SSL Authentication Activation Guide
In this guide, you'll learn how SSL authentication works, why it's critical, and how to enable it in both servers and application code. You will also see chain validation, CA trust, browsers' checking process, CLI tools, and solutions to common errors.
What Will You Learn in This Guide?
- Basic logic of SSL verification
- Why the certificate chain is important
- How browsers perform verification
- Manual testing with OpenSSL and curl
- Validation in Python and Node.js
- Self-signed certificate security
- Best SSL security practices
- Common errors and solutions
1. What is SSL Authentication?
SSL authentication is the security process that proves that the server the client is connecting to is actually the correct server. In this process, the client checks that the certificate:
- Is valid
- Is signed by a trusted CA
- Contains the correct domain name
- Has a complete chain
- Has not expired
- Has not been revoked

If any check fails, the connection is dropped and an error occurs:
```
SSL: CERTIFICATE_VERIFY_FAILED
```
2. Why Is SSL Verification Critical?
- Authentication: The server is not spoofed.
- MITM Protection: The intruder is blocked.
- Chain of Trust: The certificate comes from a trusted CA.
- Data Integrity: Data is transmitted without modification.
Encryption protects the data, while authentication verifies who it is sent to.
The two together provide complete security.
SSL Verification Steps
1. CA (Certificate Authority) Verification
The browser checks whether the CA that signed the certificate is trustworthy.
Example trusted CAs:
- Let's Encrypt
- DigiCert
- GlobalSign
2. Domain Matching
The CN or SAN fields on the certificate must match the site's domain name.
For api.ornek.com the certificate must contain api.ornek.com.
3. Certificate Chain Verification
Verification follows this order:
Leaf Certificate → Intermediate CA → Root CA
If the intermediate CA is missing, the client cannot complete the chain.
Example chain table:
| Layer | Purpose | Example |
|---|---|---|
| Root CA | Foundation of trust | DigiCert Root |
| Intermediate CA | Signs leaf certificates | Let's Encrypt R3 |
| Leaf (Server) | Certificate installed on the server | example.com |
4. Validity Period and Revocation Check
The certificate must be within its validity dates.
Revocation status can be checked with OCSP and CRL.
How Does the Certificate Chain Work?
If the chain is not sent in full, many devices will interpret the certificate as invalid.
That's why fullchain.pem is used in the Nginx/Apache configuration.
The client verifies the chain as follows:
- Receives the leaf certificate
- Finds the intermediate CA certificate
- Builds a chain of trust up to the root CA
- If the chain is complete, verification is successful
2. How Do Browsers Perform SSL Verification?
The browser's HTTPS flow:
- DNS resolution is performed.
- A TCP connection to the server is established.
- The TLS handshake starts.
- The certificate chain is obtained.
- The CA signature is checked.
- The domain name is matched.
- Revocation can be checked with OCSP/CRL.
- If all steps pass, the page loads.

In case of error:
- Chrome: ERR_CERT_COMMON_NAME_INVALID
- Firefox: SEC_ERROR_UNKNOWN_ISSUER
SSL Authentication with CLI
1. Chain Check with OpenSSL
```bash
openssl s_client -connect ornek.com:443 -servername ornek.com -showcerts
```
This command shows the certificate chain sent by the server.
1.2 HTTPS Authentication with curl
```bash
curl -v https://ornek.com
```
This command shows the TLS handshake in detail.
1.3 Local Certificate Verification
```bash
openssl verify -CAfile zincir.pem sunucu.pem
```
This command verifies the certificate against the chain file.
2. SSL Authentication vs SSL Encryption
| Feature | Verification | Encryption |
|---|---|---|
| Purpose | Verifies server | Hides data |
| Stage | During handshake | After the connection is established |
| Protection | MITM attacks | Eavesdropping |
| Requirement | CA chain | Strong TLS protocol |
2.1 SSL Authentication in Code
2.1.1 Python – Requests
```python
import requests

# Certificate verification is on by default (verify=True).
resp = requests.get("https://api.ornek.com", timeout=10)
print(resp.status_code)
```
The Requests library performs SSL authentication by default.
Node.js – Axios
```javascript
const axios = require('axios');
const https = require('https');

// rejectUnauthorized: true rejects any certificate that fails verification.
const agent = new https.Agent({ rejectUnauthorized: true });

function makeSecureRequest() {
  axios.get('https://api.ornek.com', { httpsAgent: agent })
    .then(res => console.log("Başarılı:", res.status))
    .catch(err => console.error("Hata:", err.message));
}

makeSecureRequest();
```
rejectUnauthorized: true enforces certificate verification.
2. Self-Signed Certificates
- They should only be used on internal networks.
- A CA-signed certificate is required for production.
- The certificate must be manually added to clients as a trusted CA.
2.2 Common SSL Authentication Errors and Solutions
| Error | Reason | Solution |
|---|---|---|
| CERTIFICATE_VERIFY_FAILED | Missing intermediate CA | Use fullchain |
| curl (60) | Expired certificate | Renew |
| Hostname mismatch | CN/SAN incorrect | New certificate |
| Unknown issuer | Untrusted CA | Change CA |
| OCSP error | Revocation server down | OCSP stapling |
2.3 SSL Security Best Practices
- Use a trusted CA
- Auto-renew
- Require TLS 1.2+
- Install fullchain.pem
- Enable the HSTS header
- Run regular SSL tests
- Keep the server updated
2.4 SSL: How to Fix CERTIFICATE_VERIFY_FAILED Error?
This error occurs when the client cannot verify the server's SSL certificate.
The reasons and solutions are below.
- Certificate Validity Period Check
```bash
openssl x509 -in sunucu.crt -noout -dates
```
If the certificate has expired, it must be renewed.
- Certificate Not Trusted
```bash
openssl x509 -in sunucu.crt -noout -issuer
```
If the CA is not trusted, get a new certificate from Let's Encrypt or a commercial CA.
- Domain Name Is Not Correct
```bash
openssl x509 -in sunucu.crt -noout -subject -ext subjectAltName
```
The CN or SAN fields must match the domain. The -subject option prints the CN and -ext subjectAltName prints the SAN entries (-ext requires OpenSSL 1.1.1 or later).
- Intermediate CA Missing
```bash
openssl s_client -connect site.com:443 -servername site.com
```
If there is no intermediate CA in the output, install fullchain.pem.
- Certificate Revoked
```bash
openssl ocsp -issuer ca.crt -cert sunucu.crt -url http://ocsp.ornek.com
```
If it has been revoked, a new certificate must be obtained.
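The checks above can be combined into one diagnostic. This added example (not part of the original guide) attempts a fully verified handshake with Python's ssl module and maps OpenSSL's verify code to the causes listed in this section; the function names and the wording of the causes are illustrative, while the numeric codes are OpenSSL's X509_V_ERR_* values.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes mapped to the causes and fixes listed above.
# The wording of each cause/fix is this example's own, not OpenSSL's.
CAUSES = {
    9: ("certificate is not yet valid", "check the dates and the client clock"),
    10: ("certificate has expired", "renew the certificate"),
    18: ("self-signed certificate", "use a CA-signed certificate or add it to the trust store"),
    19: ("self-signed certificate in the chain", "trust the issuing CA explicitly or change CA"),
    20: ("issuer not found in the trust store", "serve fullchain.pem; update the client CA store"),
    21: ("leaf cannot be linked to an issuer", "serve fullchain.pem (intermediate CA missing)"),
    23: ("certificate has been revoked", "obtain a new certificate"),
    62: ("hostname does not match CN/SAN", "issue a certificate that lists this hostname"),
}


def explain(verify_code):
    """Return (cause, fix) for an OpenSSL verify code."""
    return CAUSES.get(verify_code, ("unrecognised verification error", "read verify_message"))


def diagnose(host, port=443, timeout=10):
    """Attempt a fully verified TLS handshake and report why it failed, if it did."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname checking
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version()}
    except ssl.SSLCertVerificationError as err:
        cause, fix = explain(err.verify_code)
        return {"ok": False, "code": err.verify_code,
                "openssl_message": err.verify_message, "cause": cause, "fix": fix}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(diagnose(sys.argv[1]))  # e.g. python diagnose.py api.ornek.com
    else:
        for code in (10, 20, 62):  # offline demonstration of the mapping
            print(code, *explain(code))
```

Revocation (code 23) is only reported when the context has CRL checking enabled; a default context does not check revocation.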
| Feature | Verification | Encryption |
|---|---|---|
| Purpose | Authentication | Data hiding |
| Protection | MITM attacks | Data theft |
| Requirement | CA chain | Strong encryption |
| Stage | During handshake | After the connection is established |
These two technologies work together to provide complete security.
3.2 Online SSL Testing Tools
- SSL Labs: provides complete SSL testing: https://www.ssllabs.com/ssltest/
- DigiCert SSL Checker: detects installation errors: https://www.digicert.com/help/

These tools reveal many problems, such as:
- Chain errors
- Weak cipher suites
- Protocol incompatibilities
- HSTS deficiencies
3.1 Enforce SSL Authentication in Application Code
Python — validation on (default)
```python
import requests

resp = requests.get("https://api.ornek.com", timeout=10)
print(resp.status_code)
```
verify=True is active by default. If the certificate is invalid, the request will fail.
3.1.1 Node.js — SSL authentication required
```javascript
const axios = require('axios');
const https = require('https');

const agent = new https.Agent({ rejectUnauthorized: true });

axios.get("https://api.ornek.com", { httpsAgent: agent })
  .then(res => console.log("Başarılı:", res.status))
  .catch(err => console.error("Hata:", err.message));
```
rejectUnauthorized ensures certificate verification.
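Enforcement only holds if nothing in the code base switches verification back off. The following added example (not part of the original guide) is a small scanner that flags lines disabling certificate verification in the tools this guide covers: Requests, Python's ssl module, Node.js and curl. The rule names and sample lines are constructed for illustration, and the patterns are heuristics rather than a full parser.

```python
import re

# Patterns that switch certificate verification off.
PATTERNS = [
    ("python-requests verify=False", re.compile(r"\bverify\s*=\s*False\b")),
    ("python ssl unverified context", re.compile(r"_create_unverified_context|\bCERT_NONE\b")),
    ("node rejectUnauthorized: false", re.compile(r"rejectUnauthorized\s*:\s*false\b")),
    ("node NODE_TLS_REJECT_UNAUTHORIZED=0",
     re.compile(r"NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['\"]?0")),
    # Matches -k alone or bundled with other short options (-sk), and --insecure.
    ("curl -k / --insecure",
     re.compile(r"\bcurl\b.*\s(-[A-Za-z]*k[A-Za-z]*|--insecure)(\s|$)")),
]


def scan(text):
    """Return (line_number, rule, line) for every line that disables verification."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, rule, line.strip()))
    return findings


# Constructed sample input: lines 2, 4, 5 and 7 disable verification.
SAMPLE = """\
resp = requests.get("https://api.ornek.com", timeout=10)
resp = requests.get("https://api.ornek.com", verify=False)
const agent = new https.Agent({ rejectUnauthorized: true });
const agent = new https.Agent({ rejectUnauthorized: false });
process.env.NODE_TLS_REJECT_UNAUTHORIZED = "0";
curl -v https://ornek.com
curl -sk https://ornek.com
"""

if __name__ == "__main__":
    for lineno, rule, line in scan(SAMPLE):
        print(f"line {lineno}: {rule}: {line}")
```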
3.1.2 Using Self-Signed Certificates Securely
Self-signed certificates should be used only:
- In test environments
- On internal networks
- On development machines

For safe use:
- Add the certificate to the clients' CA store.
- Use TLS 1.2+.
- Renew the certificate regularly.
- Notify users.

A CA-signed certificate must be used in the production environment.
4. Best SSL Security Practices
1. Use a certificate from a CA: choose Let's Encrypt or a commercial CA.
2. Automatically renew certificates: use mechanisms such as Certbot renew.
3. Enable TLS 1.2 or 1.3: disable older versions (TLS 1.0, 1.1, SSLv3).
4. Install fullchain.pem: a missing intermediate CA is the most common error.
5. Use HSTS: it forces connections to the server to always use HTTPS.
6. Enable OCSP stapling: it increases performance and reliability.
7. Perform regular SSL tests: use the SSL Labs and DigiCert tools.
| Error Code | Reason | Solution |
|---|---|---|
| CERTIFICATE_VERIFY_FAILED | Chain missing | Install fullchain |
| curl: (60) | Self-signed / expired | New certificate |
| SSLHandshakeException | The domain name is incorrect | Correct CN/SAN |
| Unknown issuer | Untrusted CA | Use a trusted CA |
| Peer verification failed | Outdated trust store | OS update |
| Mixed content | HTTP resources | Replace with HTTPS |
Advanced FAQ
1. Why does SSL verification fail?
Most common cause: missing intermediate CA chain.
2. Is it safe to use curl -k or verify=False?
No. It opens the door to MITM attacks.
3. Can a self-signed certificate be used in the outside world?
No. Only in testing and internal systems.
4. What happens if the chain is missing?
The browser cannot reach the root CA and returns an error.
5. Will the service be interrupted when renewing the certificate?
With the correct configuration, there will be no downtime.
6. Can SSL verification be disabled?
Yes, but it is very dangerous. It opens the door to MITM attacks.
7. How can I view the certificate chain?
```bash
openssl s_client -connect site.com:443 -showcerts
```
8. Why does verification work on some devices and not on others?
On older devices, the CA store is outdated.
9. What is HSTS?
It forces the browser to use HTTPS instead of HTTP.
10. Is Let's Encrypt secure?
Yes. It is the most used CA in the world.
Conclusion
SSL authentication is the fundamental building block of secure communication. In this guide, you learned the entire process, from CA checks to chain verification, and from application code to CLI commands. Secure connection → Strong user experience. Well-configured SSL is the foundation of every project.
Build your certificate chain correctly, keep your authentication active, and strengthen your TLS configuration with modern protocols. You can quickly apply these configurations on GenixNode servers for a secure infrastructure.

