Skip to main content

SSL

SSL Certificates: A Plain-English Guide

What they are, the types available, and how to choose one.

Quick answer

An SSL/TLS certificate is a digital file that proves your website owns its domain and enables encrypted HTTPS connections. Browsers trust it because a recognised Certificate Authority issued and signed it.

SSL certificates authenticate your website's identity and enable HTTPS encryption. They come in different validation levels and coverage scopes, but for most sites a free, automatically renewed domain-validated certificate is perfect.

Check your website

See how your site handles ssl certificates: a plain-english guide — free, no account needed.

For business owners

A certificate is what turns on the padlock and removes the "Not secure" warning. You do not usually need an expensive one — a free domain-validated certificate encrypts traffic exactly as well as a premium product. The main reasons to pay are organisation validation (your company name is verified) or a warranty. For most small businesses, free and automatic is the right answer.

How it works (technical)

A certificate binds a public key to a domain name and is signed by a Certificate Authority (CA) that browsers already trust. There are three validation levels:

  • Domain Validation (DV) — proves control of the domain; issued in minutes, often free.
  • Organisation Validation (OV) — the CA verifies your business exists.
  • Extended Validation (EV) — the most rigorous vetting.

Coverage can be single-domain, wildcard (*.example.com), or multi-domain (SAN).

Real-world example

An agency managing 40 client sites replaced manual annual certificate purchases with automated Let's Encrypt certificates that renew every 60 days. They eliminated the recurring "the certificate expired and the site is down" emergency that used to hit a client or two every year.

Why it matters

An expired, self-signed, or mismatched certificate produces a full-page browser error that blocks every visitor. Certificate health is one of the highest-impact items in any trust or uptime scan.

How to fix it

  1. Choose a certificate type — DV is fine for most sites; use OV/EV only if you specifically need verified identity.

  2. Get the certificate: use your host's built-in Let's Encrypt integration or a CA of your choice.

  3. Install it and bind it to the correct domain(s), including the www and bare-domain variants.

  4. Set up automatic renewal so it never expires.

  5. Verify the full certificate chain is served (leaf + intermediates), not just the leaf certificate.

Best practices

  • Automate renewal — most outages come from forgotten manual renewals.

  • Cover both www and non-www hostnames.

  • Serve the complete intermediate chain to avoid "incomplete chain" errors on some devices.

  • Monitor expiry dates and alert well before they lapse.

Common mistakes

  • Letting a certificate expire — the most common and most damaging error.

  • Serving a certificate for the wrong hostname (e.g. covers www but not the bare domain).

  • Using a self-signed certificate in production, which browsers reject.

  • Forgetting the intermediate certificates, causing errors on some clients.

Frequently asked questions

How much does an SSL certificate cost?

It can be free. Let's Encrypt and many hosts issue trusted certificates at no cost. Paid certificates add identity validation or warranties, not stronger encryption.

How long do certificates last?

Publicly trusted certificates are increasingly short-lived — often 90 days or less — which is why automated renewal is essential.

What is a wildcard certificate?

One certificate that covers all subdomains of a domain, such as blog.example.com and shop.example.com under *.example.com.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account