
Plain-English explainer · 2026

SSL vs TLS certificate: what the difference actually is

SSL is the old protocol, TLS is the current one, and the certificate is the same X.509 file either way. Here is what the names mean, why everyone still says "SSL", what TLS 1.3 changed, and how to check what your site is actually serving.

Independent guide. No vendor affiliation.

The one-line answer

SSL and TLS are protocols. The certificate is the same X.509 file used by both.

When a CA "issues an SSL certificate", they are issuing an X.509 certificate that your server presents during the TLS handshake. There is no separate "TLS certificate" product. The names refer to which version of the protocol negotiates the connection — and in 2026, every modern browser uses TLS 1.2 or TLS 1.3, never SSL.

A 30-second history

  • SSL 2.0 (1995) — Netscape. Broken almost immediately. Disabled everywhere.
  • SSL 3.0 (1996) — Netscape again. Killed by the POODLE attack in 2014. Disabled everywhere.
  • TLS 1.0 (1999) — IETF rebrand of SSL 3.1. Deprecated by browsers in 2020.
  • TLS 1.1 (2006) — Minor improvements. Also deprecated in 2020.
  • TLS 1.2 (2008) — Still widely used. SHA-256, AEAD ciphers, modern cipher suites.
  • TLS 1.3 (2018) — The current standard. 1-RTT handshake, forward secrecy by default, dramatically slimmer cipher menu.

The protocol was renamed from SSL to TLS when the IETF took it over from Netscape in 1999. Cisco famously didn't want "SSL 3.1" to look like a Microsoft product, so "TLS 1.0" got the new name. The certificates kept being called SSL certificates because that is what customers had been buying for years.

"SSL certificate" vs "TLS certificate" side by side

The marketing terms differ. The file on disk does not.

|                  | "SSL certificate"                                   | "TLS certificate"                         |
|------------------|-----------------------------------------------------|-------------------------------------------|
| File format      | X.509                                               | X.509 (same)                              |
| Used by protocol | TLS 1.2 / 1.3 in 2026                               | TLS 1.2 / 1.3 in 2026                     |
| Issued by        | CAs like Let's Encrypt, Sectigo, DigiCert, GoDaddy  | Same CAs, same product                    |
| Browser padlock  | Yes                                                 | Yes (same padlock)                        |
| Encryption       | Whatever the TLS handshake negotiates               | Same                                      |
| Expiry behaviour | X.509 notAfter date                                 | X.509 notAfter date (same)                |
| Marketing usage  | Common in vendor branding                           | Common in technical RFCs and documentation |

If a vendor charges extra for a "TLS certificate" over an "SSL certificate", they are selling you a label, not a different product.

What TLS 1.3 actually changed

TLS 1.3 is worth understanding because it changed both the security model and the performance profile.

  • 1-RTT handshake. Older TLS needed two round trips before sending data. TLS 1.3 needs one. There is also a 0-RTT mode for resumed sessions, with caveats around replay attacks.
  • Forward secrecy by default. All TLS 1.3 cipher suites use ephemeral Diffie-Hellman. Past traffic cannot be decrypted even if the server's private key leaks later.
  • Slim cipher menu. TLS 1.3 ships with five cipher suites, all AEAD. The TLS 1.2 menu had hundreds, many with footguns (RC4, CBC, RSA key exchange).
  • Encrypted handshake. Most of the handshake itself is encrypted, including the certificate, reducing metadata leak.
  • Same certificate. Your existing X.509 cert works on TLS 1.3 with no change.

In 2026, the vast majority of TLS connections from modern browsers negotiate TLS 1.3. Anything still capped at TLS 1.2 usually means an old load balancer config or a fronting proxy that has not been updated.

How to check which TLS version your site is serving

Three quick options:

1. openssl from the command line

# test TLS 1.3 directly
openssl s_client -tls1_3 -connect example.com:443 -servername example.com </dev/null \
  | grep -E "Protocol|Cipher"

# fall back to test TLS 1.2
openssl s_client -tls1_2 -connect example.com:443 -servername example.com </dev/null \
  | grep -E "Protocol|Cipher"

2. SSL Labs Server Test

ssllabs.com/ssltest gives you a full grade including supported protocol versions, cipher suites, key strength, OCSP stapling and known vulnerability checks. Slow but thorough.

3. Telegram one-liner

Send /check example.com to @CertimonBot. You get issuer, alt names, expiry date and days remaining in one message. For a guided walkthrough, see "Check SSL certificate expiration date".
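The same checks can be scripted. The following is an added example, not code from this guide or from any tool it mentions: it pins a handshake to one TLS version at a time, records what was negotiated, and computes days remaining from the X.509 notAfter field. The names probe, days_remaining, report, EXP and SAMPLE are hypothetical, and the sample results are constructed rather than captured from a real host.

```python
import socket
import ssl
import time

DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}  # broken or deprecated per the history above


def probe(host, version, port=443, timeout=5.0):
    """Handshake pinned to one ssl.TLSVersion; None if that version is refused."""
    # None for TLS 1.0/1.1 can also mean the local OpenSSL build rejects them.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                        "notAfter": tls.getpeercert()["notAfter"]}
    except ssl.SSLCertVerificationError:
        raise  # expired or untrusted certificate: a finding, not a refusal
    except (ssl.SSLError, ConnectionResetError):
        return None


def days_remaining(not_after, now=None):
    """Whole days until an X.509 notAfter string as returned by getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def report(results, now=None):
    """Summarise {label: probe() result} for one host."""
    ok = {k: r for k, r in results.items() if r}
    expiries = {r["notAfter"] for r in ok.values()}
    return {
        "accepted": sorted(ok),
        "deprecated": sorted(k for k, r in ok.items() if r["protocol"] in DEPRECATED),
        "same_expiry": len(expiries) <= 1,
        "days_remaining": min((days_remaining(e, now) for e in expiries), default=None),
    }


# Constructed results (not from a real host): a server capped at TLS 1.2.
EXP = "Dec  1 00:00:00 2026 GMT"
SAMPLE = {
    "TLSv1_1": {"protocol": "TLSv1.1", "cipher": "ECDHE-RSA-AES128-SHA", "notAfter": EXP},
    "TLSv1_2": {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256", "notAfter": EXP},
    "TLSv1_3": None,
}
if __name__ == "__main__":
    print(report(SAMPLE, now=ssl.cert_time_to_seconds("Nov  1 00:00:00 2026 GMT")))
```

For a live host, build the results with probe(host, ssl.TLSVersion.TLSv1_2) and probe(host, ssl.TLSVersion.TLSv1_3) and pass them to report().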

Why this matters for buying and monitoring

Two practical takeaways:

  • Buying. Don't let a vendor upsell a "TLS certificate" as a separate product over an "SSL certificate". It is the same X.509 file. The interesting axes when buying are validation tier (DV vs OV vs EV), wildcard vs single-name, and lifetime — not the SSL-vs-TLS label.
  • Monitoring. Whether you call it SSL or TLS, the certificate still expires on a fixed date. The failure mode is identical: NET::ERR_CERT_DATE_INVALID, broken APIs, dropped trust. SSL certificate expiry is the same problem whether you negotiated TLS 1.2 or TLS 1.3.

For the buying side, see "Do you actually need to buy an SSL certificate in 2026?" and "Free SSL certificate providers compared". For the renewal side, see "SSL certificate renewal".

Monitor any SSL or TLS certificate in 30 seconds

Certimon is a free SSL certificate monitoring service. It pulls the X.509 certificate from any public HTTPS host and pings you on Telegram, Microsoft Teams or PagerDuty before it expires. Same tool covers TLS 1.2 and TLS 1.3, paid or free, any CA.

  1. Open @CertimonBot on Telegram.
  2. Send /remind example.com 30
  3. You get a Telegram message 30 days before the certificate expires.

FAQ

What is the difference between an SSL certificate and a TLS certificate?

None. They are the same X.509 certificate. SSL and TLS are protocol names; the certificate is what the server presents during the handshake regardless of which version is negotiated.

Should I buy an "SSL certificate" or a "TLS certificate"?

Whichever a vendor offers, you are buying the same thing. "SSL certificate" is the more common marketing term. "TLS certificate" appears more in technical documentation. Same X.509 file, same use.

Is TLS more secure than SSL?

Yes. SSL 2.0 and 3.0 are broken and disabled. TLS 1.0 and 1.1 were deprecated in 2020. TLS 1.2 is fine; TLS 1.3 is faster, has forward secrecy by default, and removes a lot of footgun cipher suites.

How do I check which TLS version my site uses?

Run openssl s_client -tls1_3 -connect example.com:443 or use SSL Labs' Server Test. For a quick certificate expiry check, send /check example.com to @CertimonBot.

Do TLS certificates expire the same way SSL certificates do?

Yes — they are the same certificate. The expiry date lives in the X.509 notAfter field. By 2029 maximum lifetimes will be 47 days, so monitoring matters more than ever.

Why do people still say "SSL" if everything uses TLS?

Branding inertia. CAs sold "SSL certificates" through the late 1990s and the name stuck even after the protocol was renamed to TLS in 1999. Most CAs, hosts and CDNs still market the product as SSL.

Same certificate. Same expiry. Same monitoring.

Whether you call it SSL or TLS, the certificate still expires on a fixed date. Certimon sends free Telegram, Microsoft Teams and PagerDuty alerts before it does. No account, no agents, no credit card.
