SSL certificates are an important part of securing your website, and also help you look professional and reputable to customers.
In this article, we'll talk about how to get a secure SSL certificate and serve your website over HTTPS, as well as going through the different types of SSL certificates that are out there, and the process of getting one from your web hosting provider.
- What is an SSL certificate and why is it important?
- What's the difference between SSL and TLS?
- When do you need an SSL certificate?
- What SSL certificate do I need?
- How long does it take to get an SSL certificate?
- Do you need an SSL certificate on your website?
The term "SSL" stands for Secure Sockets Layer, and an SSL certificate is what secures the transmission of data between a browser and a server.
For example, if you're making a payment online, SSL protects the card information that you enter into the website as it's transmitted to the server that processes your payment.
Having an SSL certificate is also how to make your website HTTPS secure, and display the small padlock that shows your website as being protected.
SSL certificates have been an essential part of protecting data on websites for many years, but in the past they were mostly used for websites where payments were processed, or if sensitive data was being shared.
Today they're used across all types of website, and browsers are encouraging this trend of forcing websites to use HTTPS, by showing websites without SSL encryption as being "Not Secure".
TLS stands for "Transport Layer Security", and is an updated version of the original SSL encryption. So a modern SSL certificate is technically a TLS certificate, but the term "SSL" has become so familiar in the industry that people have continued to use it to describe the new technology.
Ideally, every website should be secured with an SSL certificate. In the past, SSLs were only really necessary if you were selling things through your website or asking for sensitive data, but that's all changed in the last few years.
Recently browsers have been encouraging all websites to use SSL certificates, with Google even taking steps to show websites without SSL security as being unsafe.
This began with a greyed out "not secure" sign in the address bar.
This is now evolving into a full warning page if someone attempts to use an unsecured website.
As you can imagine, this warning screen is a huge red flag for users, and Google has even made it difficult to ignore the warning and continue, as this option is on a black background to make it less prominent.
This is a massive incentive to ensure that your website has an SSL certificate, so that you can ensure Google and other providers don't prevent people from visiting your website.
Search engines also rank websites with SSL encryption a little higher, so it's also a good way to get a small SEO improvement at the same time.
There are a few different types of SSL certificate. Some allow you to secure multiple domains or subdomains, and some provide more robust security.
This is the most common kind of SSL certificate, which you can validate as the domain owner. This is the best choice for the vast majority of websites, and it's also usually the most inexpensive too! In some cases you can obtain them for free - more on that later.
A DV SSL can give you all the protection you need whether you're selling products online, or just have a basic enquiry form.
EV and OV SSL certificates require a little more detail to secure validation, as they check additional details such as the business address and other organisation information.
In the past, browsers would show that official company name at the start of the URL when you visited a website secured by an EV certificate (although not by OV), but that's no longer the case.
So, for a user, there's no visual difference between a website secured by DV, OV or EV certificates.
And to be clear, the actual technical security of these different SSL certificates is exactly the same. The only difference lies in the checks made to ensure the website is owned by a registered company.
Which leads us to the question, what's the point of spending more money on an SSL certificate that provides users with no additional security on the actual website?
If you'd like to read a bit more detail about the difference between EV, OV and DV SSL certificates, here's a brilliant article by Scott Helme which asks if EV certificates are really worth it.
Most SSL certificates are only needed to cover a single domain, so this is the best option for most people.
Wildcard SSL certificates are needed if you have subdomains that you also want to secure alongside your main website.
So if you have a range of subdomains, let's say we had seo.edgeoftheweb.co.uk and design.edgeoftheweb.co.uk, a Wildcard SSL would cover these as well as the main edgeoftheweb.co.uk domain.
A Multi Domain SSL uses one certificate to cover multiple domains - but those domains have to be under the same IP. They're also known as subject alternative name (SAN) or unified communication (UCC) certificates.
If you have several different domains under your control and using the same IP address then this might be a good option for you.
But in short, for the vast majority of people, a single Domain Validation SSL certificate is going to be all you need.
If you're getting a single Domain Validation SSL certificate, then it can usually be issued and installed in a couple of hours - but of course, this will depend on you, your provider and your web maintenance team.
How to get an SSL certificate for your website
If you already have a website up and running, your hosting provider should have a solution for adding an SSL certificate to your website.
We'd recommend using Let's Encrypt, a non-profit organisation set up to increase SSL certification across the internet and make it easier for websites to stay secure.
They designed a standard that allows completely automated SSL certificate issuance and renewal called ACME (Automatic Certificate Management Environment).
To get a free SSL certificate, all they require is for you to verify that you do have control of the domain you wish to secure, usually by adding a file provided by them to your website. They will then try to load that file from your website and, if they can, then you've demonstrated your ownership and are authorised to request your certificate.
You'll then need to ensure that your SSL certificate is correctly installed and that the website is now forcing use of https instead of http.
Let's Encrypt created a tool to help with this called Certbot which automates the process, including automatic renewal - meaning you can be sure your site is secure for life. Their certificates renew after 90 days, which increases security further and reduces risks of the private key being leaked as it's being changed much more often than with an annual renewal.
Certbot can be run server-side by entering the following into the command line with your URL:
certbot -d www.edgeoftheweb.co.uk
The main downside to using Let's Encrypt to provide your SSL certificate is that, depending on your hosting provider and server set up, configuration and ongoing management can be quite technical, and it can be easy to get wrong if you don't know what you're doing!
If you don't have a developer or the technical expertise in house, it really helps if you've got a website maintenance contract in place with your provider, as they'll then be able to manage this for you.
Yes, you do! And we recommend you get one ASAP so that you can prevent Google from telling users that your website is unsecure and untrustworthy.
In short, an SSL certificate means:
- Your users' data is better protected
- They can see that your website is secure
- Search engines rank you a little higher
- Your site doesn't get blocked by a giant warning message
That's a lot of benefit for the relatively low cost of installing and renewing your SSL certificate, and we think it's simply essential for every website.
If you're still not sure what SSL certificate you need for your website, get in touch to find out more about how we can help with website security and maintenance.
Get in touch
Got a question or need some help with your next web project? Our creative team is here to help, and we'd love to hear from you.