What is an SSL certificate and why do I need one?

What is SSL/TLS?

SSL stands for Secure Sockets Layer. It is the original protocol created in the mid-1990s to encrypt data travelling between a web browser and a web server. SSL has since been replaced by TLS (Transport Layer Security), but the term "SSL certificate" has stuck and is still universally used to refer to the digital certificates that enable both protocols.

When a visitor types your website address into their browser, their browser and your server perform a quick handshake. The server presents its SSL certificate, the browser verifies it is genuine, and then both sides agree on an encryption key. From that point on, everything sent between them — form submissions, login details, payment information — is scrambled and unreadable to anyone intercepting the connection.

What does an SSL certificate contain?

An SSL certificate is a small digital file that lives on your web server. It contains several pieces of information:

• Domain name — the specific website address the certificate covers
• Organisation details — the company or individual the certificate was issued to
• Certificate authority — the trusted organisation that issued and signed the certificate
• Public key — used to encrypt data sent to your server
• Validity period — the start and expiry dates of the certificate
• Serial number — a unique identifier for the certificate

The private key, which decrypts the data, stays on your server and is never shared.

Types of SSL certificate

There are three main validation levels, each providing a different degree of trust:

• Domain Validated (DV) — the certificate authority only checks that you control the domain name. Issued in minutes. Suitable for most websites including blogs and brochure sites.
• Organisation Validated (OV) — the certificate authority verifies your organisation's legal existence and physical address. Takes a few days. Common for businesses that need to prove their identity.
• Extended Validation (EV) — the most rigorous check. The certificate authority verifies legal, physical, and operational existence. Historically displayed the company name in the browser address bar. Used by banks and financial institutions.

For the vast majority of small businesses, a free DV certificate from Let's Encrypt is perfectly adequate.

How to check if your site has an SSL certificate

Open your website in any browser and look at the address bar. If you see a padlock icon and the URL starts with https://, you have an active certificate. Click the padlock to view details such as the issuer, validity dates, and the domain it covers.

For a more thorough check that also tests certificate chain integrity, protocol versions, and cipher strength, see our guide to validating SSL certificates.

What happens when an SSL certificate expires?

SSL certificates have a fixed lifespan, typically 90 days for Let's Encrypt or up to one year for paid certificates. When a certificate expires:

• Browsers display a prominent warning page telling visitors the connection is not secure
• Most visitors will leave immediately rather than click through the warning
• Google may drop your rankings because HTTPS is a ranking signal
• Any data submitted through your forms is sent unencrypted

Expired certificates are one of the most common yet easily preventable security issues. Automated monitoring can alert you before expiry so you can renew in time.

How to get an SSL certificate

The simplest and most cost-effective option is Let's Encrypt, a free, automated, and open certificate authority. Most hosting providers support one-click Let's Encrypt installation through their control panel. Certificates renew automatically every 90 days.

If your hosting provider does not support Let's Encrypt, you can purchase a certificate from providers such as DigiCert, Sectigo, or GlobalSign. Paid certificates typically offer longer validity periods and warranty coverage.

Many CDN providers, including Cloudflare, also provide free SSL certificates as part of their service. If you use Cloudflare in front of your website, it handles SSL termination automatically.

Mixed content: a common HTTPS problem

Even with a valid SSL certificate, your site can still trigger browser warnings if it loads some resources over HTTP. This is called mixed content. It happens when an HTTPS page contains hard-coded links to images, scripts, or stylesheets using http:// URLs.

Browsers block insecure scripts automatically, which can break parts of your site. Learn how to find and fix mixed content issues to ensure your entire page loads securely.

Why SSL matters for SEO and trust

Google has used HTTPS as a ranking signal since 2014. Websites without SSL rank lower in search results, all else being equal. Beyond SEO, visitors are more likely to trust and engage with a site that shows the padlock icon. The Information Commissioner's Office (ICO) also expects personal data to be transmitted securely as part of GDPR compliance.

If you collect any personal information through your website — contact forms, newsletter sign-ups, or login details — an SSL certificate is not optional. It is a fundamental security requirement.

Check your SSL setup today

Run a free security scan with PulseShield to check your SSL certificate status along with 20 other security and compliance checks. The scan takes under two minutes and produces a professional PDF report you can share with your team or clients.