TLS/SSL Certificate Management for Indian Businesses

TLS/SSL certificates are the backbone of secure communication on the internet — they encrypt data in transit, authenticate your server's identity, and guarantee message integrity. For Indian businesses, a misconfigured or expired certificate does not just break the padlock icon; it triggers browser warnings that destroy conversion rates, exposes customer data to interception, and can constitute a breach of the DPDP Act 2023. This guide explains what TLS actually does, the certificate types you need to know, and the operational controls that prevent outages and failed audits.

What TLS Actually Does — Encryption, Authentication, Integrity

TLS (Transport Layer Security) is the protocol; SSL is its deprecated predecessor, but the term persists colloquially. Three security properties are established during the handshake:

Encryption — Data exchanged between browser and server is encrypted using symmetric session keys. An attacker sniffing the wire sees ciphertext, not plaintext credentials or payment data.

Authentication — The server presents a digital certificate signed by a trusted Certificate Authority (CA). The browser verifies the chain up to a root CA in its trust store, confirming the server is who it claims to be.

Integrity — Every TLS record includes a Message Authentication Code (MAC). Tampering with a single byte causes the MAC check to fail and the connection to close.

Without TLS, any attacker on the same network — hotel Wi-Fi, corporate proxy, ISP — can read and modify traffic in real time.

The TLS Handshake in Plain Terms

graph TD
    A[Client Hello
Supported TLS versions + ciphers] --> B[Server Hello
Chosen cipher + certificate]
    B --> C[Client validates certificate chain]
    C --> D{Chain trusted and cert valid?}
    D -->|Yes| E[Key exchange
Session keys derived]
    E --> F[Encrypted channel established
HTTPS active]
    D -->|Expired cert| G[Browser warning
NET ERR CERT DATE INVALID]
    D -->|Untrusted CA| H[Browser blocks connection
NET ERR CERT AUTHORITY INVALID]

    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style F fill:#1e3d2f,stroke:#10B981,color:#e2e8f0
    style G fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
    style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0

In TLS 1.3 (the current standard), this handshake completes in one round trip, reducing latency compared to TLS 1.2. NIST SP 800-52 Rev. 2 mandates TLS 1.2 as the floor for US federal systems and recommends TLS 1.3 — the same guidance is widely adopted as a baseline by security-conscious organisations globally.

Certificate Types — Which One Does Your Business Need

Not all certificates are equal. The type you choose affects validation depth, browser trust indicators, and what domains are covered.

Certificate Type	Validation Level	What Gets Verified	Best For
DV (Domain Validated)	Low	Domain ownership only	Internal tools, blogs, dev environments
OV (Organisation Validated)	Medium	Domain + legal business identity	Customer-facing web apps, SaaS portals
EV (Extended Validation)	High	Rigorous legal + physical entity check	Payment gateways, banking, high-trust portals
Wildcard	DV or OV	One domain + all subdomains	`*.bachao.ai` — covers app, api, admin
SAN / Multi-domain	DV, OV, or EV	Multiple distinct domains in one cert	Companies running several products under one cert

ℹ️

INFO

EV certificates no longer show the green company name bar in modern browsers (Chrome removed it in 2019). The OV/EV distinction now matters more for internal security posture and compliance attestation than for visible UI cues.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

The Certificate Authority Trust Model

Every browser and OS ships with a list of trusted root Certificate Authorities — around 150 globally. When your server presents a certificate, the browser walks the chain: Leaf cert → Intermediate CA → Root CA. If every signature in that chain is valid and the root is in the trust store, the connection proceeds.

The CA/Browser Forum (CABForum) governs the rules CAs must follow — certificate lifetimes, validation procedures, revocation requirements. Their Baseline Requirements are publicly available and are the reason your cert issuer cannot simply claim to verify your identity without actually doing so.

Chain of trust failures are a common misconfiguration: you install your leaf certificate but forget to include the intermediate CA certificate. The browser cannot complete the chain and throws an error — even though your cert itself is perfectly valid.

⚠️

WARNING

Always install the full certificate chain — leaf + all intermediates. Omitting intermediates is the single most common SSL installation error and causes intermittent failures that are hard to reproduce locally because the browser may have cached the intermediate from a previous session.

Why Expired and Misconfigured Certs Cause Real Damage

An expired certificate is not a minor inconvenience. Modern browsers display full-page blocking warnings with no easy bypass on mobile. For an Indian e-commerce or fintech site, even 30 minutes of such a warning during peak hours means abandoned carts and support tickets.

