What is an SSL certificate?

As malicious attacks become more widespread, aggressive and advanced, security is becoming more important than ever. While there are hundreds of ways you can increase your site's security, there’s one simple thing everyone should do to get off to a good start – getting an SSL certificate. Server packages such as VPS hosting offer SSL certificates to signify to site users that their data is secure.

So what is an SSL certificate, how does it work, and what are the benefits of being certified?

SSL is short for Secure Sockets Layer and, in practical terms, is a certification that verifies a website and provides a secure connection over the internet – most commonly between a user’s browser and the website they’re visiting. By encrypting that connection, SSL prevents the interception of data during transmission, which keeps data protected and adds even more benefits on top. Websites need SSL certificates to prevent criminals from reading and/or modifying data transferred between two systems, which can include sensitive information such as customer payment data.

If you see SSL referred to as TLS, don’t worry – they’re pretty much the same thing. SSL was the name for the original technology developed back in the 1990s, and since then it’s been replaced by the more advanced TLS protocol. However, the term SSL stuck around, so it’s still industry-standard to refer to modern TLS certificates as SSL certificates. We’ll discuss this in more detail later, but for now, we’ll continue to use the commonly accepted term “SSL” throughout this post.

ⓘ

By the way: All of our Web Hosting packages come with SSL certificates as standard.

What does an SSL certificate do?

As you get a better idea of how SSL works, you’ll understand how much your site can benefit from certification. For starters, an SSL certificate can act as visual confirmation to users that your website is a safe and secure environment. This is especially important if you users are asked to input personal information and payment details.

Similarly, making sure you have an SSL certificate helps to build trust with users, who will immediately recognise your site as legitimate and trustworthy. In fact, 87.5% of websites now employ SSL and HTTPS as their first line of defence.

How does an SSL certificate work?

An SSL certificate works by encrypting your information to ensure unauthorised users can’t get their hands on it. Whether you're exchanging data with a website, servers or between two systems, an SSL ensures that only the intended user can read it. This is especially important for protecting sensitive data such as personal info, addresses, card numbers, or financial data when it's being transmitted.

This is how SSL encryption works in a nutshell:

First, your browser or server tries to connect to a web server that's secured with SSL.
This triggers a request from your browser or server, asking the web server to prove its identity.
In response, the web server sends a copy of its SSL certificate back to your browser or server.
Your browser or server then checks the SSL certificate to see if it's legitimate. If everything checks out, it lets the web server know the site can be trusted.
Once that's done, the web server sends a digitally signed message back to your browser or server, starting an SSL-encrypted session.
From this point on, all the data transmitted between your browser or server is encrypted and protected from prying eyes.

This whole process of exchanging info and verifying things is called an "SSL handshake," and even though it may sound complicated, it happens in a matter of milliseconds. You’ll barely notice it!

What does an SSL certificate show?

You can easily spot websites that use SSL certificates. Their URLs start with "HTTPS" instead of just "HTTP" – that "S" at the end stands for security. Also, you'll see a padlock icon in the URL bar, which is a visual sign that the site is secure.

But what does an SSL contain? When you click on the little padlock, the following is displayed:

The domain name the certificate is issued for.
The individual, company, or device the certificate is issued to.
The Certificate Authority (CA) that issued the certificate, along with its digital signature.
Any subdomains covered by the certificate.
The dates when the certificate was issued and when it expires.
The certificate's public key (the private key is kept secret and secure by the recipient).

What's the difference between SSL vs TLS?

Standing for Transport Layer Security, TLS is a protocol that encrypts data transferred between a web server and user, just like SSL. On the surface of it, there's not really a huge difference between them. They both do the same thing, but TLS is the upgraded, more secure version of SSL and you'll only find the differences when you dive into the really technical details of how they work.

Many providers like us now use TLS encryption because of the security benefits, but it's still industry-standard to refer to them as SSL certificates. Read more in our SSH vs SSL guide.

Is SSL the same as TLS?

People often use "SSL" and "TLS" interchangeably, but they're not exactly the same.

SSL is the older version, and TLS is the newer one and what’s used today. Both of them are cryptographic protocols that were created to ensure communications over computer networks are as secure as possible.

SSL was actually developed by Netscape back in the mid-1990s. It went through various versions as they worked to fix any security issues and make the protocol stronger. Then, the Internet Engineering Task Force (IETF) came up with TLS as an upgrade to SSL 3.0. They released TLS 1.0 in 1999, and it's been evolving since then.

TLS has had a bunch of updates over the years, and the latest version is TLS 1.3, which came out in 2018. Each new version has improved security features and gotten rid of outdated encryption methods that were used in SSL. So, even though people still say "SSL" when talking about secure web connections, the technology we use today is TLS.

