localwebadvisor
WIKI← Wiki home

What Is an SSL Certificate? HTTPS Explained

By FayUpdated Jul 9, 2026EVERGREEN
⚡ THE ANSWER

An SSL certificate (technically a TLS certificate) is a digital credential that proves your website is really yours and enables HTTPS — encrypted connections between visitors and your server. It prevents eavesdroppers from reading or tampering with data in transit, powers the browser padlock, and avoids Chrome's 'Not secure' warning. HTTPS has been a confirmed Google ranking signal since 2014, and thanks to Let's Encrypt, basic certificates are free. Every business website should have one, no exceptions.

Ranking signal
HTTPS is a confirmed Google ranking signal (Google, 2014)
Browser warnings
Chrome has marked all HTTP pages 'Not secure' since July 2018 (Chrome 68)
HTTPS adoption
Over 90% of pages loaded in Chrome in the US use HTTPS (Google Transparency Report)
Free certificates
Let's Encrypt, launched 2015, issues free certificates to hundreds of millions of sites (Let's Encrypt / ISRG)

SSL, TLS, HTTPS: sorting out the names #

The terminology is a mess, so let's settle it. SSL (Secure Sockets Layer) was the original encryption protocol from the 1990s. It was replaced by TLS (Transport Layer Security), and every modern connection actually uses TLS 1.2 or 1.3 — the SSL protocols themselves are obsolete and disabled everywhere. But the industry kept saying SSL certificate out of habit, so the terms are used interchangeably; when a hosting company sells you SSL, you are getting TLS. HTTPS is simply HTTP running over a TLS connection — the S means secure. The certificate itself is not the encryption; it is the identity document that makes trustworthy encryption possible. It binds your domain name to a cryptographic key pair and carries a signature from a certificate authority (CA) that browsers already trust. Without that chain of trust, encryption alone would be pointless — you could have a perfectly private conversation with an impostor.

How does the TLS handshake work in plain English? #

Think of the handshake as a fast, automated ritual before any real data moves. 1) Your browser contacts the server and says which encryption methods it supports. 2) The server sends back its certificate, which contains its public key and a CA's signature vouching for the domain. 3) The browser checks the signature against its built-in list of trusted CAs, confirms the certificate matches the domain and has not expired. 4) Browser and server then use public-key cryptography to agree on a fresh, one-time session key that only they know — even someone recording the entire exchange cannot derive it. 5) All further traffic is encrypted with that session key. On TLS 1.3 this completes in a single round trip, adding only milliseconds. The elegant part is the division of labor: slow public-key math secures the introduction, then fast symmetric encryption carries the actual conversation.

What the padlock actually promises (and what it doesn't) #

The padlock icon makes three specific promises: the connection is encrypted, the data was not altered in transit, and you are talking to a server that controls the domain in the address bar. Those guarantees matter — they stop coffee-shop Wi-Fi snooping, ISP injection, and man-in-the-middle attacks. But the padlock does not promise the business behind the site is honest. Phishing sites routinely use valid free certificates; scam-a-site.com can be perfectly encrypted while stealing card numbers. This is worth explaining to your staff and customers: encrypted is not the same as legitimate. The flip side is what a missing padlock costs you. Chrome has flagged every plain-HTTP page as Not secure since 2018, and form pages trigger stronger warnings. For a local business, a security warning on the contact form is a conversion killer — visitors do not parse the technical nuance, they just leave. The padlock is table stakes, not a trust badge.

DV, OV, and EV certificates compared #

Certificates come in three validation tiers. Domain Validation (DV) proves only that the applicant controls the domain — verification is automated and takes minutes. Organization Validation (OV) adds a manual check that the requesting company legally exists. Extended Validation (EV) is the strictest vetting and once earned a green bar showing the company name in browsers. Here is the part the certificate industry does not advertise: browsers removed the distinctive EV visual treatment years ago, so DV, OV, and EV all display the identical padlock. The encryption strength is also identical across all three — validation tier changes what is verified about you, not how the connection is protected. Our guidance: DV is the right answer for the overwhelming majority of small business websites, including e-commerce. OV/EV still appears in enterprise procurement checklists and some compliance regimes, and that is a legitimate reason to buy one. Improving customer trust is not — customers cannot see the difference.

Do I need to pay for an SSL certificate? #

For almost every small business: no. Let's Encrypt, a nonprofit certificate authority launched in 2015, issues DV certificates free, and its 90-day certificates renew automatically on any decent host — set up once, never think about it again. The certificates are trusted by every browser and cryptographically equivalent to paid alternatives. So what are paid certificates selling? Longer validity terms, OV/EV validation, warranty amounts that have essentially never paid out in practice, wildcard convenience (though Let's Encrypt offers free wildcards via DNS validation), and support contracts. There is one paid thing worth watching for in reverse: hosts that charge $50-100 a year for basic SSL are charging you for something the industry gives away, and we treat that as a red flag about the host generally. Our managed hosting provisions and auto-renews Let's Encrypt certificates as a matter of course. The realistic risk with free certificates is not quality — it is a broken auto-renewal going unnoticed, which monitoring solves.

