Public Key Infrastructure (PKI) and Transport Layer Security (TLS/SSL) form the foundation of secure digital communications, enabling encrypted connections and identity verification across the internet. PKI provides the organizational framework for managing digital certificates and cryptographic keys, while TLS/SSL protocols use these certificates to establish secure, authenticated channels between clients and servers. Understanding certificate types, validation mechanisms, and the TLS handshake process is essential for implementing robust security architectures, from basic HTTPS websites to complex zero-trust environments requiring mutual authentication.
What This Cheat Sheet Covers
This topic is organized into 20 focused tables covering 174 indexed concepts. Below is a complete table-by-table outline, running from foundational concepts through advanced details.
Table 1: Certificate Types and Validation Levels
Not all certificates are created equal — they differ both in how much the issuer verifies about you and in how many names a single certificate covers. The first three rows trade speed for assurance (a free DV cert issued in minutes versus an EV cert that demands legal and physical checks), while the rest are about coverage: when you reach for a wildcard, a multi-domain SAN cert, or a plain single-domain certificate depends entirely on how your hostnames are laid out.
| Type | Example | Description |
|---|---|---|
| Domain Validated (DV) | Let's Encrypt free certificate | • Validates only domain ownership via automated challenge • no organization identity verification • issued in minutes • suitable for blogs and basic HTTPS |
| Organization Validated (OV) | Certificate showing company name | • Validates domain ownership and organization legal identity • CA verifies business registration • requires 1-3 days • shows organization name in certificate details |
| Extended Validation (EV) | Certificate showing green address bar (legacy) | • Highest validation level with rigorous identity verification • requires legal, physical, and operational checks • historically displayed green bar in browsers (deprecated in modern browsers) • now shows organization name in certificate viewer |
| Wildcard | *.example.com covers api.example.com, shop.example.com | • Single certificate covering all subdomains at one level • uses asterisk notation • does not cover base domain unless listed separately • simplifies multi-subdomain deployments |
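The coverage and validation-level rules in the table, as an added Python example that is not part of this cheat sheet: it checks whether a certificate's SAN names (single, multi-domain, or wildcard) cover a hostname under the RFC 6125 one-label wildcard rule, and classifies DV/OV/EV from the CA/Browser Forum reserved certificatePolicies OIDs with a subject-field fallback. Inputs are constructed lists and dicts standing in for parsed certificate fields; no real certificate is parsed.

```python
"""Hostname matching and validation-level classification for X.509 server
certificates. Constructed example: inputs stand in for parsed cert fields."""
from __future__ import annotations

# CA/Browser Forum reserved certificatePolicies OIDs (publicly defined values).
POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",
    "2.23.140.1.2.2": "OV",
    "2.23.140.1.2.3": "IV",
    "2.23.140.1.1": "EV",
}


def name_matches(san_entry: str, hostname: str) -> bool:
    """Return True if a dNSName SAN entry covers hostname (RFC 6125 rules).

    A wildcard must be the whole left-most label and covers exactly one
    label, so "*.example.com" matches "api.example.com" but neither the
    bare base domain "example.com" nor the deeper "a.b.example.com".
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Refuse over-broad or malformed wildcards such as "*.com" or "*.*.com".
    if len(san_labels) < 3 or "*" in san[2:]:
        return False
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def cert_covers(san_entries: list[str], hostname: str) -> bool:
    """True if any SAN entry (single, multi-domain, or wildcard) covers hostname."""
    return any(name_matches(entry, hostname) for entry in san_entries)


def validation_level(policy_oids: list[str], subject: dict[str, str]) -> str:
    """Classify DV/OV/EV from certificatePolicies, falling back to the subject:
    a DV certificate carries no organization (O) field, OV and EV ones do."""
    for oid in policy_oids:
        if oid in POLICY_OIDS:
            return POLICY_OIDS[oid]
    return "OV" if subject.get("O") else "DV"
```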