SSL Certificate Setup

How to secure your website with an SSL certificate for better security and SEO.

Introduction to SSL Certificates

An SSL (Secure Sockets Layer) certificate is a digital certificate that authenticates your website's identity and enables an encrypted connection. When your website has an SSL certificate, the URL begins with "https://" instead of "http://" and displays a padlock icon in the browser address bar.

Benefits of SSL Certificates

  • Security: Encrypts data transmitted between your website and visitors
  • Trust: Shows visitors your site is secure, building credibility
  • SEO: Google gives ranking preference to secure HTTPS websites
  • Browser Compatibility: Avoids "Not Secure" warnings in modern browsers
  • Payment Processing: Required for websites accepting online payments

What You'll Need

  • A registered domain name
  • Active web hosting account with access to the control panel
  • Access to your domain's DNS settings (if using external DNS)

Types of SSL Certificates

There are several types of SSL certificates, each offering different levels of validation and security:

Certificate Type | Validation Level | Best For | Typical Cost
Domain Validated (DV) | Basic - Verifies domain ownership only | Blogs, personal websites, small businesses | Free - $50/year
Organization Validated (OV) | Medium - Verifies organization details | Business websites, e-commerce sites | $50 - $150/year
Extended Validation (EV) | High - Rigorous organization verification | Financial institutions, large e-commerce sites | $150 - $500+/year
Wildcard SSL | Varies - Covers main domain and unlimited subdomains | Websites with multiple subdomains | $100 - $700+/year
Multi-Domain (SAN) | Varies - Covers multiple domains | Businesses with multiple websites | $100 - $500+/year

For Beginners

For most personal websites and small businesses, a free Let's Encrypt SSL certificate or a basic Domain Validated SSL is perfectly adequate and secure.

Setting Up SSL: Common Methods

Method 1: Using Let's Encrypt (Free SSL)

Let's Encrypt provides free, automated SSL certificates. Most modern hosting providers offer one-click Let's Encrypt integration.

With cPanel Hosting:

  1. Log in to your cPanel account
  2. Find the "Security" or "SSL/TLS" section
  3. Look for "Let's Encrypt SSL" or similar option
  4. Select your domain from the list
  5. Click "Issue" or "Install"
  6. The certificate will be automatically installed and configured

[Screenshot: Let's Encrypt SSL option in cPanel]

With Other Hosting Providers:

Most popular hosting providers have their own implementation:

  • SiteGround: Go to Site Tools > Security > SSL Manager
  • Bluehost: Access My Sites > Manage Site > Security tab > SSL certificate
  • HostGator: Navigate to the SSL section in your control panel
  • Dreamhost: SSL/TLS Certificates in the panel sidebar

Let's Encrypt Certificates Expire After 90 Days

Don't worry—most hosting providers automatically renew Let's Encrypt certificates before they expire. Check with your provider to confirm this is the case.

Method 2: Installing a Purchased SSL Certificate

If you've purchased an SSL certificate from a provider like Comodo, DigiCert, or GoDaddy, you'll need to install it manually. This is a more complex process that generally involves these steps:

  1. Generate a CSR (Certificate Signing Request)
    • Log in to your hosting control panel
    • Find the SSL section and look for "Generate CSR"
    • Fill in the required information (domain, organization, location)
    • Submit and copy the generated CSR code
  2. Purchase and Activate Your SSL Certificate
    • Submit the CSR to your SSL provider
    • Complete the verification process required by your provider
    • Download the issued certificate files
  3. Install the Certificate
    • Return to your hosting control panel's SSL section
    • Find the "Install SSL Certificate" option
    • Upload or paste the certificate files (typically CRT, CA Bundle, and Private Key)
    • Submit and wait for installation to complete

Important Note About Private Keys

Never share your private key with anyone! This is a sensitive file that should remain secure on your server.

Method 3: Using Cloudflare (Free SSL Alternative)

Cloudflare offers a free plan that includes SSL protection without needing to install a certificate on your server:

  1. Create a free Cloudflare account at cloudflare.com
  2. Add your website to your Cloudflare account
  3. Update your domain's nameservers to point to Cloudflare's nameservers
  4. In the Cloudflare dashboard, go to the SSL/TLS section
  5. Set SSL mode to "Flexible," "Full," or "Full (Strict)" depending on your needs

Cloudflare SSL Options

  • Flexible: Encryption between visitor and Cloudflare only; traffic between Cloudflare and your server is not encrypted (easiest but not end-to-end)
  • Full: Encryption along the entire connection, but doesn't verify your server's certificate
  • Full (Strict): Complete encryption and requires a valid SSL certificate on your server

After Installing SSL: Required Updates

Once your SSL certificate is installed, you need to ensure your website properly uses HTTPS.

1. Set Up Redirects from HTTP to HTTPS

This ensures visitors always use the secure version of your site, even if they type the "http://" version:

Using .htaccess (Apache servers)

Add these lines to your .htaccess file in your website's root directory:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Using Web.config (Windows/IIS servers)

Add these lines in the <system.webServer> section:

<rewrite>
  <rules>
    <rule name="HTTP to HTTPS redirect" stopProcessing="true">
      <match url="(.*)" />
      <conditions>
        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
      </conditions>
      <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
    </rule>
  </rules>
</rewrite>

Using Your Hosting Control Panel

Many hosting providers offer a simple toggle in their control panel:

  • cPanel: Look for "SSL/TLS" > "Redirect HTTP to HTTPS"
  • SiteGround: Site Tools > Site > HTTPS Settings > "HTTPS Enforce"
  • WordPress: If using WordPress, you can change the site URL in Settings > General

2. Update Internal Links and Resources

Make sure all content on your website references the HTTPS version:

  • Update internal links to use HTTPS instead of HTTP
  • Ensure images, CSS, JavaScript, and other resources use HTTPS paths
  • Update hardcoded URLs in your database (for content management systems)

Protocol-Relative URLs

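To avoid issues when linking resources, consider using protocol-relative URLs, which work for both HTTP and HTTPS because they inherit the scheme of the page that loads them. This also means they are fetched over HTTPS only when the page itself was loaded over HTTPS.

  • Instead of http://example.com/style.css or https://example.com/style.css
  • Use //example.com/style.css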

3. Update External Services

Remember to update any external services that reference your website:

  • Google Analytics or other analytics platforms
  • Google Search Console (add the HTTPS version as a new property)
  • Social media profiles
  • Email signatures and marketing materials
  • API integrations

Testing Your SSL Installation

Basic Tests

  1. Browser Check: Visit your website with "https://" in the URL. Look for the padlock icon.
  2. Redirect Test: Type your domain with "http://" and see if it automatically redirects to "https://"
  3. Certificate Information: Click the padlock icon in your browser to view certificate details

Advanced SSL Testing Tools

Common SSL Problems

Mixed Content Warnings

This happens when your HTTPS page includes HTTP resources. To fix:

  • Use browser developer tools (F12) to identify the insecure content
  • Update all resources to use HTTPS or protocol-relative URLs
  • Check plugins, themes, and widgets for hardcoded HTTP URLs
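
The following Python script is an added example, not part of the original guide: it scans a page's HTML for resources that would load over plain HTTP, which is what triggers the warning described above. The sample HTML and the example.com URLs are constructed for illustration, and the tag list is an assumption covering the common cases only.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose URL attribute makes the browser fetch a subresource.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "link": "href",
                  "img": "src", "audio": "src", "video": "src", "source": "src"}
# Active content can rewrite the page, so browsers block it when insecure.
ACTIVE_TAGS = {"script", "iframe", "embed", "link"}

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """
<link rel="stylesheet" href="http://example.com/style.css">
<link rel="canonical" href="http://example.com/">
<script src="//cdn.example.com/app.js"></script>
<img src="http://example.com/logo.png">
<img src="/images/banner.png">
<a href="http://example.com/old-page">old link</a>
<script src="https://example.com/ok.js"></script>
"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a navigation, not a subresource
        values = dict(attrs)
        if tag == "link" and "stylesheet" not in (values.get("rel") or "").lower():
            return  # canonical/alternate links are not loaded into the page
        raw = (values.get(attr) or "").strip()
        if not raw:
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        resolved = urljoin(self.page_url, raw)
        if urlparse(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((kind, tag, resolved))

def find_insecure_resources(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

if __name__ == "__main__":
    for finding in find_insecure_resources("https://example.com/", SAMPLE_HTML):
        print(finding)
```

Passing an http:// page URL instead shows which relative and protocol-relative references would also load insecurely if the redirect to HTTPS were missing.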

Certificate Not Trusted

This occurs when browsers don't recognize the certificate authority:

  • Ensure you've installed the intermediate/CA bundle certificates
  • Verify the certificate is from a trusted provider
  • Check if your certificate has expired

Certificate Name Mismatch

This happens when the domain on the certificate doesn't match the website:

  • Ensure the certificate is issued for the exact domain you're using
  • For "www" subdomain, you may need a wildcard or multi-domain certificate
  • Reissue the certificate with the correct domain name

SSL Certificate Expired

Certificates have an expiration date and must be renewed:

  • Let's Encrypt certificates expire after 90 days
  • Commercial certificates typically last 1-2 years
  • Set calendar reminders for renewal or enable auto-renewal

SSL Certificate Maintenance

Renewal

All SSL certificates expire and must be renewed periodically:

  • Let's Encrypt: 90-day validity, usually auto-renewed by hosting providers
  • Commercial SSL: Typically 1-2 year validity, manual renewal required

Renewal Best Practices

Renew your certificate at least a week before expiration to avoid downtime. Many providers send renewal notices by email.

Monitoring

Regularly check your SSL implementation:

  • Set up monitoring tools to alert you about upcoming expirations
  • Periodically run SSL tests to ensure optimal configuration
  • Check for new SSL vulnerabilities and update accordingly
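
A minimal monitoring check in Python, added here as an example and not part of the original guide: it flags the expiry and name-mismatch problems described under Common SSL Problems, using the one-week renewal margin recommended above as the default warning threshold. The certificate dictionary is a constructed sample in the format Python's ssl module returns; fetch_cert shows how a live one would be retrieved.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.shop.example.com")),
}

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live certificate (needs network; chain and name are verified)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now=None):
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days  # negative once the certificate has expired

def covers(cert, hostname):
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        name = name.lower()
        if kind != "DNS":
            continue
        # A wildcard stands for exactly one left-most label, so
        # *.example.com covers www.example.com but not example.com itself.
        if name == host or (name.startswith("*.") and "." in host
                            and host.split(".", 1)[1] == name[2:]):
            return True
    return False

def check(cert, hostname, now=None, warn_days=7):
    problems = []  # an empty list means no problem was found
    left = days_remaining(cert, now)
    if left < 0:
        problems.append("expired")
    elif left <= warn_days:
        problems.append(f"expires in {left} days")
    if not covers(cert, hostname):
        problems.append("name mismatch")
    return problems

if __name__ == "__main__":
    now = datetime(2025, 6, 25, 12, 0, tzinfo=timezone.utc)
    print(check(SAMPLE_CERT, "www.example.com", now))
```

The sample certificate lists example.com but not www.example.com, so the check reports a name mismatch for the "www" host in addition to the upcoming expiry.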

Next Steps

With your SSL certificate properly installed, consider these additional security measures:

  • Implement HSTS (HTTP Strict Transport Security) to enforce HTTPS
  • Configure modern cipher suites for stronger encryption
  • Set up Content Security Policy (CSP) to prevent XSS attacks
  • Learn more about website security with our Website Security Basics guide
