Everything you need to know about SSL certificates: how they work, the seven types, how to choose the right one, pricing in 2026, the new 200-day validity rules, and how to get your site secured correctly from day one.
What is an SSL Certificate?
An SSL certificate is a digital file installed on a web server that enables encrypted communication between the server and a visitor’s browser. It authenticates the server’s identity, activates HTTPS in the URL, and drives the browser’s secure-connection indicator, which tells visitors that their data cannot be read or altered by anyone sitting between them and the server.
The name SSL stands for Secure Sockets Layer, a protocol developed by Netscape in the 1990s. The modern standard is TLS (Transport Security Layer reversed: Transport Layer Security), its significantly stronger successor; every version of SSL proper is deprecated and disabled in current browsers. The term “SSL” persisted through industry habit. When you purchase or install an “SSL certificate” today, you are deploying TLS. The certificate itself is an X.509 certificate either way: the protocol name changed, the file format did not.
A valid SSL certificate is not a single piece of information. It is a structured file containing the domain name it was issued for, the name of the Certificate Authority (CA) that issued it, a digital signature from the CA, the certificate’s validity period, the server’s public key, and one or more Subject Alternative Names (SANs) listing every domain the certificate covers.
Browsers maintain a built-in list of trusted Certificate Authorities. When your browser connects to a site over HTTPS, it checks that the site’s certificate chains to a CA on that trust list, that the certificate is within its validity period, and that the hostname being visited appears in the certificate’s SAN list. If every check passes, the connection proceeds. If any fails, the browser displays a warning page.
How SSL Certificates Work
SSL certificates secure data through a process called the TLS handshake. This happens invisibly in milliseconds every time a browser connects to an HTTPS site. Understanding it removes the mystery from how certificates provide protection.
The handshake has six core steps:
1. The browser sends a ClientHello listing the TLS versions and cipher suites it supports, a random value and, in TLS 1.3, an ephemeral key share.
2. The server answers with a ServerHello selecting the version and cipher suite and supplying its own random value and key share.
3. The server sends its certificate chain (the leaf certificate plus intermediates). The browser checks that the chain leads to a trusted root, that the certificate is within its validity period, and that the hostname matches a SAN.
4. Key exchange: both sides combine their Diffie-Hellman key shares into a shared secret. The server signs the handshake with the private key that matches the certificate, proving that the key share came from the certificate holder.
5. Both sides derive the symmetric session keys from the shared secret and exchange Finished messages that authenticate the whole handshake transcript.
6. Application data flows, encrypted with the session keys.
The critical security property is in Step 4: the server’s private key never leaves the server, and it is used to sign, not to decrypt. In TLS 1.3 (and the ECDHE cipher suites of TLS 1.2) the session keys come from an ephemeral Diffie-Hellman exchange, so an attacker who records the handshake cannot recover the session keys even if the private key is stolen later; this is forward secrecy. The older RSA key exchange, in which the browser encrypts a pre-master secret to the server’s public key, is still seen in TLS 1.2 deployments but lacks this property and was removed from TLS 1.3.
From Step 6 onward, all data is encrypted using symmetric encryption (typically AES-GCM or ChaCha20-Poly1305) with the shared session keys. Symmetric encryption is far faster than public-key operations and is what protects the actual page content, form submissions, and payment data throughout the browsing session.
TLS 1.3 simplified this handshake. It removed the legacy options (RSA key exchange, static Diffie-Hellman, CBC-mode and RC4 ciphers, MD5 and SHA-1 signatures), leaves only forward-secret ephemeral Diffie-Hellman key exchange, and completes in a single round trip (zero for resumed sessions that use 0-RTT, at the cost of that early data being replayable). The result is both more secure and faster to connect than TLS 1.2.
Types of SSL Certificates by Validation Level
Every SSL certificate uses identical encryption technology. The difference between certificate types is not in how strong the encryption is, but in how thoroughly the Certificate Authority verified the identity of the person or organization requesting the certificate. There are three validation levels.
All three validation levels encrypt identically: the symmetric cipher (for example AES-256-GCM) is negotiated in the handshake from the server and browser configuration, and the certificate’s public key is the same kind (typically RSA 2048-bit or ECDSA P-256) whatever the validation level. A $0 DV certificate and a $400 EV certificate therefore protect data in transit identically. The validation level determines how much information about the certificate holder a browser can verify, not the strength of the encryption protecting the data.
DV Certificate: when it is appropriate
DV certificates are appropriate for any website where encryption is the goal rather than identity verification. Blogs, portfolios, informational sites, development environments, and internal tools are all appropriate uses. They are the fastest to obtain and the most widely deployed certificate type in 2026.
OV Certificate: when it is appropriate
OV certificates are appropriate for business websites, customer portals, SaaS platforms, and any site where visitors benefit from knowing the verified organization behind the domain. The certificate contains the organization name, locality and country, which anyone can inspect in the browser’s certificate viewer. This is meaningful for business-to-business relationships and enterprise procurement processes.
EV Certificate: when it is appropriate
EV certificates are used by banks, regulated financial institutions, legal firms, healthcare providers, and large e-commerce platforms where the highest level of identity assurance serves compliance or institutional trust requirements. The verification process is the most thorough available from a public CA. Note that since 2019 no major browser shows the organization name in the address bar for EV sites; the extra identity information is visible only in the certificate viewer, so its value lies in audit and procurement contexts rather than in visitor-facing trust cues.
Types of SSL Certificates by Domain Coverage
Beyond validation level, certificates are also categorized by how many domains and subdomains they cover under a single certificate file. A single-domain certificate covers one hostname (usually with the www variant as a second SAN), a wildcard covers one level of subdomains, and a multi-domain (SAN) certificate lists several distinct hostnames.
Wildcard certificates cover first-level subdomains only. A wildcard for *.example.com covers blog.example.com and shop.example.com, but not secure.login.example.com. That deeper subdomain requires a separate certificate or an explicit SAN entry. Nor does *.example.com match the bare example.com; most CAs add the apex as a second SAN, but check the SAN list rather than assuming.
Why Your Website Needs an SSL Certificate
An SSL certificate stopped being optional in 2018 when Google Chrome began flagging all HTTP sites as “Not Secure” in the address bar. The question in 2026 is not whether to have SSL, but which type is right for your site.
1. Data encryption
Without SSL, all data between a browser and your server travels in plain text. Anyone on the same network, using packet interception tools, can read form submissions, login credentials, session tokens, and any other data in transit. SSL makes intercepted data unreadable by encrypting it with keys that only the session participants hold.
2. Browser trust signals
Every major browser (Chrome, Firefox, Safari, Edge) displays a “Not Secure” label on HTTP sites. Chrome holds over 65% of the global browser market. A “Not Secure” warning shown before your content has loaded is functionally an abandon signal. Research from Giant Creates (2024) found that 85% of online users leave websites displaying that warning. SSL replaces the warning with the browser’s secure-connection indicator (Chrome swapped the padlock for a neutral icon in 2023, but the “Not Secure” label for HTTP remains), eliminating the abandon trigger before it fires.
3. Google Search rankings
Google confirmed HTTPS as a ranking signal in 2014 and has strengthened its enforcement since. With over 89% of pages loaded in Chrome now using HTTPS (Google Transparency Report, 2025), your HTTP site competes against a majority of secure competitors. The ranking penalty for HTTP is compounded by the higher bounce rates triggered by browser warnings, which Google reads as negative engagement signals.
4. Legal and regulatory compliance
PCI DSS requires HTTPS encryption for any website that handles card payment data. GDPR and the UK GDPR require appropriate technical measures to protect personal data in transit, with SSL being the baseline expected by supervisory authorities. The EU NIS2 Directive, which began enforcement in 2024, includes security testing and encryption requirements for organizations in essential and important sectors. Non-compliance with PCI DSS can result in the loss of card processing rights. GDPR fines can reach 4% of global annual turnover.
5. Modern web features require HTTPS
HTTP/2 and HTTP/3, which deliver measurably faster page loads, both require HTTPS in practice: browsers only speak HTTP/2 over TLS, and HTTP/3 runs on QUIC, which has TLS 1.3 built in. Browser features including geolocation, camera access, push notifications, service workers, and the Payment Request API all require a secure context (HTTPS). An HTTP site cannot access these features regardless of its technical implementation.
SSL Certificate Validity in 2026: The Major Changes
The CA/Browser Forum, the standards body that governs SSL certificate issuance, approved Ballot SC-081v3 in April 2025. This vote set in motion the most significant change to SSL certificate lifetimes in the industry’s history.
The change was approved unanimously by Apple, Google, Mozilla, and Microsoft. DigiCert, one of the largest certificate authorities, began enforcing a 199-day limit as early as February 24, 2026, ahead of the official mandate.
The driving argument for shorter lifetimes is security exposure. A compromised private key from a certificate that is valid for 398 days represents up to 13 months of potential risk before the certificate naturally expires, and revocation checking in browsers is unreliable enough that expiry is the only limit that can be counted on. The ballot’s schedule is: a maximum lifetime of 200 days from March 15, 2026, 100 days from March 15, 2027, and 47 days from March 15, 2029. At 200 days the window is cut roughly in half. At 47 days the exposure window becomes narrow enough that automation becomes essential rather than optional.
Alongside certificate validity, the same ballot also reduces how long domain validation results can be reused: 200 days from March 2026, 100 days from March 2027, and 10 days from March 2029. Re-confirming domain control every 10 days makes manual certificate management at scale genuinely impractical.
Free certificates from Let’s Encrypt have always been 90 days and are automatically renewed by the ACME protocol when configured correctly. Let’s Encrypt has announced plans to introduce 45-day default certificates by early 2028, ahead of the 47-day CA/Browser Forum target.
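The schedule above is easy to get wrong by hand, so here is a small renewal planner, added as an example and not code from the original page or from any CA. It parses the two lines that `openssl x509 -noout -dates -in cert.pem` prints, checks the lifetime against the cap in force on the issue date, and decides whether renewal is due. The sample dates are constructed for illustration, and the renewal rule (renew when a third of the lifetime remains, or 30 days out, whichever comes first) is this example’s own choice, modelled on the Let’s Encrypt recommendation rather than any CA/Browser Forum requirement.

```python
"""Renewal planning under the CA/Browser Forum SC-081 lifetime schedule."""
from datetime import date, datetime, timedelta, timezone

# Maximum leaf-certificate lifetime by issue date under Ballot SC-081v3.
# Before 2026-03-15 the previous 398-day cap applies.
LIFETIME_CAPS = (
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date.min, 398),
)

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "Mar 20 00:00:00 2026 GMT"


def max_lifetime_days(issued_on_iso: str) -> int:
    """Longest validity a publicly trusted certificate may carry if issued on this date."""
    issued_on = date.fromisoformat(issued_on_iso)
    for start, days in LIFETIME_CAPS:
        if issued_on >= start:
            return days
    raise ValueError(issued_on_iso)  # unreachable: date.min always matches


def parse_openssl_dates(text: str):
    """Return (notBefore, notAfter) as aware UTC datetimes from `openssl x509 -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("notBefore", "notAfter"):
            stamp = datetime.strptime(value.strip(), OPENSSL_DATE)
            found[key.strip()] = stamp.replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def renewal_plan(dates_output: str, today_iso: str) -> dict:
    """Summarise lifetime, remaining time, cap compliance and whether to renew now.

    Renewal policy (this example's own): renew once a third of the lifetime
    remains, or 30 days before expiry, whichever comes first.
    """
    not_before, not_after = parse_openssl_dates(dates_output)
    today = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    lifetime = not_after - not_before
    remaining = not_after - today
    cap = max_lifetime_days(not_before.date().isoformat())
    renew_at = not_after - max(lifetime / 3, timedelta(days=30))
    return {
        "lifetime_days": lifetime.days,
        "remaining_days": remaining.days,
        "cap_days": cap,
        "exceeds_cap": lifetime.days > cap,   # browsers reject such certificates
        "renew_now": today >= renew_at,
        "expired": remaining <= timedelta(0),
    }


# Constructed sample output, not from a real certificate: a 200-day
# certificate issued just after the first SC-081 step took effect.
SAMPLE_DATES = """notBefore=Mar 20 00:00:00 2026 GMT
notAfter=Oct  6 00:00:00 2026 GMT
"""

if __name__ == "__main__":
    print(renewal_plan(SAMPLE_DATES, "2026-08-01"))
```

Feed it the real `openssl x509 -noout -dates` output from each installed certificate and alert on `renew_now`; a certificate that reports `exceeds_cap` was issued outside the rules and will be refused by browsers regardless of its expiry date.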
Free vs Paid SSL Certificates
Free SSL certificates from Let’s Encrypt and certificate authorities such as ZeroSSL give you the same encryption as paid certificates: the cipher is negotiated by the server and browser, not set by the certificate, and the key types are the same. The encryption is not weaker because it costs nothing. The differences lie in validation level, warranty, support, and management tooling.
| Feature | Free SSL (Let’s Encrypt / ZeroSSL) | Paid SSL (DV) | Paid SSL (OV / EV) |
|---|---|---|---|
| Encryption strength | Identical | Identical | Identical |
| Validation level | Domain only (DV) | Domain only (DV) | Organization or Extended |
| Validity period | 90 days | Up to 200 days (2026) | Up to 200 days (2026) |
| Auto-renewal | Yes (ACME) | Varies by host | Varies by provider |
| Warranty | None | $10,000 to $250,000 | Up to $1.75 million |
| Customer support | Community only | Email / ticket | Priority / phone |
| Organization identity in cert | No | No | Yes |
| Best for | Blogs, personal sites, dev environments | Small business, informational sites | Finance, legal, enterprise e-commerce |
The warranty is a notable practical difference. It typically insures relying parties against loss caused by the CA mis-issuing a certificate (for example, issuing to a party that did not control the domain), up to the stated amount; it does not cover a compromise of your own server or private key, and claims are rare. Treat it as a procurement checkbox rather than a security control. Free certificates carry no warranty.
For most personal and small business websites, a free DV certificate from Let’s Encrypt is technically sufficient, and in encryption terms it is just as sufficient for a payment page. The case for a paid OV or EV certificate is identity, not encryption: it is the appropriate choice when you serve enterprise customers who inspect certificate details as part of their due diligence, or when your procurement or audit process asks for a verified organization name in the certificate.
SSL Certificate Pricing in 2026
SSL certificate prices in 2026 range from free to over $3,000 per year, depending on the validation level, the number of domains covered, the Certificate Authority, and whether you buy through a reseller or directly from the CA. Resellers consistently offer lower prices than CAs for identical products because their volume discounts are passed to the buyer.
Domain Validated (DV)
- ✓Free: Let’s Encrypt, ZeroSSL, Cloudflare, hosting-bundled
- ✓Paid DV: Sectigo, Comodo, RapidSSL from $5 to $50/year
- ✓Issuance in minutes
- ✓Suitable for most websites
Wildcard
- ✓Covers all first-level subdomains
- ✓Cost-effective at 3+ subdomains
- ✓Available as DV or OV validation
- ✓Single renewal for all subdomains
Extended Validation (EV)
- ✓Full business identity verification
- ✓Highest warranty coverage available
- ✓3 to 7 business day issuance
- ✓Requested by some procurement and compliance reviews
Multi-domain (SAN) certificates range from $100 to $400 per year and typically include three to five SANs, with additional domains purchasable at an incremental cost. Multi-domain wildcard certificates cover multiple domains and all their subdomains in one certificate and range from $200 to $700 per year depending on the CA and number of included domains.
How to Choose the Right SSL Certificate
The decision has two dimensions: validation level and domain coverage. Answer these questions in order:
- ✓Do you process payments or handle regulated personal data? If yes, your obligation is properly configured TLS on every page that touches that data; PCI DSS and GDPR do not mandate a validation level. Choose OV where customers or auditors want a verified organization name in the certificate, and consider EV in finance and healthcare.
- ✓Do you have multiple subdomains? Three or more subdomains make a wildcard certificate more cost-effective and simpler to manage than individual certificates.
- ✓Do you manage multiple separate domains? A multi-domain (SAN) certificate reduces management overhead and total cost compared to individual certificates for each domain.
- ✓Is this a personal site, blog, or dev environment? A free DV certificate from Let’s Encrypt provides full encryption and satisfies all browser and SEO requirements.
- ✓Does your compliance framework specify a certificate type? Check your relevant standard (PCI DSS, SOC 2, ISO 27001) before choosing. None of them mandates OV or EV (they require correctly configured TLS with a trusted certificate), but enterprise procurement sometimes requires OV or EV certificates explicitly.
- ✓Is automated renewal supported in your environment? With 200-day maximums in 2026 and 47-day ceilings arriving by 2029, automated renewal is no longer a luxury but a genuine operational requirement for any site that cannot afford downtime from an expired certificate.
How to Get an SSL Certificate
Getting an SSL certificate from a CA involves five steps: generating a CSR, submitting it, completing domain validation, downloading the certificate files, and installing them on your server.
Generate a Certificate Signing Request (CSR)
A CSR is a block of PEM-encoded text generated on your server containing the domain name, optional organization details, and your server’s public key, signed with the matching private key. Generating the CSR usually generates the private key at the same time; the key stays on your server and is never sent to the CA. List every hostname the certificate must cover as a Subject Alternative Name (for example both example.com and www.example.com), because browsers match against the SAN list and ignore the Common Name. Most hosting control panels (cPanel, Plesk) have a built-in CSR generator. You can also generate one via OpenSSL from the command line.
Submit your CSR to a Certificate Authority
Purchase your chosen certificate at comparecheapssl.com, select your certificate type, and paste your CSR into the order form. For OV and EV certificates, you will also need to provide business documentation such as your registration number, address, and a contact phone number that the CA can verify against a public directory.
Complete domain control validation (DCV)
The CA verifies that you control the domain. Three methods are available: email verification (the CA sends a confirmation link to a constructed address at the domain such as admin@, administrator@, webmaster@, hostmaster@ or postmaster@), DNS verification (you add a specific TXT or CNAME record to your domain’s DNS), or HTTP file verification (you publish a CA-supplied file under /.well-known/pki-validation/ on the web server for the exact hostname being validated). DNS-based verification is generally the fastest and most reliable method, and it is the only one accepted for wildcard certificates.
Download your certificate files
After validation, the CA issues your certificate. You will receive the primary certificate file (.crt), the intermediate/CA Bundle file (.ca-bundle or .crt), and optionally a combined certificate chain file. Keep these files together with your private key file for installation. The private key was generated in Step 1 and should already be on your server. Install the leaf and the intermediates only; the root certificate is already in the browser’s trust store and should not be served.
Install the certificate and enable HTTPS
Installation method varies by server. For cPanel hosting, use the SSL/TLS Manager and Manage SSL Sites section. For Apache, add the certificate paths to your virtual host configuration. For Nginx, configure the ssl_certificate and ssl_certificate_key directives. After installation, configure a 301 redirect from all HTTP URLs to HTTPS, and verify the installation using a tool such as SSL Labs’ SSL Server Test at ssllabs.com/ssltest.
CSR generation with OpenSSL (Step 1):

```bash
openssl req -new -newkey rsa:2048 -nodes \
  -keyout yourdomain.key \
  -out yourdomain.csr
# Follow the prompts: Country, State, Org, Common Name (your domain)
# The .key file is your private key — never share it
# Paste the .csr contents into your CA’s order form
```
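The interactive command above produces a CSR with only a Common Name, which modern browsers ignore. The following script, added here as an example and not code from the original page or from OpenSSL itself, wraps the openssl CLI (1.1.1 or newer, for -addext) to create the private key with owner-only permissions and a CSR that lists every hostname as a SAN, then verifies the CSR’s self-signature and reads the names back. The domain names are assumptions for illustration; `make_csr`, `inspect_csr` and `demo` are this example’s own helpers.

```python
"""Generate a private key and a CSR that lists every hostname as a SAN."""
import os
import stat
import subprocess
import tempfile


def make_csr(domains, workdir, key_bits=2048):
    """Write <first domain>.key (mode 0600) and <first domain>.csr into workdir.

    Returns the two paths, or None when the openssl binary is not installed.
    """
    primary = domains[0]
    key_path = os.path.join(workdir, f"{primary}.key")
    csr_path = os.path.join(workdir, f"{primary}.csr")
    san = ",".join(f"DNS:{d}" for d in domains)

    # Create the key file up front with mode 0600. openssl truncates and
    # rewrites it but keeps the mode, so the private key is never readable
    # by other users, not even for an instant.
    os.close(os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600))

    cmd = [
        "openssl", "req", "-new", "-batch", "-newkey", f"rsa:{key_bits}", "-nodes",
        "-keyout", key_path, "-out", csr_path,
        "-subj", f"/CN={primary}",                  # CN kept for legacy tooling
        "-addext", f"subjectAltName={san}",         # what browsers actually match
    ]
    try:
        subprocess.run(cmd, check=True, capture_output=True)
    except FileNotFoundError:
        return None
    return {"key": key_path, "csr": csr_path}


def inspect_csr(csr_path):
    """Verify the CSR's self-signature and pull out its subject and SAN list."""
    # A non-zero exit here means the CSR is corrupt or its key does not match.
    subprocess.run(["openssl", "req", "-noout", "-verify", "-in", csr_path],
                   check=True, capture_output=True)
    text = subprocess.run(["openssl", "req", "-noout", "-text", "-in", csr_path],
                          check=True, capture_output=True, text=True).stdout
    subject, sans = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):
            subject = line[len("Subject:"):].strip()
        elif line.startswith("DNS:"):
            sans = [part.strip()[len("DNS:"):] for part in line.split(",")]
    return {"subject": subject, "sans": sans}


def demo(domains=("example.com", "www.example.com")):
    """Generate and inspect a CSR in a scratch directory; None if openssl is absent."""
    workdir = tempfile.mkdtemp(prefix="csr-demo-")
    paths = make_csr(list(domains), workdir)
    if paths is None:
        return None
    result = inspect_csr(paths["csr"])
    result["key_mode"] = stat.S_IMODE(os.stat(paths["key"]).st_mode)
    return result


if __name__ == "__main__":
    print(demo())
```

Swap the domain list for your own hostnames and paste the resulting .csr into the CA’s order form; the .key file never leaves the server.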
Common SSL Errors and How to Fix Them
NET::ERR_CERT_DATE_INVALID (expired certificate)
The certificate’s validity period has ended. The fix is to renew your certificate from your CA, download the new certificate files, and reinstall them on your server. This error will appear for every visitor until the new certificate is installed. With 200-day validity now standard, set automated renewal or a calendar reminder at least 30 days before expiry.
NET::ERR_CERT_AUTHORITY_INVALID (untrusted CA)
The browser does not recognize the CA that issued the certificate, or the intermediate certificate chain is incomplete. The most common cause is a missing CA Bundle file on the server: the leaf certificate was installed without its intermediates. Desktop Chrome and Firefox can often paper over this by fetching the missing intermediate themselves, but Android, curl and most API clients cannot, so the error may hit only some visitors. Ensure the full certificate chain (leaf certificate plus all intermediate certificates) is installed and served correctly, and verify the chain using SSL Labs, which reports an incomplete chain explicitly.
NET::ERR_CERT_COMMON_NAME_INVALID (hostname mismatch)
The hostname in the browser address bar does not match any DNS name in the certificate’s Subject Alternative Names (modern browsers ignore the Common Name entirely). Common causes: the certificate was issued for www.example.com but the site is accessed via example.com (or vice versa), or a wildcard certificate was used for a hostname more than one label below it (secure.login.example.com under *.example.com) or for the bare apex, which *.example.com does not cover. Reissue the certificate with every required hostname listed as a SAN.
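The wildcard rules described in the domain-coverage section and in this error entry are compact enough to implement, so here is a hostname matcher, added as an example and not code from the original page or from any browser. It applies the RFC 6125 and CA/Browser Forum rules browsers use (exact match on a DNS SAN, or a wildcard whose * is the entire left-most label and stands for exactly one label, with no Common Name fallback) and adds a diagnosis helper for triaging the mismatch before reissuing. The SAN list is constructed for illustration; `hostname_matches` and `explain_mismatch` are this example’s own names.

```python
"""Hostname matching against a certificate's SAN list, the way browsers do it."""


def _labels(name: str) -> list:
    """Normalise a DNS name: strip the trailing dot, lower-case, split into labels."""
    return name.rstrip(".").lower().split(".")


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """True if `hostname` is covered by at least one DNS SAN in `san_dns_names`."""
    host = _labels(hostname)
    for san in san_dns_names:
        labels = _labels(san)
        if "*" not in san:
            if labels == host:          # exact, case-insensitive match
                return True
            continue
        # Wildcard constraints: a single '*', forming the whole left-most
        # label (so 'b*.example.com' is rejected), and at least two labels
        # after it (so '*.com' is rejected).
        if san.count("*") != 1 or labels[0] != "*" or len(labels) < 3:
            continue
        # '*' matches exactly one label: same label count, remainder identical.
        # This is why *.example.com covers neither example.com (too few
        # labels) nor secure.login.example.com (too many).
        if len(host) == len(labels) and host[1:] == labels[1:]:
            return True
    return False


def explain_mismatch(hostname: str, san_dns_names) -> str:
    """Short diagnosis for a failed match, to speed up the reissue decision."""
    if hostname_matches(hostname, san_dns_names):
        return "match"
    host = _labels(hostname)
    for san in san_dns_names:
        labels = _labels(san)
        if labels[0] != "*" or len(labels) < 3:
            continue
        suffix = labels[1:]
        if host[-len(suffix):] == suffix:
            if len(host) == len(suffix):
                return "apex not covered by wildcard"
            if len(host) > len(labels):
                return "subdomain too deep for wildcard"
    return "no SAN matches"


# Constructed SAN list for illustration; not taken from any real certificate.
SAMPLE_SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for h in ("blog.example.com", "secure.login.example.com", "example.com", "example.net"):
        print(h, hostname_matches(h, SAMPLE_SANS), explain_mismatch(h, SAMPLE_SANS))
```

Run it with the SAN list from the certificate viewer and the hostname from the address bar: the diagnosis tells you whether the fix is adding the apex as a SAN, adding the deeper hostname explicitly, or reissuing for an entirely different name.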
Mixed content warning (broken padlock)
The page is served over HTTPS but contains resources (images, scripts, stylesheets) loading over HTTP. Browsers block active mixed content such as scripts and stylesheets outright and upgrade or block passive content such as images, and either way the page loses its clean secure indicator. The fix is to update all resource URLs to use HTTPS. For WordPress, update Settings > General so both URL fields use https://, then run a database search-and-replace of http://yourdomain.com to https://yourdomain.com using a serialization-aware tool such as the WP-CLI search-replace command, since a plain SQL REPLACE corrupts serialized option values whose string lengths change.
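Before running a blind search-and-replace it helps to know exactly which resources are mixed content, so here is a scanner, added as an example and not code from the original page or from any CMS. It walks an HTML document with the standard-library HTMLParser and reports every resource fetched over plain http://, split into the two classes browsers use (active content, which is blocked, and passive content, which is upgraded or blocked), while ignoring ordinary links and non-resource link relations such as rel="canonical", which are not mixed content. The sample HTML is constructed for illustration.

```python
"""Find mixed content in an HTML document served over HTTPS."""
from html.parser import HTMLParser

# Resource-loading attributes, split the way browsers treat them.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("img", "srcset"), ("video", "src"),
           ("audio", "src"), ("source", "src"), ("source", "srcset")}


def _candidate_urls(attr: str, value: str):
    """srcset holds comma-separated 'url descriptor' pairs; other attrs hold one URL."""
    if attr == "srcset":
        return [part.strip().split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, tag, attr, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for attr, value in attrs.items():
            if value is None:
                continue
            kind = None
            if (tag, attr) in ACTIVE:
                kind = "active"
            elif (tag, attr) in PASSIVE:
                kind = "passive"
            elif tag == "link" and attr == "href":
                # Only link relations that fetch a resource count; canonical,
                # alternate and similar relations are metadata, not loads.
                rel = (attrs.get("rel") or "").lower().split()
                if "stylesheet" in rel:
                    kind = "active"
                elif "icon" in rel:
                    kind = "passive"
            if kind is None:
                continue
            for url in _candidate_urls(attr, value):
                # Protocol-relative (//host/...) and https:// URLs are fine.
                if url.lower().startswith("http://"):
                    self.findings.append((kind, tag, attr, url))


def scan(html: str):
    """Return the list of (kind, tag, attr, url) mixed-content findings in document order."""
    parser = MixedContentScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/page">
<script src="http://cdn.example.com/app.js"></script>
<script src="https://cdn.example.com/ok.js"></script>
</head><body>
<img src="http://example.com/logo.png"
     srcset="http://example.com/logo@2x.png 2x, https://example.com/logo@3x.png 3x">
<a href="http://example.com/about">About</a>
<iframe src="//example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, attr, url in scan(SAMPLE_HTML):
        print(f"{kind:7} <{tag} {attr}> {url}")
```

Inline CSS url() references and URLs assembled by JavaScript are not covered by this parser; the browser console’s mixed-content messages remain the final check after the replace has run.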
HTTP not redirecting to HTTPS
After installing a certificate, HTTP traffic must be explicitly redirected to HTTPS. In Apache, add a redirect rule in the .htaccess file or VirtualHost block. In Nginx, add a server block that returns a 301 redirect. In cPanel, use the Force HTTPS Redirect toggle in the Domains section. Without this redirect, visitors who type your domain without https:// will still reach the unsecured version. Once the redirect works site-wide, add a Strict-Transport-Security header so that returning browsers go straight to HTTPS without passing through the insecure hop at all.