Types of SSL certificates

There’s actually more than one type of SSL certificate, and each one has a different level of validation. Let’s take a look at the main types of SSL certificates below:

1. Wildcard SSL certificates

A wildcard SSL certificate lets you secure a base domain and unlimited subdomains. This is perfect for websites with lots of subdomains (e.g. support.yourdomain.com, shop.yourdomain.com or blog.yourdomain.com), as buying a separate SSL for each subdomain could get very expensive.

2. Domain Validated (DV) SSL certificates

Domain Validated SSL certificates are the easiest to obtain and offer the least amount of validation and encryption. They’re suitable for informational websites like blogs but not any sites that require users to input sensitive information, such as ecommerce websites. However, the upside is that they’re more affordable and have a simple one-step validation process, in which the website owner must prove domain ownership by responding to an email or phone call.

3. Extended Validation (EV) SSL certificates

At the other end of the scale, we have Extended Validation SSL certificates – the most secure and trustworthy (and most expensive) option. These SSL are authenticated with 18 validation checks and require extensive vetting of your organisation. Ecommerce sites, global banks and financial services, and any other website handling a large volume of sensitive data should opt for this enhanced protection.

4. Organisation Validated (OV) SSL certificates

An in-between option is to choose an Organisation Validated SSL certificate, which is authenticated with nine validation checks. This is the second most expensive type of SSL certificate after EV SSLs, and is commonly used by mid-level business websites and other kinds of public-facing websites that need to encrypt sensitive information.

5. Multi-Domain SSL certificates (MDC)

Multi-Domain SSL certificates can secure multiple domains and sub-domains, including the combination of unique domains and subdomains with different TLDs (top-level domains). However, these SSLs don’t support subdomains by default, so you need to specify the names you want to protect when obtaining your certificate.

6. Unified Communications Certificates (UCC)

Like Multi-Domain SSL certificates, UCCs protect multiple domains and subdomains. They were originally designed specifically for Microsoft Exchange and Office Communications servers (although they can be used more widely now), so they’re a great choice if you use these servers.

What is a self-signed SSL certificate?

Self-Signed SSL Certificate	CA-Signed SSL Certificate
Created and signed by the person who will use it No third-party validation Better for testing purposes and controlled environments Requires technical knowledge Only works with one device No verification process	Created and signed by third-party Certificate Authority (CA) Provides third-party validation Better for publicly accessible websites Everything handled by CA Immediately recognised by all devices and browsers Multiple domains and sub-domains can be verified and secured

There’s one more type of SSL certificate we’d like to discuss – self-signed SSL certificates.

A self-signed SSL certificate is a type of digital certificate that isn't issued by an external Certificate Authority (CA). Instead, it's created and signed by the entity or person who will use it. Unlike certificates from trusted CAs – which confirm the identity of the certificate holder and are recognised by devices and browsers without any extra steps – self-signed certificates are made in-house using the same cryptographic techniques. However, they lack the third-party validation that CAs provide.

While self-signed certificates can effectively encrypt data between a server and a client, they aren't typically the best choice for websites that are accessible to the public. You need some serious technical know-how, but also, they don't necessarily provide assurance of the server's identity to end-users. Browsers often display warnings to users about potential security risks when they come across such certificates. On the other hand, self-signed certificates may be acceptable in controlled environments where trust has already been established, like internal networks, development environments, or applications that require encryption without external validation.

How do I know if I’m using SSL?

The way a website indicates the presence of an SSL certificate differs across web browsers.

An SSL certificate in Google Chrome

If you’re visiting a website in Google Chrome, the main indicator of a valid SSL certificate is the use of ‘https://’ at the beginning of the URL, rather than just ‘http://’.

In terms of a visual indicator, you’ll typically see a padlock icon in the address bar before the URL of the site:

But, Google did announce in 2021 that Chrome M93 would include an experiment that replaces the lock icon in the address bar with a more neutral 'dropdown'-style arrow to improve access to other security information.

Source: Chromium Blog

An SSL certificate in Microsoft Edge

When visiting your site in Microsoft Edge, it'll look quite similar to what we're used to in Chrome (pre-M93 experiment). If the connection is secure (i.e. has a valid SSL certificate), you'll see a lock icon in the URL bar:

If a site doesn't have an SSL certificate, the address bar will indicate an insecure connection with a triangle warning icon:

Source: Microsoft Support

An SSL certificate in Safari

When visiting a secure site on Safari, it’ll have a padlock next to the URL just like previous examples have shown.

When you click on the padlock, a separate pop-up window will appear which gives you detailed information on the encryption used.

