A Server Certificate is Domain/Web Site specific

On receipt, the browser automatically checks the certificate for three things:

· Expiration date: Is the certificate still valid?

· Address of the web site: Does the address in the certificate match the web server address?

· Issuer: Can the certificate issuer (for example VeriSign) confirm that the certificate can still be trusted?

The first check is mandatory: without a valid (unexpired) TLS/SSL certificate the encryption does not work.

The second check shows that a server certificate is issued for a specific domain/web site. When a certificate is used on a web address other than the one it was issued for, every client that tries to log in receives a message from the browser warning of a possible security problem. The client can accept the risk and log in anyway over an encrypted connection to the web server.

The browser behaves the same way when the third check fails, so the second and third checks are not mandatory for the encryption to work (most browsers indicate an encrypted connection by means of a lock symbol).
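The three checks described above, carried out over a constructed sample certificate, as an added example that is not part of the original page. The certificates are plain dictionaries standing in for parsed X.509 fields, the trusted issuer name "Example Root CA" is a placeholder, and the outcome model (only the expiry check blocks the encrypted session; a name or issuer mismatch raises a warning the user may accept) follows the page's description rather than any particular browser's current policy. The hostname check also covers wildcard names (`*.example.com`), which the page does not discuss.

```python
from datetime import datetime, timezone

# Constructed trust store: issuer names this client accepts (placeholder, not a real CA).
TRUSTED_ISSUERS = {"Example Root CA"}

# Constructed sample certificate: issued for www.example.com, valid for calendar year 2024.
SAMPLE_CERT = {
    "names": ["www.example.com"],
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "issuer": "Example Root CA",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Second check: does a name in the certificate match the address the browser connected to?

    Comparison is case-insensitive. A wildcard is accepted only as the entire leftmost
    label (``*.example.com``), must cover exactly one label, and may not stand in for a
    top-level domain (``*.com`` never matches).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Whole leftmost label must be the wildcard, at least two fixed labels must follow,
    # and no further wildcard may appear anywhere else in the name.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def validate_certificate(cert: dict, hostname: str, now: datetime, trusted_issuers: set) -> dict:
    """Run the three checks and apply the outcome model described in the text."""
    results = {
        # First check: is the certificate within its validity period?
        "expiry_ok": cert["not_before"] <= now <= cert["not_after"],
        # Second check: was it issued for the web address we are talking to?
        "hostname_ok": any(hostname_matches(name, hostname) for name in cert["names"]),
        # Third check: is the issuer one the client trusts? (Stands in for asking the issuer.)
        "issuer_ok": cert["issuer"] in trusted_issuers,
    }
    # Only the expiry check is mandatory for the encrypted session to be set up.
    results["encryption_possible"] = results["expiry_ok"]
    # A name or issuer mismatch on an otherwise valid certificate produces the browser
    # warning the user may choose to accept.
    results["warning"] = results["expiry_ok"] and not (results["hostname_ok"] and results["issuer_ok"])
    return results


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    # Certificate used on the site it was issued for: no warning, lock symbol shown.
    print("www.example.com :", validate_certificate(SAMPLE_CERT, "www.example.com", now, TRUSTED_ISSUERS))
    # Same certificate reused on another address: encrypted, but the browser warns.
    print("shop.example.com:", validate_certificate(SAMPLE_CERT, "shop.example.com", now, TRUSTED_ISSUERS))
    # Certificate past its expiration date: no encrypted session at all.
    print("expired         :", validate_certificate(SAMPLE_CERT, "www.example.com",
                                                    datetime(2025, 3, 1, tzinfo=timezone.utc), TRUSTED_ISSUERS))
```

Running the block prints the per-check results for a matching address, a reused certificate and an expired one; the `warning` flag is what the text describes as the browser message the client may accept, while `encryption_possible` is false only when the first (mandatory) check fails.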