What Is an SSL Certificate? Digital Identity for Servers
An SSL certificate is a signed digital document that proves a server owns a hostname and provides the public key that lets clients establish an encrypted HTTPS connection.
Despite the name, modern "SSL certificates" are used by TLS. They bind a hostname to a cryptographic key and are signed by a certificate authority that clients already trust. When a deploy serves the wrong certificate or an expired one, browsers and pipelines refuse the connection, so certificates are a recurring operational concern.
What is inside a certificate
A certificate contains the hostname it covers, a public key, an issuer, and validity dates, all signed by a certificate authority. The signature is what lets clients trust it without contacting the authority directly.
The chain of trust
Browsers and runners ship with a list of trusted root authorities. A server certificate chains up through intermediates to one of those roots. If any link is missing, validation fails even when the certificate itself is fine.
Validity and expiry
- Certificates have an expiry date and must be renewed.
- An expired certificate breaks every client connection.
- Automated renewal, such as ACME, prevents surprise outages.
Certificates in deployments
Pipelines often provision certificates for new hostnames or rotate them on a schedule. A load balancer or CDN typically holds the certificate and terminates TLS, so the deploy must attach the right one to the right hostname.
How certificate problems surface in CI
A job calling an internal service with a self-signed or custom-CA certificate fails with "certificate verify failed" unless the runner trusts that authority. Clock skew on a runner can also make a valid certificate appear expired.
Not a transient failure
Certificate errors are deterministic: they fail the same way every run until the certificate, chain, or trust store is fixed. They are exactly the class of failure that retrying cannot solve, so Latchkey surfaces them rather than masking them with retries.
Key takeaways
- An SSL/TLS certificate binds a hostname to a public key and is signed by a trusted authority.
- Validation needs the full chain plus an unexpired certificate matching the hostname.
- Certificate errors are deterministic and must be fixed, not retried.