In the early days of the internet, all website requests and responses were transferred in “plain text.” This meant they were potentially viewable by digital eavesdroppers, making it risky to transmit things like login credentials, credit card numbers, and other sensitive personal information.
In the mid-1990s, Netscape developed a security protocol for encrypting confidential information for delivering and transferring web content. This protocol was called SSL (Secure Sockets Layer) and would later evolve into another protocol, called TLS (Transport Layer Security).
While SSL and TLS differ in terms of their capabilities and architecture, they both provide security through the use of a digital technology called an SSL certificate.
What is an SSL certificate?
An SSL certificate is a digital certificate that authenticates a website’s identity and creates an encrypted connection between it and a browser.
Sometimes called SSL/TLS certificates, digital certificates, or simply certs, they protect the identity of the remote connection and make online interactions private.
They ensure that no one can read or modify content shared over the secure connection except the sender and recipient. An SSL certificate acts both like a passport to verify the website owner’s identity and like a key to keep user data secure via strong encryption.
What is an SSL certificate authority (CA)?
SSL certificates are issued by organizations called certificate authorities (CAs). A CA is a trusted third-party organization that guarantees a website’s identity. They are trusted because they are few in number, well known, and must clear high barriers to entry. There are just over 100 CAs worldwide, and they undergo regular audits.
Before issuing a certificate, the CA verifies the certificate requester’s information, like site ownership, name, location, and more, according to established industry standards. The CA digitally signs the certificate with its own private key, enabling clients to verify it. To provide this service, most CAs charge a small annual fee (although free SSL certs are available from some web hosts and nonprofit CAs).
The SSL certificate is a small digital file, typically a few kilobytes, installed on the server supporting TLS and shared with others. This file contains:
- The domain name of the site for which the cert was issued
- The organization to which it was issued (the certificate holder)
- The name of the issuing certificate authority
- The certificate authority’s digital signature
- Any associated subdomains
- The certificate issue date and expiration date
- The public key (the private key is not shared)
Whenever you use a browser to connect to a URL beginning with “https,” or see a green padlock icon in the browser address bar, you know you have a secure TLS connection verified by an SSL certificate issued by a CA. Clicking on the padlock icon will display additional information about the SSL certificate, the domain owner, and the connection.
While this padlock means that your connection to the site is secure, it does not necessarily mean the site is safe. Just because you can connect securely to a site doesn’t mean it’s not controlled by nefarious actors.
How do SSL certificates work?
An SSL certificate uses encryption algorithms to scramble data in transit. This ensures that any data transferred between a browser and a website remains impossible for a third party to read.
Secure communication over TLS relies on a key pair, one public key and one private key, to create a secure connection; the certificate carries the public key, while the private key stays on the server.
When a browser attempts to connect to a website secured with TLS, that communication is established by a “handshake,” or back-and-forth communication that only takes a few milliseconds. The steps in this handshake are:
- The client (browser) connects to the SSL-secured website (server).
- The client asks the server to identify itself.
- The server sends over a copy of its SSL certificate.
- The client examines the SSL certificate for trustworthiness and signals to the server if it passes.
- The server initiates a digitally signed agreement to start an SSL-encrypted session.
- Encrypted data now flows freely and safely between the browser and the server.
The initial handshake uses asymmetric encryption based on the server’s public and private keys. After validation, the client and server agree on temporary session keys used only for that session. This allows for more efficient encryption and decryption of the traffic that follows.
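The trust check in step four of the handshake, as an added example that is not part of the article: a local OpenSSL server presents a constructed self-signed certificate, and a client connects once while trusting that certificate as its CA and once with only the default trust store, where verification fails. It assumes the openssl command-line tool is installed and that the chosen local port is free.

```shell
#!/bin/sh
# Added example: observe the client's trust decision in a local TLS handshake.
# Assumes the openssl command-line tool and a free local TCP port.
set -e
WORK=$(mktemp -d)
PORT=$((40000 + $$ % 20000))   # assumed free port, derived from the shell PID

# Constructed self-signed certificate for "localhost"; the private key never
# leaves the server side.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=localhost" \
  -addext "subjectAltName=DNS:localhost" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Run one handshake against a local server and return the client's verdict line.
# $1 = extra s_client options, e.g. "-CAfile $WORK/cert.pem" to trust the cert.
handshake_verdict() {
  openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
    -www >/dev/null 2>&1 &
  srv=$!
  sleep 1   # give the server a moment to start listening
  out=$(printf '' | openssl s_client -connect "127.0.0.1:$PORT" \
          -servername localhost $1 2>&1 || true)
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  printf '%s\n' "$out" | grep 'Verify return code' | sed 's/^ *//'
}

# Trusting the certificate as a CA: the server passes the check.
handshake_verdict "-CAfile $WORK/cert.pem"   # Verify return code: 0 (ok)
# Default trust store only: an unknown self-signed certificate is rejected.
handshake_verdict ""                         # Verify return code: 18 (self-signed)
```

The second verdict is what a browser turns into its “Your connection is not private” page: the handshake itself completes, but the client refuses to trust the identity it was shown.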
Types of SSL certificates
- Domain validated (DV) certificate
- Organization validated (OV) certificate
- Extended validation (EV) certificate
You’ll want to choose the right SSL certificate to get the most out of SSL. Different SSL certificates serve different purposes and have different costs to consider:
Domain-validated (DV) certificate
Cost: $0–$99 per year
A DV SSL certificate involves a minimal, automated identity verification, establishing only that the owner has control over the domain or subdomain. This is usually accomplished by email.
A DV SSL certificate is the least expensive way to obtain a cert, and most free SSL certificates are of this type. However, it represents the lowest standard of website security. DV certificates are useful for blogs, individual websites, small businesses, or any site with the most basic security needs.
Organization-validated (OV) certificate
Cost: $100–$999 per year
An OV SSL certificate offers a stronger guarantee of the identity of the bearer. In order to obtain an OV certificate, the purchaser must pass nine validation checks.
This is a mid-level business certificate, and the issuing CA guarantees that the organization affiliated with the certificate is valid and in good standing. This is a good approach for businesses not conducting financial or ecommerce transactions through their site.
Extended validation (EV) certificate
Cost: $1,000+ per year
An EV SSL certificate represents the highest level of identity verification, making it most suitable for corporations, financial entities, and ecommerce websites. Sixteen validation checks are involved, including both legal identity and physical location.
The end user sees a green browser bar, indicating the highest level of verification, as well as additional corporate information behind the padlock.
The difference between HTTP and HTTPS
HTTP stands for Hypertext Transfer Protocol. It sends information between a website and its visitors in plain text that anyone can intercept and read. Think of it as sending a postcard through the mail. Anyone who handles the postcard—like mail carriers or sorting facility workers—can read what’s written on it.
HTTPS stands for Hypertext Transfer Protocol Secure. It uses SSL/TLS certificates to create encrypted connections. Any data being transmitted, such as credit card numbers or passwords, is scrambled into ciphertext that only your website and the visitor’s browser can decrypt. Think of it as sending that postcard again, but in a locked briefcase to which only you and the receiver have the key.
HTTPS has become standard now. Modern browsers show a padlock icon for HTTPS sites, giving visitors confidence that your website is legitimate and secure. They will mark HTTP sites as “Not Secure,” which can immediately turn away potential customers.
What to do if your SSL certificate is compromised
Learning that your SSL certificate has been compromised is like finding out someone copied your house key. It’s serious, but there’s a way to fix it:
- Respond immediately. Revoke your compromised certificate immediately through your Certificate Authority (CA). Take down your website temporarily if you suspect active attacks.
- Investigate the breach. Alert your security provider and figure out how the certificate was compromised. Check your server logs for unusual activity and look for signs of unauthorized access or malware, like connection attempts from unusual IP addresses or multiple failed certificate validation attempts.
- Get a new certificate. Request a new SSL certificate from your CA. Generate a new private key (super important—don’t reuse the old one!). Then, install and configure the new certificate on your servers.
- Strengthen your ecommerce security. Consider switching to a more secure type of certificate. Set up automated monitoring to catch future issues faster.
💡 Shopify Protect makes fraud prevention one less thing to worry about. With fraud detection algorithms that flag high-risk orders and chargeback protection that manages the dispute process for a fraudulent transaction, enable Shopify Protect today to keep your business safe.
What if you need to secure multiple domains?
A single SSL certificate secures a single domain name. However, many businesses need a solution that secures multiple domain names or subdomains. For these businesses, the SSL protocol provides two different solutions: a wildcard SSL certificate or a multi-domain SSL certificate. Here’s how they differ:
Wildcard SSL certificate
Some businesses use multiple subdomains (e.g., mail.example.com, shop.example.com) to serve different functions on the same website. For these organizations, the best SSL solution is typically a wildcard SSL certificate. A wildcard SSL certificate secures a website’s primary domain, as well as any associated subdomains, reducing costs and simplifying administration.
Multi-domain SSL certificate
While wildcard SSL certificates help a website owner secure subdomains within a single domain, multi-domain SSL certificates (MDC) can secure multiple domain names at once. Additional domains can be added to a multi-domain cert via “subject alternative names” (SANs) without the need to acquire an additional single-domain SSL certificate. Multi-domain SSL certificates are sometimes known as unified communications certificates (UCC).
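How far a wildcard name reaches, and what a SAN list adds, checked with OpenSSL’s hostname matcher. This is an added example, not part of the article: the certificate, key and names are constructed, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: which hostnames a wildcard SAN and a multi-domain SAN cover.
# Assumes the openssl command-line tool; all names below are constructed.
set -e
WORK=$(mktemp -d)

# Constructed certificate carrying both styles: a wildcard for one domain's
# subdomains plus a second, unrelated domain name.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:*.example.com,DNS:example.net" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null

# Print "match" or "no-match" for a hostname against the certificate.
covers() {   # $1 = hostname
  if openssl x509 -in "$WORK/cert.pem" -noout -checkhost "$1" | grep -q 'does match'; then
    echo match
  else
    echo no-match
  fi
}

# A wildcard covers exactly one label: shop.example.com yes, deep.shop.example.com no.
# example.net is covered only because it is listed as its own SAN entry.
for h in example.com shop.example.com deep.shop.example.com example.net mail.example.net; do
  printf '%-25s %s\n' "$h" "$(covers "$h")"
done
```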
What happens when an SSL certificate expires?
When an SSL certificate expires, it’s like having a trust badge taken away from your business. Here are some of the consequences:
- Scares away visitors. Visitors trying to access your website will see scary warning messages in their browsers. Chrome might show a big red screen saying, “Your connection is not private,” while Firefox warns visitors that the connection is not secure. Most people will quickly hit the back button when they see these warnings.
- Harms SEO capabilities. Search engines like Google don’t like expired SSL certificates either, and they’ll likely drop your website’s ranking in search engine results, since they prioritize secure websites. This means fewer people will find you through online searches.
- Hurts consumer trust. When customers see security warnings, they’ll question whether sharing their credit card information or personal details on your site is safe. Some customers might think twice before returning, even after you fix the certificate.
💡 The good news: Certificate expiration dates are predictable. They’re right there on your SSL certificate. Most certificates last for one year, though some providers offer two-year certificates. The smart move is to renew your certificate at least a few weeks before it expires.
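Reading the expiration date off a certificate and turning the “renew a few weeks early” rule into a check, as an added example that is not part of the article. The two certificates are constructed with different lifetimes, the 30-day lead time is an assumed policy, and it assumes the openssl command-line tool.

```shell
#!/bin/sh
# Added example: read a certificate's validity window and flag it for renewal
# well before the expiration date. Assumes the openssl command-line tool.
set -e
WORK=$(mktemp -d)

# Two constructed certificates: one with 10 days left, one with 90 days left.
for days in 10 90; do
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=example.com" \
    -keyout "$WORK/key$days.pem" -out "$WORK/cert$days.pem" 2>/dev/null
done

# Print the notBefore/notAfter dates stored in the certificate.
validity() { openssl x509 -in "$1" -noout -dates; }

# Exit 0 if the certificate is still valid $2 days from now, 1 if it expires
# (or has already expired) within that window.
valid_for_days() {   # $1 = cert path, $2 = days of lead time
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Renewal policy from the text: act at least a few weeks early (assumed: 30 days).
LEAD=30
for c in "$WORK"/cert*.pem; do
  validity "$c"
  if valid_for_days "$c" "$LEAD"; then
    echo "$c: OK, not expiring within $LEAD days"
  else
    echo "$c: RENEW NOW, expires within $LEAD days"
  fi
done
```

Run the same check from a scheduled job against every certificate you serve and it becomes the automated monitoring the incident-response list above recommends.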
How to get an SSL certificate
Acquiring single- or multi-domain SSL certificates and securing user data on your website can be complex. Here’s how to do it:
- Determine the level of website security you need. Choose between DV, OV, or EV SSL. (If you have multiple domains or subdomains, you may need to add or substitute a wildcard or MDC cert.) Review your organizational needs and budget and choose the appropriate level of identity verification.
- Determine the domains and subdomains to be supported. If you have only one, you may not need to obtain a wildcard certificate.
- Choose a certificate authority/provider. If you have a low-maintenance website or blog, you may just need to work with your web hosting service and obtain a free cert. Multi-domain and EV certs will involve a paid relationship with a certificate authority, in which case, it’s wise to shop around.
- Generate a certificate signing request (CSR). A CSR file contains information about your domain and organization, and it is used by the certificate authority (CA) to generate your SSL certificate. The CSR includes your public key and must be submitted to the CA when applying for the SSL certificate.
- Request a certificate from your chosen SSL provider. This generally involves filling out web forms and making payments.
- Verify ownership and other details. The CA will follow up to verify the information you submitted in your application, at a minimum requiring email verification of domain ownership.
- Obtain and install the certificate. Depending on the CA you choose and your web platform, you will download a ZIP file containing the public key, a private key, and a certificate authority bundle. If you are working with a commercial web host, the administration console for your site will usually include tools for certificate installation; if you are working on your own hardware, follow that environment’s documentation.
- Configure other apps to use the certificate. If you intend to support SSL connections to other server applications (e.g., WordPress, email, etc.), configure them to use your certificate and the TLS protocol.
- Confirm your secure connection is working. Connect to your website and/or other apps and ensure a secure connection. Click on the padlock and review the information displayed in your browser.
- Submit your site(s) to search engines. Your new “https” websites are distinct from your old “http” sites. If your users rely on search engines to find you, you must re-submit your new https web address to get your web pages indexed.
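The key-and-CSR step of the procedure above, followed by the checks worth running before the request leaves your machine. This is an added example, not part of the article; the organization, domain names and file paths are constructed, and it assumes the openssl command-line tool.

```shell
#!/bin/sh
# Added example: generate the private key and CSR, then validate the CSR
# before submitting it to a CA. Assumes the openssl tool; names are constructed.
set -e
WORK=$(mktemp -d)

# Key pair + CSR in one step. The CSR carries the public key and identity
# fields; the private key stays in $WORK/privkey.pem and is never uploaded.
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=example.com" \
  -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
  -keyout "$WORK/privkey.pem" -out "$WORK/request.csr" 2>/dev/null

# 1. The CSR is self-signed with the private key; exit 0 means the
#    signature (and therefore the request) is intact.
csr_signature_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# 2. The public key inside the CSR must be the one derived from our private
#    key, otherwise the certificate the CA issues will not work with that key.
csr_matches_key() {   # $1 = CSR path, $2 = private key path
  [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 3. Show what the CA will see and validate: the subject fields.
csr_subject() { openssl req -in "$1" -noout -subject; }

csr_signature_ok "$WORK/request.csr" && echo "CSR signature OK"
csr_matches_key "$WORK/request.csr" "$WORK/privkey.pem" && echo "CSR public key matches private key"
csr_subject "$WORK/request.csr"
```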
SSL certificate FAQ
What is the cost of an SSL certificate?
The cost of an SSL certificate can range from $50 to $1,000 per year, depending on the type of certificate and level of validation you need. A basic domain-validated (DV) certificate might cost around $50 to $70 annually, while extended validation (EV) certificates, which provide the highest security and verification, can cost upward of $1,000.
Can I get a free SSL certificate?
Yes, you can get a free SSL certificate through services like Let’s Encrypt, which is a non-profit certificate authority trusted by all major browsers. Many web hosting providers also include free SSL certificates as part of their hosting packages, though these are typically basic domain-validated certificates.
Is an SSL certificate necessary?
An SSL certificate is necessary for any website requiring users to enter personal information. Even if your site isn’t handling sensitive data, SSL certificates are highly recommended, because search engines penalize websites without them, and browsers warn users of unsecured websites.
How do I get an SSL certificate?
- Determine the level of security required.
- Determine the domains and subdomains to be supported.
- Choose a certificate authority/provider.
- Request the certificate from the chosen provider.
- Verify domain ownership and other criteria.
- Obtain and install the certificate.
What is the difference between SSL and TLS?
Transport Layer Security (TLS) is the successor to SSL. Although TLS offers some improvements over SSL, the terms are often used interchangeably. Both protocols work in the same way, using encryption to secure data transfer between sender and recipient.
What types of SSL certificates are there?
- Domain-validated (DV) certificate
- Organization-validated (OV) certificate
- Extended-validation (EV) certificate
- Wildcard SSL certificate
- Multi-domain SSL certificate (MDC)