Is HTTPS really a Google ranking signal? #

Yes — Google confirmed HTTPS as a ranking signal in 2014, one of the few times it has ever announced a factor explicitly. Keep the size of the effect honest, though: Google described it as a lightweight signal, a tiebreaker rather than a rocket. Migrating to HTTPS will not leapfrog you past better content. The indirect effects are larger than the direct one. Chrome's Not secure labeling drives bounce behavior that feeds back into performance metrics. HTTP/2 and HTTP/3, which meaningfully speed up page loads, are effectively HTTPS-only in browsers — so staying on HTTP locks you out of free performance. Referral data from HTTPS sites is stripped when landing on HTTP pages, muddying your analytics. And browsers increasingly restrict features like geolocation to secure contexts. In 2026 the practical question has inverted: HTTPS is not an optimization, it is the baseline, and its absence is an active penalty across rankings, conversions, and analytics simultaneously.

Mixed content: the most common HTTPS bug #

Mixed content is what happens when an HTTPS page loads some resources — images, scripts, stylesheets — over plain HTTP. Browsers respond in two ways: passive mixed content like images may load but breaks the padlock, while active mixed content like scripts is blocked outright, which can visibly break your site. This is far and away the most common issue after an HTTPS migration, and it usually comes from hardcoded http:// URLs in old page content, theme files, or database entries. The fix is systematic: 1) update the site URL setting to https; 2) search-and-replace http://yourbusiness.com with the https version across the database; 3) check third-party embeds — old widgets and tracking scripts are frequent offenders; 4) as a safety net, send a Content-Security-Policy header of upgrade-insecure-requests, which tells browsers to automatically upgrade stray HTTP references. Your browser's developer console lists every offending resource on a page, so diagnosis takes seconds once you know to look.

How to check any site's certificate #

You can inspect a certificate in any browser by clicking the padlock, but the command line gives you more detail and is scriptable. The openssl command shown here answers the questions that matter operationally: who issued the certificate, which names it covers, and — most importantly — when it expires. The curl variant is a quick one-liner for spotting problems: an expired or misconfigured certificate produces a clear error instead of page content. Two things to check beyond your homepage: subdomains, which need their own coverage unless you use a wildcard certificate, and the full certificate chain — a server that fails to send intermediate certificates will work in some browsers and fail in others, one of the more maddening bugs to diagnose. If you would rather not memorize commands, our free Website Grader includes certificate validity and expiry in its checks, which doubles as a free early-warning system.

Inspect a certificate
echo | openssl s_client -connect yourbusiness.com:443 -servername yourbusiness.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates

# Quick check: fails loudly if the cert is invalid
curl -sSI https://yourbusiness.com | head -n 1

HSTS, renewals, and when to hand it off #

Two finishing touches separate a correct HTTPS setup from a checkbox one. First, redirect all HTTP traffic to HTTPS with permanent 301 redirects — one canonical version of every URL. Second, consider HSTS (HTTP Strict Transport Security), a response header telling browsers to refuse plain-HTTP connections to your domain for a set period. It closes the small window where a redirect could be intercepted. Deploy it carefully: start with a short max-age and only add the preload directive once you are certain every subdomain serves HTTPS, because HSTS mistakes are sticky by design. The ongoing work is mostly vigilance — renewals that silently fail, chains that break after a server change, new subdomains launched without coverage. Our managed hosting treats all of this as our problem: automated issuance and renewal, expiry monitoring, redirect and HSTS configuration, and mixed-content cleanup during migrations. If you run your own stack, the single highest-value habit is independent certificate-expiry monitoring with alerts that reach a human.

FAQ

What does an SSL certificate actually do?

It does two jobs: proves to browsers that your server legitimately controls your domain, and enables the encrypted TLS connection that keeps data private and untampered in transit. Together those power HTTPS and the padlock icon. It does not vouch for your business practices — it secures the pipe, not the merchant.

Are free SSL certificates from Let's Encrypt safe?

Yes. Let's Encrypt certificates use the same encryption standards as paid certificates and are trusted by every major browser. They validate domain control only and renew every 90 days, which good hosts automate. The main operational risk is a failed auto-renewal going unnoticed, so pair free certificates with expiry monitoring.

Does HTTPS improve Google rankings?

Yes, modestly and directly — Google confirmed it as a ranking signal in 2014 — and more significantly through indirect effects. HTTPS unlocks faster protocols like HTTP/2, avoids Chrome's Not secure warning that drives visitors away, and preserves referral data in analytics. Treat it as a mandatory baseline rather than an SEO tactic.

Why does my site say Not secure even though I bought a certificate?

The usual culprits: the certificate is installed but the site still serves pages over HTTP without redirecting, the page loads mixed content such as images or scripts via http://, the certificate covers a different hostname (www vs. non-www), or it has expired. The browser developer console will name the exact resource or error.

What is the difference between SSL and TLS?

TLS is the modern successor to SSL — the original SSL protocols are obsolete and disabled in all current software. Every padlock you see today is TLS 1.2 or 1.3. The industry still says SSL certificate out of decades of habit, so in practice the two terms refer to the same thing.

Do I need an EV certificate for my business?

Almost certainly not. Browsers no longer display the special EV indicator, so visitors see the identical padlock for a free DV certificate and a $200+ EV one, and the encryption is the same. EV or OV only makes sense if a compliance framework, insurer, or enterprise customer contract specifically requires organizational validation.

Was this helpful?