SSL Certificates Explained: What Every Website Owner Should Know

You've probably noticed the padlock icon in your browser's address bar, or seen websites using "https://" instead of "http://". This is SSL in action—a fundamental security technology that every website now needs. Here's what it means and why it matters.
What Is SSL?
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are encryption protocols that secure data transmission between a user's browser and a website's server.
When you visit a site using HTTPS, information travels encrypted—transformed into unreadable code that only the intended recipient can decrypt. This prevents eavesdropping, tampering, and interception.
Think of it as sending a message in a locked box rather than on a postcard. Anyone handling the postcard can read it; only the intended recipient can open the locked box.
Why SSL Matters
Data Protection
Without encryption, data travels as plain text. On public WiFi, malicious actors can intercept:
- Login credentials
- Payment information
- Personal details from forms
- Any sensitive information submitted
SSL encryption prevents this interception. Even if someone captures the data, they can't read it.
Trust and Credibility
Modern browsers actively warn visitors about insecure sites:
- Chrome displays "Not Secure" for non-HTTPS sites
- Form fields on insecure pages show warnings
- Some browsers block certain features on insecure sites
These warnings alarm visitors. They see your site as unsafe—even if you're not handling sensitive data. The "Not Secure" label damages trust and deters engagement.
SEO Ranking Factor
Google confirmed HTTPS as a ranking signal in 2014. While not a dominant factor, it can be a tiebreaker between otherwise equal sites. More importantly, site security affects Core Web Vitals and overall user experience metrics that do impact rankings significantly.
Regulatory Compliance
For sites handling personal data, GDPR requires "appropriate technical measures" for security. SSL/TLS is a baseline expectation. Sites processing payments must comply with PCI DSS, which mandates encryption.
Operating without SSL increasingly creates compliance risk.
Types of SSL Certificates
Domain Validation (DV)
The most basic level. The certificate authority (CA) verifies you control the domain—nothing more. These are quick to issue (often automated) and inexpensive or free.
DV certificates provide encryption but no identity verification. They're appropriate for most websites, blogs, and small businesses.
Organisation Validation (OV)
The CA verifies your organisation exists and controls the domain. This requires documentation and takes a few days to issue.
OV certificates include organisation details visible in the certificate. They provide slightly more trust but are largely indistinguishable to typical users.
Extended Validation (EV)
The most rigorous verification, including legal entity checks, operational verification, and identity confirmation. Takes days or weeks to issue.
EV certificates once displayed the company name in the browser bar (the "green bar"). Modern browsers have removed this distinction, reducing EV certificates' visible benefit.
Wildcard Certificates
Secure a domain and all its subdomains (*.example.com). Useful if you have multiple subdomains—one certificate covers blog.example.com, shop.example.com, etc.
Multi-Domain (SAN) Certificates
Secure multiple different domains with one certificate. Useful for organisations with several related domains.
Free vs. Paid Certificates
Let's Encrypt revolutionised SSL by providing free certificates. These are Domain Validation certificates, automatically issued and renewed. They provide the same encryption as paid DV certificates.
For most websites, free Let's Encrypt certificates are entirely appropriate. The padlock looks identical, the encryption is equally strong, and users can't tell the difference.
Paid certificates might be worthwhile for:
- Organisation or Extended Validation if brand trust is critical
- Warranty coverage (some paid certificates include liability coverage)
- Support and assistance with installation issues
- Specific compliance requirements
For the vast majority of small businesses, free Let's Encrypt certificates are perfect.
Implementation and Renewal
Installation
SSL certificates are installed on your web server. This is typically handled by:
- Your hosting provider (many include free SSL automatically)
- Your developer during site setup
- Automated tools like Certbot for Let's Encrypt
Proper installation includes configuring the certificate, redirecting HTTP to HTTPS, and updating internal links.
Renewal
Certificates expire—typically after 90 days (Let's Encrypt) or 1-2 years (paid certificates). Expired certificates display scary browser warnings that will drive visitors away.
Automated renewal is essential. Let's Encrypt certificates are designed for automatic renewal. Paid certificates often have to be renewed by hand, so they depend on renewal reminders.
Whatever certificate you use, ensure renewal is handled automatically or calendared with ample notice.
Mixed Content Issues
After installing SSL, all resources (images, scripts, stylesheets) must also load via HTTPS. "Mixed content"—secure pages loading insecure resources—triggers browser warnings and can break functionality.
Fixing mixed content involves updating hardcoded HTTP links, ensuring CMS media URLs are correct, and checking third-party integrations.
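To find the hardcoded HTTP references described above, the page source can be scanned for subresources that still use http://. The following is an added example, not part of the original article; the tag list, the function name find_mixed_content and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is deliberately absent.
RESOURCE_ATTRS = {
    "script": ["src"], "iframe": ["src"], "embed": ["src"], "object": ["data"],
    "img": ["src", "srcset"], "source": ["src", "srcset"],
    "audio": ["src"], "video": ["src", "poster"],
}
# Scripts, frames, plugins and stylesheets can change the page, so browsers block them.
ACTIVE_TAGS = {"script", "iframe", "embed", "object", "link"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url, "active" or "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        names = list(RESOURCE_ATTRS.get(tag, []))
        # <link href> is a subresource only for some rel values; stylesheets are checked here.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            names.append("href")
        for name in names:
            value = attrs.get(name) or ""
            # srcset is a comma-separated list of "url descriptor" candidates.
            chunks = value.split(",") if name == "srcset" else [value]
            for chunk in chunks:
                url = (chunk.split() or [""])[0]
                if url.lower().startswith("http://"):
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((self.getpos()[0], tag, name, url, kind))

def find_mixed_content(html):
    """Return every http:// subresource reference found in an HTML document."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://www.example.com/uploads/logo.png" alt="logo">
<img src="/img/a.png" srcset="https://www.example.com/a.png 1x, http://www.example.com/a@2x.png 2x">
<a href="http://other.example.org/">external link</a>
</body></html>"""
```

Findings marked "active" are the ones most likely to break functionality, because the browser refuses to load them; "passive" findings are the ones that produce warnings.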
Checking Your Certificate
To verify your SSL is working correctly:
- Check the padlock: Click the padlock icon in your browser address bar to view certificate details.
- Use testing tools: SSL Labs' SSL Test (ssllabs.com/ssltest) provides detailed analysis and grades your configuration.
- Check expiry: Ensure your certificate doesn't expire soon (the SSL Labs test shows this).
Common Problems
Certificate expired: Visitors see alarming warnings. Ensure automatic renewal is configured.
Wrong domain: A certificate for www.example.com won't work for example.com (without www) unless it covers both. Check your certificate covers all domain variations you use.
Mixed content: HTTPS page loading HTTP resources. Update all internal links and resource references.
Redirect loops: Misconfigured HTTP-to-HTTPS redirects causing infinite loops. Requires server configuration fixes.
Chain issues: Missing intermediate certificates. The full certificate chain must be installed for browsers to trust the certificate.
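The expiry and wrong-domain checks above, and the renewal monitoring recommended earlier, can be automated. The following is an added example, not part of the original article: it audits a certificate in the dictionary form returned by Python's ssl.SSLSocket.getpeercert(). The function names, the 30-day warning threshold and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def name_matches(pattern, hostname):
    """Compare one certificate DNS name with a hostname ('*.' covers exactly one label)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = hostname.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == hostname

def audit_certificate(cert, hostnames, now, warn_days=30):
    """List problems in a certificate dict shaped like ssl.SSLSocket.getpeercert()."""
    problems = []
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for host in hostnames:
        if not any(name_matches(name, host) for name in dns_names):
            problems.append(f"{host}: not covered by {dns_names}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(not_after, timezone.utc) - now).days
    if days_left < 0:
        problems.append(f"expired {-days_left} days ago")
    elif days_left < warn_days:
        problems.append(f"expires in {days_left} days")
    return problems

def fetch_certificate(hostname, port=443, timeout=5):
    """Fetch the live certificate (needs network). The default context verifies it, so an
    expired or wrong-name certificate, or a chain that cannot be built to a trusted root,
    raises ssl.SSLCertVerificationError instead of returning."""
    context = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() form, with a fixed "now" so the result is repeatable.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
}
SAMPLE_NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    sites = ["example.com", "www.example.com", "shop.example.com"]
    for problem in audit_certificate(SAMPLE_CERT, sites, SAMPLE_NOW):
        print(problem)
```

In the sample, the wildcard entry covers shop.example.com but not the bare example.com, which is the "wrong domain" case; a scheduled job would pass `fetch_certificate(host)` and the current UTC time to `audit_certificate` instead of the constructed values.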
Our Approach
Every website we build and host includes SSL from the start. We configure certificates properly, set up automatic renewal, ensure no mixed content issues, and test the complete configuration.
Our care plans include SSL monitoring—we catch expiry issues before they affect your visitors.
If your site lacks SSL or has certificate problems, contact us. It's straightforward to fix and essential for any modern website.