:urchin.com, DNS:*.urchin.com, DNS:youtu.be, DNS:youtube.com, DNS:*.youtube.com, DNS:music.youtube.com, DNS:*.music.youtube.com, DNS:youtubeeducation.com, DNS:*.youtubeeducation.com, DNS:youtubekids.com, DNS:*.youtubekids.com, DNS:yt.be, DNS:*.yt.be, DNS:android.clients.google.com, DNS:*.android.google.cn, DNS:*.chrome.google.cn, DNS:*.developers.google.cn, DNS:*.aistudio.google.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://c.pki.goog/we2/xuzt3PU9F_w.crl
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : CF:11:56:EE:D5:2E:7C:AF:F3:87:5B:D9:69:2E:9B:E9:
1A:71:67:4A:B0:17:EC:AC:01:D2:5B:77:CE:CC:3B:08
Timestamp : Mar 20 12:18:56.618 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:3A:82:2A:9B:01:F1:18:46:DA:4F:C8:74:
83:8E:07:93:86:AD:FF:DE:E8:49:E4:C2:68:D4:C0:85:
76:ED:9A:D3:02:20:0B:6A:90:A0:FE:FB:C4:DA:CF:61:
C0:EC:62:EE:76:73:EF:C0:96:1D:63:F9:B5:3C:A0:3E:
35:0A:BC:C1:B0:17
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : E6:D2:31:63:40:77:8C:C1:10:41:06:D7:71:B9:CE:C1:
D2:40:F6:96:84:86:FB:BA:87:32:1D:FD:1E:37:8E:50
Timestamp : Mar 20 12:18:57.585 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:21:00:DA:4A:51:5F:E0:D9:3F:7B:BA:DE:8F:
F7:1D:67:79:83:13:68:D8:40:F6:80:6A:2D:C5:2C:AE:
A1:26:40:BA:C6:02:20:61:24:F1:2F:0D:66:23:88:4A:
13:CB:AA:F9:84:77:72:7F:CF:23:7D:7A:81:52:59:7A:
83:7D:E5:C5:25:C5:26
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:19:91:27:bb:9e:cd:0b:d5:18:c4:67:2e:70:43:
59:b0:79:39:4b:1e:ec:ad:03:81:10:15:b9:bd:78:af:c8:4f:
02:21:00:cb:c0:0a:81:91:00:73:d6:31:54:d3:7f:28:eb:ec:
60:e6:7f:7d:1d:9e:b4:5f:f0:98:7b:25:ca:de:1f:2c:5d
Main details of Google's TLS certificate
Common Name (CN): *.google.com
→ This is a wildcard certificate that covers subdomains of google.com (like mail.google.com, docs.google.com, etc.).
Issued By: Google Trust Services, CN=WE2
→ The certificate was issued by Google’s own trusted Certificate Authority.
Validity Period:
Start: March 20, 2025
End: June 12, 2025
→ The certificate is valid for about 3 months.
Signature Algorithm: ECDSA with SHA-256
→ A modern, secure digital signature algorithm.
Public Key Type: Elliptic Curve (P-256) with a 256-bit key
→ Efficient and secure cryptography.
Key Usage: Digital Signature
Extended Key Usage: TLS Web Server Authentication
→ The certificate is used for authenticating secure web servers.
Subject Alternative Names (SAN):
→ Covers hundreds of domains and subdomains, including:
*.google.com, *.youtube.com, *.gstatic.com, *.android.com, google.com, youtu.be, etc.
(Also includes many .cn domains for Chinese services.)
Certificate Policies: Standard public certificate policy OID: 2.23.140.1.2.1
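The following is an added example, not code from the original post. It applies two of the browser checks listed at the top (not expired, matches the domain name) to an excerpt of the openssl dump shown above, using the standard rule that a wildcard stands for exactly one left-most label. The helper names `parse_cert_text`, `san_matches` and `check` are hypothetical, and trust in the issuing CA and the signature are not verified here.

```python
import re
from datetime import datetime, timezone

# Excerpt of the `openssl x509 -noout -text` dump above; SAN list shortened
# to five entries that appear in the original output.
CERT_TEXT = """\
Validity
    Not Before: Mar 20 11:18:50 2025 GMT
    Not After : Jun 12 11:18:49 2025 GMT
Subject: CN=*.google.com
X509v3 Subject Alternative Name:
    DNS:*.google.com, DNS:google.com, DNS:*.youtube.com, DNS:youtu.be, DNS:*.music.youtube.com
"""

def parse_cert_text(text):
    """Extract the validity window and DNS SAN entries from openssl's text dump."""
    def ts(label):
        raw = re.search(label + r"\s*:\s*(.+?) GMT", text).group(1)
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return ts("Not Before"), ts("Not After"), re.findall(r"DNS:([^,\s]+)", text)

def san_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label standing for exactly one label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])

def check(host, now, text=CERT_TEXT):
    """Return 'ok' or the first failed check (hypothetical helper, no chain validation)."""
    not_before, not_after, sans = parse_cert_text(text)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    if not any(san_matches(s, host) for s in sans):
        return "name mismatch"
    return "ok"

if __name__ == "__main__":
    april = datetime(2025, 4, 1, tzinfo=timezone.utc)
    july = datetime(2025, 7, 1, tzinfo=timezone.utc)
    for host, when in [("mail.google.com", april), ("google.com", april),
                       ("a.b.google.com", april), ("mail.google.com", july)]:
        print(f"{host:18} {when:%Y-%m-%d}  {check(host, when)}")
```

Note that `google.com` passes only because it is listed as its own SAN entry; `*.google.com` alone matches neither the bare domain nor `a.b.google.com`.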