The Quick Complete Guide for Business Owners: SSL Certificates

If you have a website, you’ve probably heard about SSL in the last couple of months. Everybody’s talking about how you need to add it to your site and how it will hurt your Google rankings if you don’t do it NOW.

But what exactly is SSL? Why do you need it? Why now? How much is it and how do you “install” it?

In just a few minutes, this guide will give you the information you need as a business owner to make an informed decision about your site’s SSL Certificate.

What is SSL and What Does it Do?

SSL stands for Secure Sockets Layer. I’ll just leave that information to ruminate in your head for a future trivia game. What you actually need to know is that an SSL Certificate secures your information while it’s passing from your website to a user’s computer and back. Here’s what’s happening:

So this isn’t great for your users. Someone can just insert themselves into the middle of that information stream and steal sensitive information.

If you have an eCommerce store where credit card information is being collected on your site, your payment processor will require you to have an SSL Certificate so that your website works like this:

With an SSL Certificate all that information is encrypted, so hackers can’t just grab that information in the middle while it’s going from the user to your website or vice versa. It’s called a “man in the middle” attack because someone inserts themselves between the user and the server.

In addition to encrypting, SSL certificates are also registered to a specific company so that you can know that the website you’re looking at is actually the authentic website, not a clone.

This sounds great, of course. In fact, it’s so great, you might be wondering why SSL Certificates haven’t always been standard. They were created in 1994, so SSL certificates have been around for a while. Bottom line? They cost. And in the past, many smaller websites didn’t see the need to secure their website when they weren’t collecting sensitive information.

Everything Changed With Google

As with many website innovations today, Google is a driving force behind SSL Certificate adoption. It started in 2014, with Google’s blog post about SSL being included in the algorithm for ranking sites. However, despite many tests done on the effect of SSL on Google rankings, most showed no obvious difference – having an SSL Certificate installed on your site didn’t move your site up in Google’s search results.

But then the announcement came late in 2016 that Google would also be doing something else: starting in January 2017, sites with logins would be labeled as NOT SECURE in Chrome if they didn’t have an SSL Certificate. This was a major change. Before, if your site had a login (like the 28% of websites on the internet that use WordPress) and no SSL, your site didn’t say anything special. But labeling a site as NOT SECURE could very likely scare away people who weren’t sure what that meant.

Essentially, instead of Google just labeling sites as SECURE with SSL, they’d label sites without SSL as NOT SECURE. 

Why Did Google Do it?

When Google decides something must be a certain way, everyone who wants to be listed on Google must change. And since Google monopolizes search on the internet, it’s essentially their way or the highway.

But in this case, I actually agree with this move. SSL certificates provide us with a more secure internet experience, which is always a good idea. This not only secures you against hackers, it can also secure your information in case of government snooping.

Why Do You Need SSL?

Essentially, you need SSL because Google has required it. Do you want to be found in Google? I’d recommend installing SSL on your site over the next couple of months if not immediately. Yes, it is an extra cost, but just like you must pay for hosting, SSL is now simply a requirement for running a website.

That’s not to say it’s bad! Again, SSL Certificates do make your site more secure which is always a good thing.

How to Tell That a Website has SSL

It’s easy to tell in any browser whether a website has an SSL Certificate installed. Type the website URL into the top bar, and take a look at the information to the left of the domain name. Is there a green lock icon to the left? If so, that website has an SSL certificate installed. In Chrome, in addition to the green lock icon, you’ll see the word SECURE.

If the words are in grey, it means that while the website is technically secure, there are images or links being loaded that are not secure.

The Three Different Types of SSL

There are three main types of SSL Certificates: Domain Validated certificates (DV), Organization Validated certificates (OV) and Extended Validation certificates (EV).

Domain Validated Certificates (DV) are the simplest type to get. Most companies who are adding SSL primarily because of Google’s requirements are using this kind. They require no paperwork to be submitted from your company, just a proof that you own the domain name.

Organization Validated Certificates (OV) are the second easiest. To the user, this type looks the same in the browser as the DV ones, but it is a little safer because the issuer vets your company information before issuing it.

Extended Validation Certificates (EV) are the most secure. They provide the user with an added green bar with the name of the company on it:

Take a look at some of your favorite sites, and you’ll see that many don’t have this level of security. Most notably Google and Amazon! You can see with Amazon (and Google) that each only has an Organization Validated Certificate:

To see this yourself, check out the domain name in Firefox. Click on the green SSL lock. Then click the right arrow, click More Information, and then View Certificate.

If it has only the Common Name, it’s a “Domain Validation” Certificate. If it has the Organization name listed, it’s the “Organization Validated” Certificate. If it also has the Organizational Unit, it’s the “Extended Validation” Certificate.

If you’re buying an SSL certificate for Google only (not eCommerce), you can simply go with the basic “Domain Validation” unless you have very security-conscious/sensitive users.

How much do SSL Certificates Cost?

Before we talk about price, you should consider buying your SSL certificate from your hosting company. There are a few reasons for this: first, they’ll usually install the certificate for you at no extra cost; all of your information will be in one place not scattered through different sites; and it’s simply easier.

If the pricing on your hosting company’s SSL is significantly more expensive than other SSL pricing, or if your hosting company doesn’t offer SSL Certificates, then you can buy them from essentially anyone and install them on your website. However, remember that the company is providing you with the encryption, so your website is only as secure as the company is. A few good companies include Verisign, Geotrust, Comodo, Digicert, Thawte, GoDaddy, Let’s Encrypt, and Network Solutions. I personally bought mine through A2hosting (Let’s Encrypt).

Prices for a basic SSL (DV) can be as cheap as free now, but generally start around $60 a year. Sometimes your hosting will actually throw in an SSL Certificate for free! On the high end, with multiple domains secured with the highest level (EV), you can pay as much as $1000 per year. Keep in mind that pricing is more expensive if you’re securing more than one domain.

Now that you know the three types of SSL Certificates, answer the three questions here and they’ll recommend several SSL Certificates for you: SSL Certificate Shopper Comparison. The last question deals with the type of SSL Certificate you’re looking to buy.

What do I do Once I Buy an SSL Certificate?

Once you buy an SSL Certificate, you’ll need to get it installed. The best way to install an SSL certificate is to get the issuing organization to do it for you for free. Many companies will do this, especially if you are hosting your website with them.

If you need to do it yourself, each SSL issuing company will provide their own directions. Installing an SSL certificate is not for those without experience using their website’s cpanel or equivalent. If you’re unsure what that is or haven’t used it before, you’ll want to hire a developer to do this for you.

Testing Your SSL Certificate

Once you think your SSL certificate is installed, you’ll want to test it by going to:

https://yourdomain.com

If an SSL certificate is not installed correctly, it will show up with an error on the site depending on the browser you’re in. Below are the errors for Chrome and Firefox:

Firefox SSL Error
Chrome SSL Error

If you get those errors, you’ll need to go back to your SSL Certificate issuer, wherever you bought the SSL Certificate, and have them troubleshoot the issue.

Switching Your Site to SSL

The final step that you’ll need to take is forwarding your site to the secure site. If you type in your site without the SSL (https), like below:

http://yourwebsite.com

your site will still come up. However, you don’t want to allow access to a non-secure version of your website, so you’ll need to make at least one edit.

Developer’s Instructions – Forcing SSL

The following instructions will most likely require a developer. In the root folder of the site, find or create a “.htaccess” file. Then add this coding to the top of the file:

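# Turn on Apache's URL rewriting for this folder
RewriteEngine On
# Only act on requests that arrived on port 80 (plain HTTP)
RewriteCond %{SERVER_PORT} 80
# Send the visitor to the same path on the HTTPS site with a permanent (301) redirect
RewriteRule ^(.*)$ https://yourwebsite.com/$1 [R=301,L]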

This will forward any insecure page to the new secure website, while telling Google that the secure website is the new version to catalog (301 redirect at the end).
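One way to confirm the rule above is doing its job, as an added example that is not part of the original article: request the plain-HTTP address without following the redirect, then check that the answer is a 301 to the same path on HTTPS. The function names are hypothetical, and the host is passed on the command line.

```python
# Added example (not from the original article): verify the HTTP -> HTTPS
# redirect that the .htaccess rule is supposed to produce.
import http.client
from urllib.parse import urlsplit


def evaluate_redirect(host, path, status, location):
    """Return a list of problems with the redirect response (empty = OK)."""
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301 (permanent)")
    if not location:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append(f"target scheme is {target.scheme or 'missing'}, not https")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"redirect goes to {target.hostname}, not {host}")
    if (target.path or "/") != path:
        problems.append(f"path changed from {path} to {target.path or '/'}")
    return problems


def check_site(host, path="/"):
    """Fetch http://host/path without following redirects and evaluate it."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return evaluate_redirect(host, path, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    for line in check_site(sys.argv[1]) or ["OK: 301 to HTTPS, path preserved"]:
        print(line)
```

Because the rule hard-codes https://yourwebsite.com, a request made to a different hostname for the same site (such as a www. variant) will be reported as going to another host, which is worth knowing when deciding which name is the main one.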

Editing the Links

Now that your base website is set to use SSL, you’ll need to edit links within your site. Again, a developer will be helpful here. You’ll know there are images being pulled that aren’t secure if the lock left of your URL is grey, not green.

For non-WordPress sites, the best way to do this on a site is to start with the links you know need to be changed. Then, use “View Page Source” (Chrome) to see all the coding for the page and search for links/images that are using “http” not “https”.

For those using WordPress, you can edit most URLs by using the plugin Velvet Blues. After installing it (it’s free), go to Tools -> Velvet Blues. Just put the insecure version of the site (http://yoursite.com) into the Old Site area, and then the secure version of the site into the new URL area (https://yoursite.com). Check everything except the bottom option on the checkboxes. Once you run it, it will give you a report on how many links were changed.

Once you get through those URLs, go through the steps for non-WordPress sites above to catch the ones that didn’t automatically get found.
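The “View Page Source” search described above can be automated. The following is an added example, not from the original article, that reads a page’s HTML and separates http:// items the browser loads as part of the page (images, scripts, stylesheets, which are what turn the lock grey) from ordinary http:// links, which cause no warning but should still be updated. The sample page and all names are constructed for illustration.

```python
# Added example, not from the original article. SAMPLE_PAGE is constructed.
from html.parser import HTMLParser

# Tags whose URL the browser fetches while rendering the page. An http://
# URL here is what turns the lock grey. (CSS url() and srcset are not covered.)
FETCHED = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
           "video": "src", "source": "src", "embed": "src", "link": "href"}


class InsecureRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.fetched = []  # (line, tag, url): loaded insecurely by the page
        self.links = []    # (line, url): plain links, no warning, still stale

    def handle_starttag(self, tag, attrs):
        attrs, line = dict(attrs), self.getpos()[0]
        if tag == "a":
            url = attrs.get("href") or ""
            if url.lower().startswith("http://"):
                self.links.append((line, url))
        elif tag in FETCHED:
            # Skip <link> tags that are not stylesheets or icons
            # (for example rel="canonical", which fetches nothing).
            rel = (attrs.get("rel") or "").lower()
            if tag == "link" and not ("stylesheet" in rel or "icon" in rel):
                return
            url = attrs.get(FETCHED[tag]) or ""
            if url.lower().startswith("http://"):
                self.fetched.append((line, tag, url))


def find_insecure(html):
    finder = InsecureRefFinder()
    finder.feed(html)
    finder.close()
    return finder.fetched, finder.links


SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://yoursite.com/style.css">
<script src="http://yoursite.com/js/menu.js"></script>
</head><body>
<img src="http://yoursite.com/images/logo.png" alt="logo">
<img src="/images/banner.png">
<a href="http://yoursite.com/contact">Contact</a>
</body></html>"""

if __name__ == "__main__":
    print(find_insecure(SAMPLE_PAGE))
```

Save a page’s source to a file and pass its contents to `find_insecure` to get the line numbers to fix first.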

WordPress Only

Finally, for WordPress only, you’ll need to edit the URL that your site is working with. Go to SETTINGS -> GENERAL, and change the two URLs on the page to the secure versions: “https” instead of “http”. This will kick you out of the site and you’ll have to sign in again, but now your site is based off of the secure version, not the insecure.

Boxes are greyed out? If the URL boxes are greyed out, you’ll need to get a Developer to edit a file in your site’s root folder called wp-config. That file will say the URL twice explicitly. Just add the “https” to each.

Links not working? If your links aren’t being forwarded to the secure version of your WordPress site, try going to SETTINGS -> PERMALINKS and saving the page. You don’t need to edit anything, just re-save to reset the permalinks.

The Bottom line in SSL

Your website will need an SSL Certificate installed at some point in the near future, mainly because Google has already said they’re including it in their ranking algorithm, but also for the security of your site.

While you can purchase the SSL Certificate through your hosting company and have them install it on your site, you will need a developer to finish the programming edits required for SSL.

 
