
What is an SSL certificate, why do you need one and how to choose one


An SSL security certificate is one of the mandatory conditions for effective promotion of a site on the web and for the trust of users. It is a sign of the safety and reliability of a web resource, to which users can hand over their data with greater confidence.

In 2020, Google announced that having an SSL certificate will significantly affect rankings. While earlier only some webmasters used certificates, it is now difficult to find a site that does not have one.

After you've purchased a domain and hosting, uploaded your site, and set it up, the first thing you need to do is purchase an SSL certificate or create a free one.



What is an SSL certificate?

An SSL certificate is a secure data encryption protocol. It protects information exchanged between users and the site from being intercepted. This covers all data that passes through the site's traffic, but the most important thing is to protect personal passwords and bank card data (expiry date, CVV). Therefore, a security certificate matters most for the banking sector, online stores and other industries where financial transactions are carried out. But even where there are only accounts (forums, social networks, sites with registration), it is important that logins and passwords do not fall into the hands of outsiders.

These outsiders can be not only criminals, but also employees who maintain the network, Wi-Fi or server. There are many intermediate nodes at which data can be intercepted. Therefore, protecting the data plays a huge role.

The certificate looks like a file containing code; it is something like a digital signature of the site. It is used to confirm that the client is interacting with the specified site, and not with a hacker who may be responding in place of the server.

But the server cannot confirm by itself that the site really exists and is safe. You wouldn't believe the first person you meet on the street who says his name is George Washington, would you? To identify a person, you ask for a passport issued by a special institution, the passport office.

An SSL certificate is a website passport issued by a certificate authority.


How an SSL certificate works

To better understand how SSL works, you need to know what http is and how it differs from https.

When the Internet first appeared, http (the hypertext transfer protocol) was used to exchange information between the site visitor and the server. The principle is as follows: the client sends a request, the server processes it and returns a response. Data is still transferred this way, but a new protocol was introduced to protect it: https, where the last letter stands for "secure".

This is not a new transfer method, but simply http enhanced with the SSL/TLS encryption protocols. These technologies encrypt and decrypt data using cryptographic keys. SSL is the earlier encryption protocol, and TLS is its successor.

How does secure connection technology work? In essence, this is a clever way to establish a closed connection over an open channel.

At the first contact of the user's browser and the site (server), the two parties first exchange a "handshake":

  1. The client sends a hello message.

  2. The server responds and sends the site's security certificate.

  3. The browser verifies the certificate through the root certificate database built into the system or the browser.

After that, the two parties jointly generate a secret key with the help of a public key (on the client's side) and a private key (on the server's side), which will be used for encryption.

This is a rather simplified diagram to give a general understanding of the process. A complex and multi-step technology is used to generate the secret key, otherwise anyone could crack it.

How to check the SSL certificate on the site

The presence or absence of a certificate is very easy to see. If the certificate is present, a closed padlock and https will be visible in the address bar next to the domain name. If the certificate is missing, the letters https will be crossed out in red, and next to the domain you will see an exclamation mark in a triangle or a crossed-out lock. The icons may differ depending on the browser. By clicking on the icon to the left of the domain, you can see for sure whether the site has a certificate or not.

But how do you know how reliable the certificate is and whether you can trust the site that uses it?

For this, you can use online services:

The services are in English, but they can be translated using the built-in Google Chrome translator. They do a deep analysis of the certificate, check the security level, validity period and other parameters.

We used the SSL Shopper service to check two domains: the Cityhost site and a resource that works over the http protocol. As you can see, in the second case the service complains that the certificate expired long ago.
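
The validity period and the names a certificate covers can also be checked with a short script. The following is an added example, not part of the original article or of Cityhost's tooling; the function names are chosen here, `SAMPLE_CERT` is a constructed sample, and the wildcard matching goes slightly beyond what the text above describes.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_certificate(host, port=443, timeout=5.0):
    """Handshake with the server and return its verified certificate as a dict."""
    # The default context checks the chain against the system root store and
    # the host name; a failed check raises ssl.SSLCertVerificationError.
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter date (negative if expired)."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days


def covered_names(cert):
    """DNS names the certificate is valid for (its subjectAltName entries)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def covers(cert, hostname):
    """True if hostname matches a listed name; '*.' stands for exactly one label."""
    hostname = hostname.lower().rstrip(".")
    for name in (n.lower() for n in covered_names(cert)):
        if name == hostname:
            return True
        if name.startswith("*.") and hostname.partition(".")[2] == name[2:]:
            return True
    return False


# Constructed sample in the shape getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

if __name__ == "__main__":
    print(days_remaining(SAMPLE_CERT), covers(SAMPLE_CERT, "shop.example.com"))
```

For a live site, pass the result of `fetch_certificate("your-domain")` instead of `SAMPLE_CERT`. Note that the wildcard entry alone would not cover the bare domain, which is why the sample lists both names.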

Types of SSL certificates

Certificates may differ by a number of criteria.

By type of check

  1. With Domain Validation (DV). The simplest and most common type of certificate, but at the same time it has the least protection. You don't need to go through serious verification procedures to get it, it's enough to confirm the right to the domain. Installs very quickly. Recommended for installation on small sites without user data entry or with the presence of a feedback form, but without conducting serious financial transactions through the site.

  2. With company verification (OV). In this case, not only the domain will be checked, but also the registration of the owner, which confirms the right to engage in business activities. It will be necessary to provide documents confirming the registration of the sole proprietor (FOP) with a field of activity that corresponds to the topic of the site. This SSL certificate can take up to three days to obtain, but it is more reliable and allows you to make online purchases and store secure data in user accounts.

  3. With Extended Validation (EV). Such a certificate can be obtained only by a legal entity - an enterprise or a company. You will need to provide all registration documents and wait up to two weeks. It is used for large projects with a financial component - websites of banks, marketplaces, transport companies.

By type of distribution

  1. Single-domain applies to only one domain or subdomain.

  2. A multi-domain SAN/UCC certificate is valid for several domains of the same company.

  3. Wildcard (WC) protects a domain and its subdomains, both existing and those that will be created in the future.

Additional criteria

  1. Code Signing SSL (developer certificate) — for companies that develop and sell software.

  2. SGC certificate with forced high level of encryption.

  3. IDN certificates with support for Cyrillic domains.

All varieties are easily combined with each other - for example, it can be a multi-domain certificate with organization verification and a high level of data encryption.

How to buy an SSL certificate

Trust certificates are issued by many certification authorities. Among them, we can highlight Sectigo Limited, DigiCert Inc, Symantec, GeoTrust, RapidSSL, Thawte and others. But it is not necessary to contact them directly. Most providers offer a whole set of certificates to choose from for hosting tariffs. This option is even better because the provider has enough experience to find a reliable certification authority and offer the best solution.

Factors that shape the cost of the certificate:

  1. The amount of compensation that the certification center guarantees to pay in the event of a data leak

  2. Confirmation method (DV, OV, EV)

  3. Distribution (to one domain/subdomain or several)

  4. Level of reliability (encryption)

Depending on these factors, the price of an SSL certificate can vary from UAH 350 per year to UAH 12,000 or more. The higher the price, the more reliable the certificate and the higher the level of responsibility of the certification authority for data protection. The cheapest certificates are those with domain verification. They are followed by certificates with company verification, and the most expensive are certificates with extended verification.

Cityhost also provides an opportunity to purchase SSL certificates of various security levels. They can be installed both for a domain purchased from us and used for domains registered with a third-party company.

Free certificate - is it worth taking?

Any site owner can get an SSL certificate for free. The most popular center for issuing such certificates is Let's Encrypt. This is a non-profit organization whose goal is to make the Internet safer. It exists at the expense of patrons, mainly manufacturers of software and other digital products.

Free certificates have significant advantages: there is no need to pay for them and they are quickly installed automatically without the participation of the certification authority. But they have limited capabilities.

Cons of free certificates:

  1. They do not guarantee the protection of financial data, there is no payment of compensation for their leakage.

  2. Minimum level of protection. This is the simplest certificate with basic domain validation functionality.

  3. You need to renew it often (usually every 3 months). However, hosting providers offer an auto-renewal feature that simplifies the process.

  4. No technical support.

But despite all these shortcomings, free certificates are installed on millions of sites. Why? Because this is the best option for small business-card sites, blogs and other resources that do not involve financial transactions or entering confidential data. But if you have an online store or a site where visitors have accounts or fill out registration forms, be sure to get a paid certificate.

The Cityhost hosting control panel also has the option to install a free Let's Encrypt SSL certificate in one click. To do this, you need to click on the Hosting 2.0 tab in the control panel, and then go to the "Management" section (the button opposite the domain name). In the window, you need to click on the SSL tab, where you must first enable Free SSL, and then "Redirect to https". We explain below why the redirect is needed.

How to install an SSL certificate and redirect to https

If you purchased or ordered a free certificate from your hosting provider, it will be attached to the domain automatically. But if it was purchased from a certification center or a special service, it must be installed. This is done in the SSL section, the path to which is described above. This time you will need to click the "Install" button opposite the "Arbitrary SSL certificate" column.

You need to enter the text of the certificate and, separately, its private key, which also looks like a block of code.

After installing the certificate, the http version does not disappear, it continues to work in parallel with https. Therefore, it is necessary to make a redirection so that the client always gets to the protected channel. That's why we include the "Redirect to https" option. It must always be activated, regardless of where the certificate was obtained and how much it costs.

There are other options for redirecting: by creating a redirect in .htaccess or special plugins if you use a CMS.
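
Whichever redirect method is used, it is worth confirming that the plain-http version really does hand every request over to https. The following is an added example, not part of the original article; the function names and the default paths in `audit` are hypothetical and should be replaced with pages of your own site.

```python
import http.client
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}


def judge(status, location):
    """Classify the reply the plain-http version of a site gave to one request."""
    if status not in PERMANENT | TEMPORARY:
        return "served over http"             # page is reachable unencrypted
    # A relative Location such as "/login" has no scheme and stays on http.
    if urlsplit(location or "").scheme != "https":
        return "redirect stays on http"
    return "ok" if status in PERMANENT else "temporary redirect to https"


def probe(host, path="/", timeout=5.0):
    """GET http://host/path without following redirects and judge the reply."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        reply = conn.getresponse()
        return judge(reply.status, reply.getheader("Location"))
    finally:
        conn.close()


def audit(host, paths=("/", "/login", "/cart")):
    """Check several paths, since a redirect rule may cover only the home page."""
    return {path: probe(host, path) for path in paths}
```

Every path reported by `audit` should come back as "ok"; any other verdict means some page is still reachable over the unprotected channel.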

Don't forget about search engines. Make sure that the site address is listed with https in Google's analytics and promotion services, otherwise it will not rank well.

Which certificate to choose, whether to buy or order a free one - it all depends on the specifics of the project. The main thing is that the SSL certificate must be on the site and updated on time.


Author: Bohdana Haivoronska

Journalist (since 2003), IT copywriter (since 2013), content marketer at Specializes in articles about technology, creation and promotion of sites.