Beyond UX, misconfigured TLS creates direct security exposure:

TLS 1.0 / 1.1 — Both are deprecated by the CABForum and disabled by default in all major browsers since 2020. If your server still negotiates these versions for legacy clients, you expose users to POODLE, BEAST, and related downgrade attacks.
Weak cipher suites — RC4, DES, 3DES, and anonymous cipher suites provide little or no real security. NIST SP 800-52 Rev. 2 provides an approved cipher suite list. Any VAPT or SSL scan will flag these immediately.
Missing HSTS (HTTP Strict Transport Security) — Without the Strict-Transport-Security header, a user who types your domain without https:// is briefly vulnerable to SSL stripping attacks. HSTS tells the browser to always use HTTPS, even for the first request.
Mixed content — Serving HTTPS pages that load HTTP sub-resources (images, scripts, fonts) downgrades the security of the page and causes browser console warnings that erode the trust signal of your HTTPS padlock.
Self-signed certificates on production — Bypass CA validation entirely and expose users to trivial impersonation.

pie title Common TLS Misconfigurations Found in SMB Scans
    "Missing or incomplete cert chain" : 30
    "Expired or near-expiry certificates" : 25
    "Weak cipher suites or old TLS versions" : 22
    "Missing HSTS header" : 14
    "Mixed content issues" : 9

🚨

DANGER

Running TLS 1.0 or TLS 1.1 on a production server that processes payment card data is a PCI-DSS violation. PCI-DSS v4.0 requires TLS 1.2 as the minimum; TLS 1.3 is strongly recommended.

43%Increase in web application attacks targeting India-based businesses (CERT-In Annual Report 2023)

90 daysMaximum certificate validity issued by Let's Encrypt — driving automated renewal adoption (Let's Encrypt 2024)

Automation with ACME and Let's Encrypt

The industry is moving decisively toward short-lived certificates. Let's Encrypt pioneered 90-day certificates. In March 2025, the CA/Browser Forum passed Ballot SC-081, which phases down maximum certificate validity to 47 days by March 2029. The rationale is simple: shorter validity limits the window of exposure if a private key is compromised and revocation cannot happen quickly. If you rely on manually renewed annual certificates today, the industry is mandating automation by the end of the decade.

The ACME protocol (Automatic Certificate Management Environment, RFC 8555) is the standard mechanism for automating certificate issuance and renewal. Let's Encrypt is the most widely used ACME CA. Certbot, acme.sh, and Caddy all implement ACME clients that:

Prove domain control to the CA (DNS-01 or HTTP-01 challenge).
Request a certificate.
Install it automatically.
Schedule renewal before expiry (typically at 60 days remaining for a 90-day cert).

For organisations running on Nginx or Apache, Certbot can handle the full cycle. For cloud-native stacks, AWS Certificate Manager (ACM) and Google-managed certificates offer fully automated renewal with zero operational overhead.

💡

TIP

Even if you use a paid OV or EV certificate for your primary domain, use Let's Encrypt (free, automated) for internal tools, staging environments, and any subdomain that does not carry brand trust weight. Reducing the number of manually managed certificates is the fastest way to eliminate expiry-induced outages.

Certificate Inventory and Expiry Monitoring

Organisations with more than a handful of domains frequently lose track of certificates installed by team members who have since left. A certificate expiring silently at 2 AM is entirely preventable.

Practical controls:

Centralised inventory — One record per certificate: domain, issuer, expiry date, owner, auto-renewal status.
Expiry alerts — Alerts at 60 days, 30 days, and 7 days. AWS CloudWatch, GCP, and Azure all support this natively.
Certificate Transparency monitoring — Every public CA logs issued certificates to CT logs. Monitoring these logs for your domain alerts you to unauthorised issuance — an early signal of domain hijacking.
Automated TLS scans — Periodic scanning validates more than expiry: cipher suites, protocol version support, HSTS, OCSP stapling, and chain completeness in a single pass.

CAA Records — Often Overlooked, Highly Effective

Certification Authority Authorization (CAA) is a DNS record type (RFC 8659) that specifies which CAs are authorised to issue certificates for your domain. Every CA is required by CABForum Baseline Requirements to check the CAA record before issuance.

A minimal CAA record set:

bachao.ai.  CAA  0 issue "letsencrypt.org"
bachao.ai.  CAA  0 issuewild "sectigo.com"
bachao.ai.  CAA  0 iodef "mailto:ceo@bachao.ai"

Only Let's Encrypt can issue standard certs; only Sectigo can issue wildcards. Any other CA is blocked. The iodef field triggers an email to your security team on a policy violation. CAA records are free to configure and provide meaningful protection against CA misissuance and domain hijacking.

