An SSL certificate is absolutely necessary for anyone who wants to get the most out of their blog, or website, so I’ve written an ultimate guide for you here. We will cover the basic questions like “what is an SSL certificate?”, “why do I need one?”, “how do I get it?” and (literally) every question I could think of concerning SSL certificates.
I’ve researched my information from a variety of reputable sources to ensure that this is, truly, the SSL Certificate Ultimate Guide. I broke the information up into small, skimmable, bits of information to help you find the exact information that you need. So let’s get started…
- What is SSL and what is an SSL certificate?
- Why is SSL important?
- Are there different types of SSL certificates? Yes…
- What type of SSL certificate do I need?
- Is a free certificate by Let’s Encrypt good enough? No…
- Where can I get an SSL certificate? I’m glad you asked…!
- How do I renew my SSL certificate? Easy…
- What problems could I face when I switch to HTTPS?
- How to install an SSL certificate?
- How do I know my SSL certificate is installed correctly? Check online…
- Can I transfer my SSL certificate to another hosting account? Yes…
- How will my readers and customers know my website is secure? Tell them…
- “I need help with my SSL certificate.” – I’m here for you…!
- SSL Certificate Giveaway contest!
What is SSL and What is an SSL Certificate
SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. – SSL.com
SSL is what keeps your browser’s communication with a website private and secure and is absolutely necessary for sites that do banking or online payments of any kind. This includes blogs that have an eCommerce plugin installed.
Think of an SSL certificate as an electronic passport that ensures the webserver is who it says it is, and that the connection to that web server is secure.
Why is SSL Important
SSL is important because it builds trust. Knowing that your favorite brand has an SSL certificate on their website gives peace of mind that your personal information is safe to share with them. On the other hand, knowing that your favorite brand does not have an SSL certificate (or, worse, has one that is invalid) can cause you not to trust them with your personal information – perhaps to the point where you don’t feel safe shopping with them online.
The reason your audience comes to you is because you have a purpose for your blog, a message to share with them. And they trust what you say. You owe it to your audience to give them a secure experience on your website.
SSLShopper.com also explains that SSL provides a form of authentication. Basically, an SSL certificate verifies that you’re connected to the right server (if you weren’t, your browser would know because the certificate would be invalid).
Browsers are starting to flag any website that does not have a certificate as insecure. Did you read that? Go back and read it again.
This is just as big of a reason as any why SSL is important. As Troy Hunt has pointed out, “[SSL] adoption has reached the tipping point … where it’s gathering enough momentum that it will very shortly become “the norm” rather than the exception”.
WordPress Will Begin Requiring SSL in 2017
In December 2016, WordPress.org released a statement that they would start requiring SSL early in 2017. They have not yet specified a date, but because browsers are now treating websites without a certificate as insecure, getting an SSL certificate on your WordPress website is even more important. CodeInWP.com recently determined that WordPress accounts for 27% of the websites hosted on the entire internet! Therefore, soon 27% of all websites will be required to have a certificate, and if you’re reading this there’s a good chance your website is one of them!
Having an SSL Certificate Boosts your SEO Ranking
ahrefs.com, among many other sources online, describes using HTTPS as one of many small pieces of the SEO puzzle. An SSL certificate on your website allows you to use HTTPS on your website without error. But ahrefs.com goes on to say, in that article, that how you implement SSL on your website is also important. Check out ahrefs.com to learn exactly how to configure your blog for HTTPS in an easy-to-follow format.
Are There Different Types of SSL Certificates
There are 3 different types of SSL certificates, as described by globalsign.com. Each type serves a different level of security and builds on the security provided by the one in the previous level.
Domain Validation (DV)
- Level 1: Validation of the domain name only
Domain Validation is the most basic type of SSL certificate. This is also the least expensive option. Let’s Encrypt is a popular vendor for DV certificates (and they’re also free!). A DV certificate validates that the owner of the certificate has a right to use that domain name.
Organization Validation (OV)
- Level 2: Additional validation of the organization
Organization Validation is the “middle tier” of validation for SSL certificates. This level of validation includes vetting of the organization itself.
Extended Validation (EV)
- Level 3: Extended Validation of the organization
Extended Validation is the strictest validation of SSL certificates. EV certificates verify the physical existence of the certificate owner (usually by involving the physical mailing address in the vetting process) as well as validating the identity of the owner against official records.
What Type of SSL Certificate Do I Need
A certificate with Domain Validation (DV) is a great way to get your feet wet with SSL and let your readers know your website is secure. A DV certificate is sufficient for a simple blog (and if your webhost supports Let’s Encrypt, your certificate will be free!).
A certificate with Organization Validation (OV) tells your customers that your website actually belongs to your business instead of some phishing scammer. This type of certificate is good for small businesses. Typically, the browser will display a padlock in the address bar.
A certificate with Extended Validation (EV) is typically used by banks, hospitals, large retailers and anyone who wants the “green address bar” for maximum visibility of your website’s security.
Is a Free Certificate from Let’s Encrypt Good Enough
- Technically, yes – if your platform requires SSL and you are not able to complete the Organization Validation process.
- Otherwise, No – and neither are the DV certificates you have to pay for.
If – and this is a big “if” – you are not able to complete the Organization Validation for some reason, then having a certificate with Domain Validation is better than no certificate at all. Essentially, you’re meeting the minimum requirements of Google Search SEO rules and WordPress, and you’re adding a very basic layer of security to your website.
But your website technically is not any safer than it would be without an SSL certificate. Allow me to explain…
Let’s Encrypt issues Domain Validation (DV) SSL certificates so the connection between your browser and the web server is secure. However, since only the domain is verified – and not ownership of that domain – your customers and readers have no way of knowing it’s actually your server they are talking to. The validation process of OV or EV certificates requires a third party to get involved – increasing the legitimacy of your certificate.
Hackers could use the “secure” connection provided by a DV certificate to be a “wolf in sheep’s clothing”. They can do this because they don’t have to validate that they are you.
Your customers would think they are secure when they really aren’t. This false sense of security is more dangerous than not having a certificate on your website.
There’s only 1 scenario that makes a DV certificate “good enough”. If you can guarantee 100% success on these 3 points. all. the. time.:
- The domain in your own address bar is always correct.
- You will never ask your customers, or readers, for anything on your website or blog; including their email address (yeah subscribers!).
- Your web hosting account and the server it’s hosted on will never get hacked (remember, server admins are human too).
If you cannot guarantee all 3 of those statements will always be true about your website, or blog, then you need to seriously reconsider using a DV certificate.
It boils down to your customers being able to trust you. I am not alone in this assessment of DV certificates: DigiCert actually refuses to sell DV certificates because they do not consider them guaranteed secure. (Source: Domain Validation vs High Assurance). They point out that you don’t even have to get hacked for you, or your customers, to become a victim. A man-in-the-middle attack could potentially be used to gain access to your “secure” connection if you have anything less secure than an EV certificate.
Where Can I Get an SSL Certificate
An SSL Certificate can be purchased almost anywhere online. Some of the trusted sites you can buy them from include NameCheap.com and RapidSSLOnline.com. Name Cheap also sells an array of products related to web hosting, website security, etc. But my favorite “extras” that Name Cheap provides are Domain Name purchasing and DNS Hosting. DNS hosting is used for your DNS records (the things that tell your browser where to find your website on the internet).
How do I Renew an SSL Certificate
What problems could I face when I switch to HTTPS
Claire Brotherton, of A Bright Clear Web, explains some of the problems you could face when switching to HTTPS. If not done right, your blog could lose all of its social media share data, and Google Analytics referral data, because of the link change. There is also the potential for problems with 301 redirects and trying to use SSL via a Content Delivery Network (CDN).
Claire has done a great job of explaining how to work through some of those problems. Her suggestions are easy to follow and super important to us bloggers!
How to Install an SSL Certificate
No matter what environment your website is hosted on you must have bought an SSL Certificate before you can start. The only exception to that rule is if you’re settling for an SSL certificate from “Let’s Encrypt”. In that case, you must first verify that your webhost supports Let’s Encrypt.
- Any SSL certificate that is FREE is most likely using Domain Validation (DV) only and is merely a formality to benefit SEO and minimum platform requirements and is not a good form of security.
DigiCert has put together a set of separate SSL instructions for an extensive list of web hosting environments.
How to Install an SSL Certificate on WordPress
If you choose to settle for a less secure DV certificate from Let’s Encrypt, you can use the free WordPress Plugin WP Encrypt to generate a certificate. Be aware that some PHP modules are necessary, which your webhost may or may not allow, and that this plugin does not actually enable HTTPS for your blog.
The Really Simple SSL plugin gives you a way to install any certificate you’ve purchased and will even redirect all traffic to HTTPS for you.
How to Install an SSL Certificate on Blogger
If you choose to settle for a less secure DV certificate, Blogger offers free certificates to their users under their HTTPS settings. If you’re using a custom domain, you can enable HTTPS using CloudFlare CDN.
How Do I Add a Site Seal to My Website?
If you’ve purchased an SSL certificate with Organization Validation (OV) or Extended Validation (EV), your vendor most likely provided you with instructions on how to add the Site Seal to your website.
For WordPressers, you often need to paste an HTML snippet somewhere into your admin area. I would recommend using the Simple custom CSS and JS plugin for WordPress. While my instructions for that plugin are specific to CSS, there is also an option in that plugin to add HTML snippets.
How Do I Know my SSL Certificate is Installed Correctly
There are tons of online tools to check that your SSL certificate is installed correctly, and is valid. Some of them even offer to remind you when your certificate is about to expire so you don’t forget to renew it.
But not all of these tools are recommended. A DV certificate is used to “secure” some of these tools (see “Is a Free Certificate from Let’s Encrypt Good Enough”) so you don’t know if you can trust them. Some of them will tell you everything is secure when, in fact, you are relying on a DV certificate.
That is why I recommend the thawte CryptoReport. It tells you if your certificate can truly be trusted and even offers information about a handful of vulnerability checks.
If you’re testing a DV certificate, thawte will warn you:
This server uses a Domain Validated (DV) certificate. No information about the site owner has been validated. Data is protected, but exchanging personal or financial information is not recommended. – thawte CryptoReport
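The same kind of check can be scripted. The following is an added example, not part of the original guide and not code from thawte or any tool named above: it takes a certificate in the layout Python's `ssl.SSLSocket.getpeercert()` returns, guesses the validation level (DV, OV or EV) from the subject fields, and reports how many days remain before renewal is due. The function names, the 30-day warning window and the sample certificates are assumptions made for illustration, and the level is a heuristic based on the subject only.

```python
import socket
import ssl
import time

def subject_fields(cert):
    """Flatten the nested subject tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic guess at DV / OV / EV from the subject fields alone."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"   # only the domain name was validated
    if "businessCategory" in subject and "serialNumber" in subject:
        return "EV"   # registration details appear only on EV subjects
    return "OV"

def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def report(cert, now=None, warn_days=30):
    remaining = days_left(cert, now)
    return {"level": validation_level(cert), "days_left": remaining,
            "organization": subject_fields(cert).get("organizationName"),
            "renew_soon": remaining <= warn_days}

def fetch_cert(host, port=443, timeout=5):
    """Live fetch; the default context rejects untrusted chains and wrong hostnames."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not real sites), in getpeercert() layout.
SAMPLE_DV = {"subject": ((("commonName", "blog.example"),),),
             "notAfter": "Jun  1 12:00:00 2030 GMT"}
SAMPLE_OV = {"subject": ((("organizationName", "Example Shop LLC"),),
                         (("commonName", "shop.example"),)),
             "notAfter": "Jun  1 12:00:00 2030 GMT"}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("serialNumber", "0000000"),),
                         (("organizationName", "Example Bank Inc."),),
                         (("commonName", "bank.example"),)),
             "notAfter": "Jun  1 12:00:00 2030 GMT"}

if __name__ == "__main__":
    for sample in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(report(sample))
```

To check a live site, pass the result of `fetch_cert("your-domain")` to `report()`; if the certificate is expired, untrusted or issued for a different hostname, `fetch_cert` raises `ssl.SSLCertVerificationError` instead of returning.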
Can I Transfer an SSL Certificate to Another Hosting Account
SSL Shopper has a great guide for transferring certificates from, and to, a variety of web hosting environments.
How Will my Readers and Customers Know my Website is Secure
Websites that have an Extended Validation (EV) SSL certificate will show proof of identity right in the address bar.
While Organization Validation (OV) SSL Certificates do not turn the address bar green, they do display Organization information in the address bar to show that the more thorough vetting of the OV certificate has taken place.
If your address bar only shows the word “Secured”, with no organization information, it is because the certificate only has Domain Validation (DV).
I Need Help with my SSL Certificate
There is a lot out there that we can learn about SSL certificates. That’s obvious just by scanning over this article. If you find yourself freaking out and not knowing what to do, that’s OK. I get it. This geeky stuff can be really scary, especially when words like security or hacker come up.
If you need a helping hand, I would be more than happy to assist in any way I can. Just drop me a line in the comments or contact me. Even if you just need a few questions answered to help you make the right choice about an SSL certificate for your website.
If you’ve found this article helpful, overwhelming, useful, or useless, I would really appreciate you telling me in the comments. All this information is too important for people like us to just glaze over and ignore – so help me make this resource the best we can by giving me your feedback in the comments!