Benefits of SSL certificates

There are multiple benefits to using SSL certificates, so let us run through a few of the main ones:

1. Protect data

We’ve already mentioned it, but the main benefit of SSL is protecting data. By encrypting the data being transferred to and from the site, it protects it from being read by anyone malicious who tries to access it. Even if there’s a data breach and some of the data is intercepted, it will make it almost impossible to be understood due to the level of encryption it involves. Your visitors can feel safe in the knowledge that their data is in good hands.

2. Reduce the risk of phishing

Those visual indicators we mentioned above are also key to preventing phishing. If you’re unfamiliar, phishing websites are fraudulent sites made by those who aim to steal user data. They’re often very convincing replicas of legitimate websites, and try to trick visitors into entering their personal information. A valid SSL certificate on your website is an obvious way of showing that you’re the real deal, which can help your visitors avoid phishing attacks.

3. Increase your search engine ranking

How highly a website ranks in search engine results is key to its success. In 2014, Google announced that it would start including SSL and HTTPS as a factor in its search rankings. With so many websites using SSL, the reality is that without a valid certificate, a website is very unlikely to rank highly (or at all). Google visibly supports and endorses the use of SSL certificates to secure your website.

4. Secure your customer payments

The encryption we talked about in point two also obviously applies to payment data. When your customers are sending their card details to your site, having HTTPS in the address bar shows that you’re encrypting and protecting those details. In fact, PCI (Payment Cards Industry) regulations require at least 128-bit encryption on any payment data being transmitted, so if you’re taking payments from customers, having an SSL certificate is the bare minimum.

5. Showing your users you can be trusted

We've mentioned it already but we'll say it again, above all of those technical points, a huge benefit of having an SSL certificate is that your customers know they can trust you.

Without one, visitors trying to navigate to your HTTP-only site using Chrome will be shown an intimidating screen with a warning symbol telling them their connection isn't secure. It’s like having a big warning barrier outside a shop, warning those trying to enter that they might have their wallet stolen if they go in. Visitors to the site then have to click on a very small advance button to actually reach the unsecured website.

How to get an SSL certificate

Getting SSL certificate verification for your domain is pretty simple. General practice is to apply through an independent certificate authority (CA). Because CAs are third parties, their digital signature is considered trustworthy. You can get a self-signed SSL certificate if you have the technical know-how, but this won’t provide enough assurance for a publicly accessible website (as explained earlier).

Once you’ve received a certificate from the CA, you should apply it to your website through your server. Usually, your website host will handle the activation, after which users will be able to visit your site securely.

Otherwise, many hosting and server providers – like us! – include SSLs in their packages, so all of your sites would be covered. Even our most affordable Web Hosting packages come with a free SSL certificate, so your site is automatically protected without you having to do anything.

Choosing a hosting package that comes with a free SSL certificate (or multiple free SSL certificates) is a great way to keep your hosting costs down and make it even easier to create a website. If you choose to buy an SSL certificate separately, costs can vary widely depending on the provider, whereas you know exactly what you’re getting within your budget with one of our hosting packages.

How much does an SSL certificate cost?

When debating whether to get an SSL certificate, the benefits definitely outweigh the drawbacks. But the most common obstacle that domain owners come across is finding the right SSL certificate for their website.

It's possible to get an SSL certificate for free, but only for up to 90 days, so it's important that you continue updating SSL certificate validity after each period expires. Free certificates offer less complex security features than paid versions and are usually suitable for smaller sites and blogs, rather than businesses.

Alternatively, purchasing a premium SSL certificate will generally cost between £25-50 per year, with prices varying depending on the level of service you require. There are packages that far exceed this cost, while at the other end of the spectrum some basic packages can be bought for as low as £6 per year.

A better way to get a free SSL certificate is to choose a hosting package with one included. Depending on the package you choose, you could either get fixed-term free SSL certificates or even free lifetime SSL certificates, which means you won’t have to worry about finding the best SSL certificate deals ever again!

How to update an SSL certificate

Once your SSL certificate expires, your website can become vulnerable to hackers. Fortunately, you can begin the process of updating SSL certificate validity up to 90 days before the expiration date:

First, generate a new certificate signing request (CSR). A CSR is a portion of encoded text that identifies your company name and domain. You’re required to present this to your SSL provider upon renewal.
Once you've successfully completed your CSR, you can log in to the account you created when you initially applied for an SSL certificate and choose whether you want a one-year or two-year certification, then confirm your order.
Once approved, your website will continue to be protected by your SSL certificate.

Looking for cheap web hosting with an SSL certificate? At Fasthosts, we include them for free for the first year with all of our Web Hosting packages. To find out more about what an SSL certificate is and what it can do for you, contact our expert sales team today.