One of the best ways to keep your site secure is with an SSL certificate. In this guide, we’ll explain what SSL certificates are, how they work, and how you can add one to your website.
What is SSL?
SSL stands for Secure Sockets Layer. It’s an encryption protocol that allows computers in a network to communicate securely. In other words, SSL ensures that the connection between the servers that host your website and a visitor’s computer or smartphone is completely secure.
SSL works using two encryption keys: a public key and a private key. Both of these keys live on the server that hosts your website. The public key, also known as an SSL certificate, is visible to any computer that connects to your website, while the private key is kept secret on the server.
This is called asymmetric encryption, since only one computer—your website’s server—has both encryption keys. The private key is needed to decrypt data generated using the public key and vice versa.
When a computer connects to your website, a process known as an SSL handshake begins. The connecting computer reads your site’s public certificate and uses it to generate a unique code, which it then sends back to your website. The server hosting your website uses the private key to decrypt this code.
Using that code—which is now known to both the visitor’s computer and your website’s server—a new set of codes is generated. These new codes are called session keys, and they can’t be decrypted by any computer other than your website server and the visitor’s computer.
This is called symmetric encryption: both the visitor’s computer and your website server have the encryption keys needed to read all the data sent over your connection. All the content on your website and any information that a visitor to your site enters are encrypted using the current session keys.
There’s one more thing we should note about SSL: these days, the acronym SSL is also used to refer to a related encryption protocol called Transport Layer Security, or TLS. Most modern websites actually use TLS rather than SSL since TLS provides stronger security. However, the underlying encryption mechanism is the same and you’ll often see both SSL and TLS protocols referred to as SSL.
What is an SSL Certificate and Why Do I Need It?
An SSL certificate is the public key that your website server makes available to any computer that requests to connect to your website. It’s essential to initiate the SSL handshake process, which in turn is required to establish a secure connection over the internet.
In addition, an SSL certificate acts as a sort of digital passport for your website. It contains information about your website, including its domain name, the website’s owner, and the expiration date of your public key.
A visitor’s computer can use this data to confirm that it’s communicating with the server that actually hosts your website, as opposed to an imposter server. This prevents domain spoofing, a common type of online attack.
On a broader level, an SSL certificate is required to give your website an https address instead of a regular http address. An https address signals that your website uses SSL encryption.
This is critical for running a website today because many browsers will issue a warning to visitors if they try to connect to a website without an SSL certificate. That’s a pretty fast way to drive away would-be visitors to your website.
Types of SSL Certificates
There are several different types of SSL certificates available. These different certificates all use the same underlying encryption mechanism and offer the same level of security. However, they differ in how thoroughly your company is vetted before an SSL certificate is issued and how they are configured for multiple domains and subdomains.
To start, let’s take a look at the 3 different SSL validation levels: extended validation, organization validation, and domain validation.
Extended Validation (EV) SSL Certificate
An EV SSL certificate is the most thoroughly vetted type of certificate. To get an EV SSL certificate, you must prove that you own a domain, that your company exists, and that your company is the entity that is requesting an SSL certificate.
Since EV SSL certificates require a more extended verification process than other types of SSL certificates, they tend to be more expensive. This type of certificate is mainly used by large companies that require a lot of customer information, such as e-commerce stores, banks, and medical service providers.
Organization Validation (OV) SSL Certificate
An OV SSL certificate is a step down from an EV SSL certificate in terms of vetting. The certificate authority—an organization that issues SSL certificates—checks that you own a domain name and does some basic work to verify that your company exists.
While OV SSL certificates aren’t as comprehensive as EV SSL certificates, they still provide a high degree of assurance to site visitors. These certificates are often used by companies that collect and store customers’ payment information online.
Domain Validation (DV) SSL Certificate
A DV certificate can be issued almost immediately, and often for free. The only check it involves is whether you own the domain you’re using. There is no verification of your company’s details.
DV is the type of validation used for issuing the vast majority of SSL certificates.
SSL certificates can also be configured differently depending on whether you have a single domain, multiple domains, or many different subdomains under your primary domain. Below are the most common types of SSL certificate configurations.
Wildcard SSL Certificate
A wildcard SSL certificate is a certificate that can be used for your primary domain and an unlimited number of subdomains. So, for example, if your website is www.mysite.com, a wildcard domain will also cover subdomains such as www.products.mysite.com.
Wildcard SSL certificates can be verified with either OV or DV.
Unified Communications (UCC) SSL Certificate
A UCC SSL certificate is a type of multi-domain certificate that can be used for up to 100 different domains and subdomains. They’re cost-efficient if you have multiple different websites and don’t want to go through the OV or EV validation processes multiple times.
Single Domain SSL Certificate
A single-domain SSL certificate only covers one domain, not including any subdomains. This type of certificate can be useful if you want to purchase OV or EV for a single subdomain but don’t need more thorough validation for other parts of your website.
How Can I Get an SSL Certificate for My Website?
The easiest way to get an SSL certificate for your website is to use a website builder that offers free certificates with every site. Nearly all of the best website builders, including top picks like Wix and GoDaddy, offer free SSL certificates pre-installed on your site.
If you’re hosting your own website, you’ll find that most major website hosting services also provide free SSL certificates. Typically, there’s a simple program within your site’s hosting control panel that lets you create and add an SSL certificate to your site in less than a minute.
If you find a website builder or host that doesn’t offer SSL certificates, you still have options. A company called Let’s Encrypt offers free DV SSL certificates. However, adding these certificates to your site can be a little bit complicated. You may need to work with your hosting company to add a Let’s Encrypt certificate to your website.
All of the options above are for wildcard or single domain DV SSL certificates, which are usually free or very inexpensive. If you want an EV or OV SSL certificate, however, you’ll need to purchase a certificate from a certification authority.
Some of the top SSL providers include Comodo SSL, DigiCert, Rapid SSL, and GeoTrust. There are dozens of certificate authorities to choose from, so it’s worth taking some time to explore which one offers the best value for your security needs.
How Can I Tell If My Website has SSL?
Not sure if your website has SSL or want to double-check that you’ve installed your SSL certificate correctly? It’s incredibly easy to check if your website has SSL. To start, just navigate to your website in any browser.
Once you’re there, look at the web address. If it starts with https instead of http, then your SSL certificate is active. Most web browsers will also display a padlock in the address bar to indicate that your connection is secured by SSL. Click on that padlock to get more information and make sure that the certificate is the same one you installed.
If you navigate to your site and get a warning from your browser that it’s not secure, then your site doesn’t have a properly installed SSL certificate. You can use a free tool like the SSL Server Test from SSL Labs to get more information about what may be wrong.
Is SSL Good for SEO?
Another important reason to add an SSL certificate to your website is that it’s important for your website’s SEO. Search engines like Google give a boost to sites with SSL in page rankings. If your site is operating without an SSL certificate, it’s less likely to show up in search results.
On top of that, most browsers now display a warning to users if they try to connect to a website that doesn’t have an SSL certificate. That’s a strong incentive for visitors to stay away from your site. So even if your site still ranks in search results, you’ll hurt your visitor traffic significantly if you don’t use SSL.
SSL certificates ensure that visitors to your website are secure as they browse and shop. They’re also essential to operate a successful website today, as they give your site an SEO boost and eliminate browser security warnings.
You can get an SSL certificate for free from most website builders and hosting providers, or by using a certificate authority like Let’s Encrypt. If you’re not sure whether your website is currently protected by SSL, just check whether your site has an https address when you visit.
Ready to create an SSL-secured website that wows visitors? Check out our reviews of the best website builders to create your perfect site today.