How TLS Issues Surface in a VAPT

A professional VAPT engagement always includes an SSL/TLS configuration review as part of the network and application security assessment. A VAPT scan of your public endpoints will typically check and report on:

Certificate expiry and validity
Full chain installation
Supported TLS protocol versions (flagging 1.0 and 1.1)
Cipher suite strength (flagging RC4, DES, 3DES, export-grade ciphers)
Key length (RSA 2048-bit minimum; 4096-bit recommended; ECDSA P-256 or P-384 preferred)
HSTS presence and max-age value
OCSP stapling configuration
Mixed content warnings
CAA record configuration
Certificate Transparency compliance

The findings map directly to remediation tasks your engineering team can execute — usually within a single sprint. Running a free VAPT scan gives you a prioritised view of TLS gaps across your public attack surface before a real attacker finds them.

Bachao.AI, built by Dhisattva AI Pvt Ltd (DPIIT Recognised Startup), automates this layer of TLS and SSL configuration assessment as part of every scan, giving Indian SMBs a clear remediation list without the need to interpret raw scanner output.

For more on securing your web infrastructure and staying compliant with Indian data protection requirements, explore the Bachao.AI blog or see how DPDP-related obligations intersect with certificate and encryption controls at our DPDP compliance guide.

TLS Configuration Baseline Checklist

Control	Minimum	Recommended
TLS version	TLS 1.2	TLS 1.3 only
Key algorithm	RSA 2048-bit	ECDSA P-256
Cipher suites	NIST SP 800-52 approved	Forward secrecy only
Certificate validity	DV 90-day auto-renewed	OV/EV for customer-facing
HSTS max-age	6 months	1 year + preload
OCSP stapling	Enabled	Enabled
CAA records	Configured	Configured with iodef
CT log monitoring	Quarterly check	Continuous alerting
Expiry alerts	30 days	60 + 30 + 7 days
Chain completeness	Full chain installed	Verified via external check

External references:

NIST SP 800-52 Rev. 2 — Guidelines for the Selection, Configuration, and Use of TLS
Mozilla SSL Configuration Generator — generates server config for Nginx, Apache, HAProxy, and others based on modern best practices.

🎯Key Takeaway

An expired or misconfigured TLS certificate is not a cosmetic problem — it is a security event. Automate renewal, enforce TLS 1.2 minimum (TLS 1.3 preferred), deploy HSTS, publish CAA records, and run periodic SSL configuration scans. For Indian businesses under DPDP Act obligations, encrypted-in-transit is a baseline control, not an optional hardening step.

Frequently Asked Questions

What is the difference between SSL and TLS?

SSL (Secure Sockets Layer) is the predecessor to TLS (Transport Layer Security). All SSL versions and TLS 1.0/1.1 are deprecated and cryptographically broken. When people say "SSL certificate" today, they mean a TLS certificate — the underlying certificate format is the same, but your server should only negotiate TLS 1.2 or TLS 1.3.

How often should I renew my TLS certificate?

It depends on your issuance method. Let's Encrypt certificates last 90 days and should be renewed automatically at around 60 days remaining. Paid DV/OV certificates typically last one year. The CA/Browser Forum is moving toward shorter maximum lifetimes industry-wide, so automating renewal via ACME is the most resilient long-term approach regardless of certificate type.

What happens if my TLS certificate expires?

Modern browsers display a full-page blocking warning — not a dismissible banner — when they encounter an expired certificate. Users on mobile cannot easily bypass this. The practical effect is that your site becomes unreachable to most users until the certificate is renewed and the server restarted.

Do I need an EV certificate for my Indian business website?

Not necessarily. EV certificates no longer display a green company name bar in Chrome or Firefox. For most SMBs, an OV certificate provides appropriate authentication (your organisation's identity is verified) without the additional cost and re-validation cycle of EV. EV is worth the overhead for high-value targets like payment gateways and banking portals where the additional vetting provides compliance attestation value.

What is HSTS and why does it matter?

HTTP Strict Transport Security (HSTS) is a response header that instructs the browser to always connect to your domain over HTTPS, even if the user types http:// or follows an HTTP link. Without HSTS, an attacker on the network can intercept the initial HTTP request and downgrade it before HTTPS is ever negotiated — a technique called SSL stripping. HSTS eliminates this attack vector for returning visitors.

How does a VAPT scan help with TLS/SSL security?

A VAPT scan checks your live endpoints against a comprehensive TLS configuration baseline — expired certs, weak ciphers, old protocol versions, missing HSTS, incomplete chains, CAA record gaps. It produces a prioritised finding list with remediation guidance, so your team knows exactly what to fix and in what order, without manually decoding raw scanner output.

TLS/SSL Certificate Management for Indian Businesses

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.