The Complete Explanation
SSL Certificates Explained: What Hosts Provide and What You Need
From padlock to protocol — everything you need to understand about HTTPS, certificate types, and how to get SSL right
The small padlock icon in your browser’s address bar represents one of the most important security technologies on the modern web. Behind it sits an SSL certificate — a digital credential that encrypts the connection between a visitor’s browser and your web server, and that tells the world your site is legitimate.
For anyone who owns or manages a website, SSL is no longer optional. Google penalises sites without it in search rankings. Major browsers display active warnings on non-HTTPS pages. And visitors — rightly — don’t trust sites that show “Not Secure” in the address bar. SSL is table stakes.
But SSL also generates a significant amount of confusion. What type of certificate do you need? Does the free one your host provides work as well as a paid certificate? What happens if it expires? Why does your site still show warnings even after you installed one? This guide answers all of it — clearly and completely.
1. What SSL Actually Is
SSL stands for Secure Sockets Layer. Despite being technically superseded by a newer protocol called TLS (Transport Layer Security), the term “SSL” has stuck in everyday usage — when people say SSL, they almost always mean TLS. The two terms are used interchangeably in practice, including by hosting providers, browsers, and the security industry.
An SSL certificate is a digital document issued by a trusted third party called a Certificate Authority (CA). It does two things: it enables encrypted communication between a browser and a server, and it provides a level of identity verification — confirming that the website you’re connecting to is actually operated by who it claims to be.
What SSL Protects Against
When a connection is not encrypted (plain HTTP), data travels between the browser and the server in plain text. Anyone positioned between those two points — an ISP, a malicious actor on a public Wi-Fi network, or a government-level surveillance system — can read that data directly. Passwords, credit card numbers, personal messages: all visible.
SSL/TLS encryption scrambles that data using mathematical keys. Even if intercepted, encrypted data is computationally infeasible to decrypt without the correct private key — which only your server holds.
When you see the padlock in your browser’s address bar, it means three things: the connection is encrypted, the certificate was issued by a trusted Certificate Authority, and the certificate is currently valid. Click the padlock on any HTTPS site and your browser will show you the certificate details — who issued it, who it was issued to, and when it expires.
Certificate Authorities: Who Issues SSL Certificates
A Certificate Authority is an organisation trusted by browsers and operating systems to vouch for the identity of websites. Browsers ship with a built-in list of trusted CAs. When your browser connects to an HTTPS site, it checks whether the site’s certificate was signed by one of those trusted CAs — if yes, the padlock appears; if not, a warning is shown.
Major CAs include Let’s Encrypt (the free CA), DigiCert, Sectigo, Comodo, and GlobalSign. Let’s Encrypt, launched in 2016, is now the most widely used CA in the world — it issues hundreds of millions of free certificates and is the backbone of most hosting-included SSL.
2. How HTTPS Works — The Handshake Explained
When your browser connects to an HTTPS website, a process called the TLS handshake takes place before any page content is transferred. This handshake establishes the encrypted connection, and it all happens in milliseconds.
The TLS handshake — from initial connection to encrypted data transfer — completes in under 100ms
The Handshake Step by Step
- Client Hello — Your browser sends a message to the server listing the TLS versions and cipher suites it supports.
- Server Hello — The server responds, selecting a TLS version and cipher suite, and sends its SSL certificate.
- Certificate verification — Your browser checks the certificate against its list of trusted CAs, verifies it hasn’t expired, and confirms it matches the domain you’re connecting to.
- Key exchange — Browser and server use asymmetric cryptography to agree on a shared session key without transmitting it directly.
- Session established — All subsequent communication is encrypted with the shared session key using fast symmetric encryption.
The latest protocol version, TLS 1.3, reduces the handshake to a single round-trip (versus two in TLS 1.2), cutting connection setup time roughly in half. Most modern hosting providers and CDNs support TLS 1.3 — it’s worth confirming your host does, since it’s a meaningful performance improvement especially on mobile connections.
3. The Three Types of SSL Certificate
SSL certificates come in three validation levels. The encryption they provide is identical — the difference is in how thoroughly the issuing CA has verified the identity of the organisation or individual requesting the certificate. Choosing the right type depends on what your site does and who your audience is.
| | Domain Validated (DV) | Organisation Validated (OV) | Extended Validation (EV) |
|---|---|---|---|
| Verification | Domain ownership only | Domain + business identity | Full legal entity vetting |
| Issued in | Minutes | 1–3 days | 1–5 business days |
| Cost | Free (Let’s Encrypt) | $50–$200/year | $150–$400/year |
| Browser indicator | Padlock only | Padlock only | Padlock + org name (some browsers) |
| Best for | Blogs, portfolios, small sites | Business sites, SaaS, agencies | Banks, eCommerce, enterprise |
Domain Validated (DV) — What Most Websites Use
A DV certificate is issued after the CA verifies only that you control the domain — nothing about who you are as a person or organisation. The CA sends a verification email to a standard address like [email protected], or validates via a DNS record or file placed on your server. The whole process is automated and often completes in minutes.
The encryption provided by a DV certificate is identical to OV or EV. For the vast majority of websites — blogs, portfolios, informational sites, small businesses — a DV certificate is completely appropriate. This is what Let’s Encrypt issues, and what most hosting providers include free with every plan.
Organisation Validated (OV) — For Established Businesses
An OV certificate requires the CA to verify that your organisation actually exists as a registered legal entity, that the domain belongs to that organisation, and that the person requesting the certificate is authorised to do so. This process takes days and requires documentation.
The padlock in the browser looks identical to DV — the difference is that the certificate itself contains verified organisation information, which a technically savvy visitor can inspect by clicking the padlock. OV certificates signal a higher level of legitimacy and are appropriate for established businesses that want to provide additional assurance.
Extended Validation (EV) — The Highest Standard
EV certificates involve the most rigorous vetting — the CA verifies legal existence, physical location, operational status, and that the applicant has exclusive right to the domain. This used to trigger a green address bar with the company name displayed in browsers, though modern browsers have largely removed this visual distinction.
EV certificates are appropriate for banks, large eCommerce operations, and enterprises where the highest level of verified trust matters. For most websites, the additional cost and complexity of EV provides limited practical benefit over a well-maintained DV certificate.
Chrome and Firefox removed the green EV address bar display in 2019, citing research showing that users didn’t meaningfully interpret it as a trust signal. Today, EV certificates still contain more verified information, but the visual experience in most browsers is now identical to DV — just a padlock. This has significantly reduced the practical benefit of EV for most organisations.
4. What Hosting Providers Include
Understanding exactly what SSL your hosting provider gives you — and what it doesn’t — is essential for making sure your site is properly secured without overpaying for something you don’t need.
The Standard: Free Let’s Encrypt via cPanel
The majority of shared hosting providers now include free DV SSL certificates via Let’s Encrypt, typically managed through cPanel or their own custom control panel. These certificates are:
- Valid for 90 days and automatically renewed by the host
- Issued for your root domain and the www subdomain
- Fully trusted by all major browsers
- Functionally equivalent in encryption strength to paid certificates
For most websites — including small businesses, blogs, portfolios, and informational sites — this is everything you need. There is no meaningful security difference between a free Let’s Encrypt certificate and a paid DV certificate from DigiCert or Sectigo.
| What Hosts Typically Include | What You May Need to Add |
|---|---|
| Free DV SSL for main domain and www | Wildcard SSL (covers all subdomains) |
| Auto-renewal managed by the host | OV or EV certificate for business trust |
| Basic HTTPS redirect configuration | Multi-domain (SAN) certificate for multiple domains |
| SSL for subdomains (varies by host) | Custom SSL certificate from a specific CA |
| Let’s Encrypt certificate management | Extended validity period (paid certs last 1–2 years) |
Cloudflare’s Free SSL — A Different Approach
If you’re using Cloudflare in front of your hosting (which we recommend), Cloudflare provides its own free SSL layer between visitors and Cloudflare’s edge network. This is separate from the certificate on your origin server. For complete end-to-end encryption, you need SSL on both Cloudflare and your origin server — Cloudflare calls this “Full (Strict)” mode, and it’s what you should use.
Paid SSL Certificates From Your Host
Many hosts offer paid SSL certificate upgrades — typically OV or EV certificates, or longer-validity paid DV certificates. These are almost always optional and marketed as premium add-ons. For most websites, they are unnecessary. The main legitimate reasons to pay for SSL are:
- You need an OV or EV certificate for regulatory compliance or enterprise trust requirements
- You need a wildcard certificate to cover many subdomains (though Let’s Encrypt also issues free wildcards)
- You need a multi-domain (SAN) certificate covering many different domains on a single certificate
Some hosting providers upsell paid SSL certificates aggressively, framing them as superior to the free Let’s Encrypt option. In most cases this is unnecessary. The encryption is identical. For a blog, portfolio, small business site, or informational site, the free certificate your host provides is completely sufficient.
5. Free vs. Paid SSL: Does It Matter?
This is the question most site owners have, and the honest answer is: for most websites, no — the free certificate is fine. Here’s a clear comparison of what actually differs.
What Is Identical
- Encryption strength — Free and paid DV certificates both use 256-bit encryption and are cryptographically equivalent.
- Browser trust — Let’s Encrypt is trusted by every major browser and operating system. No visitor sees any difference.
- SEO treatment — Google treats HTTPS identically whether the certificate is free or paid.
- Padlock display — Both show the same padlock icon in the browser address bar.
What Actually Differs
- Validity period — Let’s Encrypt certificates are valid for 90 days (auto-renewed by your host). Paid certificates can be valid for up to 13 months, with manual renewal required.
- Identity verification — Paid OV and EV certificates verify your organisation’s identity. Free DV certificates verify only domain ownership.
- Warranty — Paid certificates often include a warranty against mis-issuance (typically $10,000–$1.75M). This protects against the CA’s error, not yours, and is rarely relevant in practice.
- Wildcard and multi-domain — Let’s Encrypt does issue free wildcards and multi-domain certificates, but paid options are sometimes simpler to manage at scale.
- Customer support — Paid CA providers offer direct support. Let’s Encrypt is automated with community support only.
Use the free Let’s Encrypt certificate your host provides. If your host doesn’t include one, add Cloudflare for free (it takes 10 minutes and gives you SSL plus performance and security benefits). Only consider a paid certificate if you have a specific business requirement — OV for verified organisational identity, EV for regulatory compliance, or a multi-domain cert for complex infrastructure.
6. Wildcard and Multi-Domain Certificates
Standard SSL certificates cover a single domain and its www subdomain. But many websites use multiple subdomains or operate multiple domain names — and for those situations, two specialised certificate types exist.
Wildcard Certificates
A wildcard certificate covers a domain and all of its first-level subdomains with a single certificate. The wildcard is represented by an asterisk: *.yoursite.com covers blog.yoursite.com, shop.yoursite.com, api.yoursite.com, and any other first-level subdomain you create — without needing separate certificates for each.
Wildcard certificates are valuable when you:
- Run multiple subdomains that need HTTPS (a common pattern for SaaS products)
- Need to add new subdomains frequently without re-issuing certificates
- Want centralised certificate management instead of tracking multiple expiry dates
Let’s Encrypt issues free wildcard certificates via the ACME DNS challenge — a DNS-based verification method. Most cPanel hosts and Cloudflare can automate this for you. Alternatively, paid wildcard certificates from commercial CAs typically cost $80–$300/year.
A wildcard for *.yoursite.com does NOT cover api.v2.yoursite.com — that is a second-level subdomain and requires its own certificate or a second wildcard for *.v2.yoursite.com. This catches many people out when building nested subdomain structures.
Multi-Domain (SAN) Certificates
A multi-domain certificate — also called a SAN (Subject Alternative Names) certificate or UCC (Unified Communications Certificate) — covers multiple completely different domain names on a single certificate. For example, one certificate might cover yoursite.com, yoursite.co.uk, yourbrand.com, and app.yoursite.com.
Multi-domain certificates are useful for agencies managing multiple client domains, businesses with several brand domains, or any scenario where you want one certificate to handle many domains for operational simplicity. They’re almost always paid certificates (starting around $60/year), since Let’s Encrypt normally issues separate certificates per domain (though certain ACME clients can list multiple SANs on a single Let’s Encrypt certificate).
7. How to Install SSL on Your Site
The installation process varies depending on your hosting setup. Here are the most common scenarios.
Shared Hosting with cPanel (Most Common)
- Log in to cPanel and navigate to SSL/TLS or the Security section
- Look for Let’s Encrypt SSL or AutoSSL — most cPanel hosts have one-click issuance
- Select your domain and issue the certificate — it activates within minutes
- Install the Really Simple SSL plugin on WordPress (or manually add HTTPS redirects) to ensure all traffic is redirected to https://
- Test by visiting your site with https:// — you should see the padlock
Hostinger, Kinsta, WPX and Modern Hosting Dashboards
Most modern hosting dashboards handle SSL completely automatically. When you add a domain to your hosting account, the SSL certificate is issued and activated within minutes without any action required on your part. Check your provider’s documentation if the padlock doesn’t appear after 24 hours — the most common cause is that DNS hasn’t propagated yet, preventing the CA from verifying domain ownership.
Cloudflare (If Using as Your DNS)
- In your Cloudflare dashboard, navigate to SSL/TLS
- Set the encryption mode to Full (Strict) — this encrypts both the visitor-to-Cloudflare connection and the Cloudflare-to-origin connection
- Enable Always Use HTTPS under Edge Certificates
- Enable Automatic HTTPS Rewrites to fix mixed content issues
VPS or Dedicated Server (Manual Installation)
On an unmanaged VPS, you typically install Certbot — the official Let’s Encrypt client — and run it to obtain and configure certificates automatically. On Nginx:
```bash
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yoursite.com -d www.yoursite.com
```
Certbot handles certificate issuance, Nginx configuration, and sets up automatic renewal via a cron job or systemd timer. For Apache, replace nginx with apache in the commands above.
8. Common SSL Problems and How to Fix Them
SSL issues are frustrating because they’re often invisible until something breaks. Here are the most common problems and their solutions.
Mixed Content Warnings
Symptom: Your site loads over HTTPS but the browser shows a broken padlock or warning despite the certificate being valid.
Cause: Some resources on the page — images, scripts, stylesheets, iframes — are still loading over HTTP instead of HTTPS. The presence of even one insecure resource triggers a mixed content warning.
Fix: Use the browser’s developer tools (F12 → Console) to identify which resources are loading over HTTP. Update internal links and resource URLs to HTTPS. On WordPress, the Really Simple SSL plugin handles most of this automatically. Cloudflare’s Automatic HTTPS Rewrites setting catches many cases too.
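The check the browser console performs, as an added example (not code from the original article or from any plugin it mentions): it scans a page for resources fetched over plain HTTP, resolving relative and protocol-relative URLs the way a browser would, and shows what an automatic rewrite would change. The sample page, the `yoursite.com` host and the `MixedContentScanner` name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch something, per tag. <link> only counts
# when it loads a stylesheet or icon; rel="canonical" is metadata, not a fetch.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute URL) for each http:// resource

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attrs = dict(attrs)
        if tag == "link" and not any(r in (attrs.get("rel") or "").lower() for r in ("stylesheet", "icon")):
            return
        for attr in RESOURCE_ATTRS[tag]:
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" candidates; check each URL.
            raw_urls = [c.split()[0] for c in value.split(",") if c.split()] if attr == "srcset" else [value]
            for raw in raw_urls:
                absolute = urljoin(self.page_url, raw)  # relative and //protocol-relative paths inherit https
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, attr, absolute))


def find_mixed_content(page_url, html):
    """Return (tag, attribute, url) for every resource the page loads over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def rewrite_to_https(url):
    """What an automatic HTTPS rewrite does: swap http:// for https://, keep the rest.
    Only a fix if that host really serves HTTPS; otherwise the resource breaks instead."""
    parts = urlsplit(url)
    return parts._replace(scheme="https").geturl() if parts.scheme == "http" else url


# Constructed sample page: three hard-coded http:// resources plus look-alikes that are fine.
SAMPLE_PAGE_URL = "https://yoursite.com/about"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://yoursite.com/style.css">
<link rel="canonical" href="http://yoursite.com/about">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="/images/logo.png" alt="">
<img src="http://cdn.example.net/hero.jpg" srcset="http://cdn.example.net/hero-2x.jpg 2x">
<iframe src="https://player.example.org/embed/VIDEO_ID"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url} -> try {rewrite_to_https(url)}")
```

Running it on the sample flags the stylesheet and both hero images, while the canonical link, the relative logo path and the protocol-relative script are correctly left alone.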
Certificate Expired
Symptom: Visitors see a browser warning saying “Your connection is not private” with an error like NET::ERR_CERT_DATE_INVALID.
Cause: The SSL certificate expired and wasn’t renewed. Let’s Encrypt certificates expire every 90 days. If auto-renewal failed for any reason, visitors will see this error.
Fix: Renew the certificate immediately through your host’s control panel. Then investigate why auto-renewal failed — common causes include a change in DNS settings that broke domain validation, or a server issue that prevented the renewal process from running.
Certificate Name Mismatch
Symptom: Browser shows a security warning stating the certificate is for a different domain.
Cause: The certificate was issued for yoursite.com but visitors are accessing www.yoursite.com (or vice versa), and the www version isn’t covered by the certificate.
Fix: Reissue the certificate to cover both yoursite.com and www.yoursite.com. In cPanel, make sure both variants are selected when issuing Let’s Encrypt SSL.
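The two checks behind the expired-certificate and name-mismatch warnings above, and the wildcard scope rule from section 6, as one added example (not code from the original article): it applies the browser’s hostname-matching rule, so `*.yoursite.com` covers `www.yoursite.com` but not `yoursite.com` or `api.v2.yoursite.com`, and computes days to expiry so a failed auto-renewal is caught before visitors see `NET::ERR_CERT_DATE_INVALID`. It works on the dictionary Python’s `ssl` module returns from `getpeercert()`; the `SAMPLE_CERT` is constructed, and the assumed `fetch_peer_cert` helper needs network access and also shows the negotiated TLS version and cipher from the handshake in section 2.

```python
import socket
import ssl
from datetime import datetime, timezone


def name_matches(pattern, hostname):
    """Browser-style (RFC 6125) matching: exact match, or a leading '*' that
    stands in for exactly one label. So *.yoursite.com covers shop.yoursite.com
    but not yoursite.com or api.v2.yoursite.com, and *.com is never accepted."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if a DNS Subject Alternative Name covers hostname (browsers ignore the CN)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(san, hostname) for san in sans)


def _as_utc(when):
    """Accept None (now), an ISO date string such as '2025-04-01', or a datetime."""
    if when is None:
        return datetime.now(timezone.utc)
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)


def days_until_expiry(cert, when=None):
    """Days from `when` until notAfter; negative once expired. notAfter is in the
    'Mon DD HH:MM:SS YYYY GMT' form that getpeercert() returns."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - _as_utc(when)).total_seconds() / 86400


def audit(cert, hostname, when=None, warn_days=30):
    """List of problems a visitor would hit on hostname; empty list means the cert is fine."""
    problems = []
    if not cert_covers(cert, hostname):
        problems.append(f"name mismatch: certificate does not cover {hostname}")
    days = days_until_expiry(cert, when)
    if days < 0:
        problems.append("certificate expired (browser shows NET::ERR_CERT_DATE_INVALID)")
    elif days < warn_days:
        problems.append(f"certificate expires in {days:.0f} days; confirm auto-renewal is working")
    return problems


def fetch_peer_cert(hostname, port=443):
    """Live check (needs network): run the TLS handshake like a browser would and
    return the server certificate; also prints the negotiated version and cipher."""
    ctx = ssl.create_default_context()  # trusted CA list plus hostname verification
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            print(f"{hostname}: negotiated {tls.version()} with cipher {tls.cipher()[0]}")
            return tls.getpeercert()


# Constructed sample in getpeercert() shape: a 90-day DV wildcard certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "yoursite.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Mar  1 00:00:00 2025 GMT",
    "notAfter": "May 30 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yoursite.com"), ("DNS", "*.yoursite.com")),
}

if __name__ == "__main__":
    for host in ("yoursite.com", "www.yoursite.com", "api.v2.yoursite.com"):
        print(host, audit(SAMPLE_CERT, host, when="2025-05-01") or "OK")
```

Replacing `SAMPLE_CERT` with `fetch_peer_cert("yoursite.com")` turns this into a live check you can schedule, with `warn_days` set comfortably inside the 90-day Let’s Encrypt window.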
SSL Not Working After Changing Hosts
Symptom: HTTPS was working on the old host but shows warnings on the new one.
Cause: SSL certificates are issued per-server. Moving your site to a new server means the old certificate doesn’t transfer — you need to issue a new one on the new host.
Fix: Issue a new SSL certificate on your new hosting account after DNS has propagated to the new server.
SSL Labs (ssllabs.com/ssltest) gives your site a letter grade from A+ to F based on your SSL configuration, certificate validity, supported protocols, and cipher suites. It’s free, takes about 60 seconds, and is the industry standard for SSL health checks. Run it after any SSL change to confirm everything is configured correctly.
9. SSL and SEO: What Google Actually Uses
Google confirmed HTTPS as a ranking signal in 2014. Since then, SSL has become effectively mandatory for any site that cares about search performance. But there’s often confusion about what exactly Google looks at — here’s the precise picture.
HTTPS as a Ranking Factor
Google has described HTTPS as a “lightweight” ranking signal — one that acts as a tiebreaker when other signals are roughly equal, rather than dramatically boosting or penalising rankings on its own. In practice, however, the indirect effects of not having SSL are more significant:
- Chrome labels non-HTTPS sites as “Not Secure” — increasing bounce rate, which is a strong negative signal
- Many users actively avoid submitting forms or purchases on non-HTTPS sites
- HTTP/2 and HTTP/3 (which improve performance) require HTTPS in most browsers
- Google Search Console, Analytics, and most third-party tools work better on HTTPS
What Google Does NOT Care About
- Certificate type — Google does not give any ranking preference to OV or EV certificates over free DV certificates. A Let’s Encrypt certificate is treated exactly the same as a $400 EV certificate for ranking purposes.
- Certificate provider — Which CA issued your certificate is irrelevant to Google. Let’s Encrypt, DigiCert, Sectigo — Google doesn’t distinguish.
- Certificate price — There is zero correlation between what you paid for your certificate and how Google ranks your site.
HTTP to HTTPS Migration: Getting It Right
If you’re migrating an existing site from HTTP to HTTPS, doing it correctly matters for maintaining your rankings:
- Set up SSL on your server first, before making any redirects
- Implement 301 (permanent) redirects from every HTTP URL to its HTTPS equivalent
- Update your canonical tags to use HTTPS URLs
- Update your XML sitemap to use HTTPS URLs
- Update Google Search Console with the HTTPS version of your site
- Update any hardcoded internal links and resource URLs to HTTPS
After an HTTP-to-HTTPS migration, you may see some ranking fluctuation for 2–4 weeks while Google re-crawls and re-indexes your HTTPS URLs. This is normal and temporary. If you’ve implemented redirects correctly, rankings typically stabilise at or above their pre-migration levels. The fluctuation is not a penalty — it’s Google updating its index.
10. SSL Setup Checklist
Use this checklist when setting up SSL on a new site, migrating to HTTPS, or auditing an existing installation.
Initial SSL Setup
- SSL certificate issued and active for your root domain (yoursite.com)
- SSL certificate covers the www subdomain (www.yoursite.com)
- Padlock displays correctly in browser address bar on both versions
- HTTP traffic redirects to HTTPS via 301 redirects
- Auto-renewal is enabled and confirmed (check your host’s SSL settings)
Mixed Content Check
- Browser console shows no mixed content warnings (F12 → Console)
- All internal images, scripts, and stylesheets load over HTTPS
- All external resources (fonts, scripts, embeds) use HTTPS URLs
- WordPress site URL and home URL both set to https:// (Settings → General)
Configuration Verification
- SSL Labs test (ssllabs.com/ssltest) returns an A or A+ rating
- TLS 1.2 and TLS 1.3 enabled; TLS 1.0 and 1.1 disabled
- HSTS (HTTP Strict Transport Security) header enabled if your setup supports it
- Cloudflare SSL mode set to Full (Strict) if using Cloudflare
After Migrating from HTTP to HTTPS
- 301 redirects confirmed working from all HTTP pages to HTTPS equivalents
- Canonical tags updated to HTTPS throughout the site
- XML sitemap updated to use HTTPS URLs
- Google Search Console property added for the HTTPS version
- Google Analytics updated to use HTTPS as the default URL
- Any backlinks or external references updated where possible
SSL Is Simple When You Know What You’re Looking At.
The padlock in the browser address bar represents one of the most thoroughly engineered security systems on the internet — and for most website owners, it’s also completely free and fully automated by your hosting provider. The complexity mostly hides behind the scenes.
The practical takeaway is straightforward: activate the free SSL your host provides, make sure HTTPS redirects are in place, check for mixed content, and let auto-renewal do its job. For the vast majority of sites, that’s the entire SSL to-do list.
If you’re running a business that handles sensitive customer data or needs verified organisational identity, an OV certificate is worth the modest cost. For everyone else, Let’s Encrypt is exactly as good as anything you’d pay for — because cryptographically, it is.
Secure your site, tick SSL off the list.
Focus on what you’re actually building.