SSL Certificate Setup for Business Sites in 2026: Plain-English Guide
TL;DR
- A free Let's Encrypt certificate gives you the same browser padlock as a $300 paid one. For 99% of business sites, it is the right pick.
- Modern hosts (Vercel, Netlify, Cloudflare, SiteGround, Hostinger, WP Engine) install SSL in one click. Self-managed VPS needs Certbot or Caddy, about 10 minutes.
- Add HSTS after SSL works for 7 days. It stops downgrade attacks and is required by PCI-DSS 4.0 for anything that touches cards.
You clicked "Buy" on a shopping cart last week. The padlock was there. You typed your card number. That padlock is SSL (or more precisely, TLS) doing its job. Without it, your connection is shouted across every router between you and the server in plain text.
If your business site does not have SSL in 2026, Chrome marks it as "Not Secure" in the address bar and Google downranks it. The good news: setup is a 10-minute task for most hosts and $0 for most businesses. Here is the walkthrough.
What SSL actually does
SSL (Secure Sockets Layer) is the old name. TLS (Transport Layer Security) is the current name. Everyone still says SSL, so I will too. The job is three things:
- Encryption. Your form data, cookies, and page content travel scrambled. A Wi-Fi eavesdropper sees noise.
- Integrity. A proxy cannot silently inject ads or malware into your pages in flight.
- Identity. The certificate proves the server you reached is actually the owner of the domain in the URL.
The padlock in the browser means all three checks passed for that page. No padlock or a broken one means at least one failed.
Free vs paid certificates
This decision trips up more business owners than any other. Let me save you the Google rabbit hole.
| Type | Cost | What you get | Who should use it |
|---|---|---|---|
| Let's Encrypt (DV) | Free | Padlock, 90-day cert, auto-renew | 95% of business sites |
| ZeroSSL (DV) | Free tier or $10/mo | Same as Let's Encrypt + wildcard on free | Alternative to Let's Encrypt |
| Cloudflare (DV) | Free with Cloudflare | Padlock, auto-managed | Anyone on Cloudflare |
| Paid DV (GoDaddy, Namecheap) | $10–$80/yr | Same browser trust as free | Hosts that block Let's Encrypt |
| OV (Organization Validated) | $100–$200/yr | Company name in cert details | Banks and some B2B compliance |
| EV (Extended Validation) | $150–$400/yr | Same as OV in 2026; browsers dropped the green bar | Almost nobody |
The honest take: browsers no longer visually distinguish OV or EV from DV. The "green bar" died in 2019. If someone tries to sell you a $300 EV cert for trust, ask them to show you what it looks like in Chrome. It looks the same as the free one.
Get a paid cert only if (a) your host blocks Let's Encrypt, (b) a compliance document from a partner explicitly requires OV, or (c) you need a warranty your ecommerce insurer demands.
Let's Encrypt, step by step
Let's Encrypt is a free certificate authority run by the Internet Security Research Group. It issues 90-day certificates and expects you to auto-renew. Every modern host knows how to do this.
The flow is always the same:
- Prove you control the domain (HTTP challenge or DNS challenge).
- Certificate authority issues a cert.
- Your server installs it and serves HTTPS.
- A cron job renews every ~60 days.
You rarely do this by hand. Here is how it plays out per host.
Host-specific setup
Vercel
Automatic. Add your domain in the Vercel dashboard, point DNS at Vercel (or use Vercel DNS), and a cert is issued within a minute. Renewal is invisible. If you see an SSL error on Vercel, it is almost always a DNS record that has not propagated yet.
Netlify
Same story. Add domain, wait for verification, cert issues automatically. The "Verify DNS configuration" button is the one to click if something looks stuck.
Cloudflare
If your DNS is on Cloudflare, turn on "Full (strict)" in SSL/TLS settings. Cloudflare serves a cert at the edge and expects a valid origin cert on your server. For a pure cache setup, "Flexible" works but is not really secure; avoid it on anything that accepts logins or forms.
cPanel hosts (Hostinger, SiteGround, Bluehost, A2)
Look for "Let's Encrypt SSL" or "AutoSSL" in cPanel. One click. If you see "Install" next to your domain, click it. On SiteGround, the setting is under Security > SSL Manager.
WP Engine
Built in. Log in, go to Domains, click "Add SSL." Free Let's Encrypt is the default. Done.
VPS (DigitalOcean, Linode, Hetzner, AWS EC2)
You do it yourself. Two paths:
Path A: Caddy is a web server that gets SSL automatically. Replace your Nginx or Apache config with a four-line Caddyfile:
example.com {
reverse_proxy localhost:3000
}
Start Caddy. Cert is live.
Path B: Nginx + Certbot. Install Certbot:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
Certbot reads your Nginx config, installs the cert, and adds a systemd timer for renewal. This takes about three minutes end to end.
After install: the HTTPS upgrade checklist
A working cert is step one. These four steps close the loop:
- Redirect HTTP to HTTPS. In Nginx: a 301 redirect from port 80 to port 443. In Vercel and Netlify: on by default. On WordPress: the "Really Simple SSL" plugin handles it.
- Fix mixed content. If any image, script, or stylesheet loads over http://, the padlock breaks on that page. Open browser DevTools → Console and search for "Mixed Content." Update the URLs to https:// or to protocol-relative //.
- Update canonical URLs. Sitemap, robots.txt, Google Search Console, analytics, and any hard-coded domain in your code should use https://.
- Add HSTS. See the next section.
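A small scanner for the mixed-content step, added here as an example (not from the original article): it walks a saved HTML page with the standard library, flags every subresource still fetched over http://, and separates the ones browsers block outright from the ones Chrome may upgrade. The sample page is constructed.

```python
"""Added example (not from the original article): scan saved HTML for mixed
content, i.e. subresources an https:// page still loads over http://. Stdlib only."""
from html.parser import HTMLParser

# Element -> attributes that can fetch a subresource.
URL_ATTRS = {"script": ("src",), "img": ("src", "srcset"), "link": ("href",),
             "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
             "source": ("src", "srcset")}
# Scripts, stylesheets and frames are "blockable": browsers refuse them and the
# page breaks. Images and media are "optionally blockable": Chrome upgrades them
# or loads them with a downgraded padlock. Neither should stay on http://.
BLOCKABLE = {"script", "link", "iframe"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, category)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        if tag == "link" and attrs.get("rel", "").lower() != "stylesheet":
            return  # canonical/alternate/preconnect links fetch no subresource
        for name in URL_ATTRS.get(tag, ()):
            raw = attrs.get(name, "")
            # srcset holds comma-separated "url descriptor" candidates
            urls = [c.split()[0] for c in raw.split(",") if c.strip()] if name == "srcset" else [raw]
            for url in urls:
                if url.lower().startswith("http://"):
                    cat = "blockable" if tag in BLOCKABLE else "optionally-blockable"
                    self.findings.append((tag, name, url, cat))

def find_mixed_content(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

def suggest_fix(url):
    """The fix the checklist recommends: same URL, https:// scheme."""
    return "https://" + url[len("http://"):]

# Constructed sample page: the https script and protocol-relative iframe are fine.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<script src="https://cdn.example.com/app.js"></script></head><body>
<img src="http://example.com/logo.png" srcset="http://example.com/logo@2x.png 2x">
<iframe src="//maps.example.com/embed"></iframe></body></html>"""

if __name__ == "__main__":
    for tag, attr, url, cat in find_mixed_content(SAMPLE):
        print(f"{cat:20} <{tag} {attr}> {url} -> {suggest_fix(url)}")
```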
HSTS: the 2026 default
HSTS (HTTP Strict Transport Security) is a header that tells browsers: "for the next N seconds, never load this domain over HTTP." It closes a class of downgrade attacks where an attacker on the same Wi-Fi intercepts the first HTTP request before your 301 fires.
Wait until your site works flawlessly on HTTPS for at least a week, then add:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
One year, all subdomains, and eligible for the HSTS preload list. Once you are confident, submit your domain at hstspreload.org. Browsers will then hardcode your site as HTTPS-only on first visit.
Do not add preload unless you mean it. Removing a domain from the preload list takes weeks. If you have a subdomain without SSL, do not set includeSubDomains until it does.
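To make the header above concrete, an added example (not part of the original article) that parses a Strict-Transport-Security value as a browser would, reports what would block a preload submission, and shows how includeSubDomains turns an http:// link to a subdomain into an https:// load, which is exactly why a subdomain without a cert becomes unreachable. Header values and hostnames are constructed.

```python
"""Added example (not part of the original article): parse a
Strict-Transport-Security header as a browser does, list what would stop it
being accepted at hstspreload.org, and show which URLs it forces to https://."""
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts

def parse_hsts(header):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.lower(), value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def preload_problems(policy):
    """Everything that stops this policy from being accepted for preloading."""
    problems = []
    if policy["max_age"] is None:
        problems.append("max-age missing: browsers ignore the whole header")
    elif policy["max_age"] < ONE_YEAR:
        problems.append(f"max-age {policy['max_age']} is below one year ({ONE_YEAR})")
    if not policy["include_subdomains"]:
        problems.append("includeSubDomains missing")
    if not policy["preload"]:
        problems.append("preload token missing")
    return problems

def hsts_upgrade(url, known_hosts):
    """known_hosts maps host -> cached policy. Return the URL the browser loads."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for known, policy in known_hosts.items():
        # includeSubDomains covers every label below the host: a cert-less subdomain becomes unreachable.
        covered = host == known or (policy["include_subdomains"] and host.endswith("." + known))
        if covered and parts.scheme == "http":
            return urlunsplit(("https",) + tuple(parts[1:]))
    return url

if __name__ == "__main__":
    good = parse_hsts("max-age=31536000; includeSubDomains; preload")
    print("good:", preload_problems(good) or "eligible for preload")
    print("weak:", preload_problems(parse_hsts("max-age=300")))  # constructed short policy
    print(hsts_upgrade("http://shop.example.com/cart", {"example.com": good}))
```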
Common errors and fixes
These are the ones I see on 80% of client SSL tickets:
NET::ERR_CERT_COMMON_NAME_INVALID. The cert is for example.com but the URL is www.example.com, or vice versa. Issue the cert for both names, or redirect one to the other.
NET::ERR_CERT_AUTHORITY_INVALID. Self-signed cert, or the chain is incomplete. Check the intermediate cert bundle. On Nginx, serve fullchain.pem (leaf plus intermediates), not cert.pem.
Mixed content warning but no broken padlock. You have http:// images or scripts. Chrome auto-upgrades some of them now but not all. Find them in DevTools.
Cert expired. Auto-renewal broke. Check the cron job or systemd timer. Run certbot renew --dry-run to diagnose.
Let's Encrypt rate limit. You tried to issue more than 5 certs for the same domain in 7 days. Wait a week or use the staging environment for testing.
Cloudflare "Too many redirects." Your origin is redirecting HTTP to HTTPS, Cloudflare is also redirecting, and the two are in a loop. Set Cloudflare SSL mode to "Full (strict)" and remove origin-level redirects, or vice versa.
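The name check behind the first error above, NET::ERR_CERT_COMMON_NAME_INVALID, as an added example (not code from the article): it matches a hostname against a certificate's dNSName SAN entries using the RFC 6125 wildcard rules and reports which of the two names from that example is missing. The SAN lists are constructed; real ones come from the issued certificate.

```python
"""Added example (not from the original article): the name check behind
NET::ERR_CERT_COMMON_NAME_INVALID. A browser matches the host in the URL
against the certificate's Subject Alternative Names (dNSName entries); the
Common Name field is ignored. Matching rules follow RFC 6125."""

def _label_match(pattern_label, host_label):
    # A wildcard label matches exactly one whole label; partial wildcards
    # such as "w*.example.com" are not accepted by browsers.
    return pattern_label == "*" or pattern_label == host_label

def name_matches(hostname, san):
    """Does one dNSName SAN entry cover hostname?"""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # "*.example.com" covers neither "example.com" nor "a.b.example.com"
    if "*" in pat and (pat.count("*") != 1 or pat[0] != "*" or len(pat) < 3):
        return False  # one wildcard, leftmost label only, and never "*.com"
    return all(_label_match(p, h) for p, h in zip(pat, host))

def cert_covers(hostname, dns_names):
    """True when any SAN entry in the certificate matches hostname."""
    return any(name_matches(hostname, n) for n in dns_names)

def diagnose(hostname, dns_names):
    """Reproduce the article's failure case as a human-readable verdict."""
    if cert_covers(hostname, dns_names):
        return f"OK: {hostname} is covered by {dns_names}"
    return (f"NET::ERR_CERT_COMMON_NAME_INVALID: {hostname} not in {dns_names}; "
            f"reissue with -d {hostname} or redirect to a covered name")

if __name__ == "__main__":
    # Constructed SAN lists; real ones come from the issued certificate.
    apex_only = ["example.com"]
    both = ["example.com", "www.example.com"]
    print(diagnose("www.example.com", apex_only))
    print(diagnose("www.example.com", both))
    print(diagnose("example.com", ["*.example.com"]))
```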
SSL and PCI, briefly
If your site takes card payments, PCI-DSS 4.0 adds a few rules on top:
- TLS 1.2 minimum; prefer 1.3. Disable TLS 1.0 and 1.1.
- Disable weak ciphers (anything using RC4, 3DES, or CBC-mode for older TLS).
- HSTS is required for any page that renders card forms.
- Cert must be from a publicly trusted CA. Self-signed is not allowed in the payment flow.
Mozilla's SSL Config Generator gives you a copy-paste Nginx or Apache config for the "intermediate" profile that matches PCI requirements. Use that.
For the wider ecommerce security picture, see the ecommerce security checklist and the parent guide on website security for business owners.
SSL versus a WAF
SSL encrypts traffic. It does nothing about a SQL injection, a stolen password, or a bot hammering your login. A Web Application Firewall (WAF) is the layer that handles those. You want both. I broke down the difference and the right combo in WAF vs CDN: what each one actually does.
How I set this up for clients
For most business websites I build, the SSL chain looks like:
- Cloudflare in front, full strict mode
- Let's Encrypt or Vercel-managed cert on the origin
- HSTS with preload after one week of clean HTTPS
- TLS 1.2 and 1.3 only, modern ciphers
- Automated Lighthouse check in CI that fails the build on mixed content
Total recurring cost: $0 for the cert. The rest is a one-time configuration.
For a reference of what "properly set up" looks like in production, the LAK Embalagens corporate website case study covers the full build, where the SSL and CDN setup helped cut bounce rate by 45% and get the B2B catalog into Top 3 Google rankings.
FAQ
Do I need SSL if I do not take payments?
Yes. Chrome and Safari mark non-HTTPS pages as "Not Secure," Google ranks HTTPS higher, and any form (even a newsletter signup) leaks in plain text without it.
Why is my Let's Encrypt cert valid for only 90 days?
By design. Short lifetimes limit damage if a private key leaks. Your host or Certbot renews every ~60 days without you doing anything.
Can I install SSL without downtime?
Yes. Issue and install the cert, then flip the redirect from HTTP to HTTPS. There is a sub-second gap while Nginx reloads. Most users will not notice.
What does the "lock" icon actually prove?
That the domain in the URL matches a cert issued by a publicly trusted CA, and that traffic to that page is encrypted. It does not prove the site is trustworthy, non-malicious, or legitimate as a business.
Should I still use paid OV certificates?
Only if a partner contract or regulator names them by type. Browsers show no visible difference to your customers in 2026.
Closing
SSL is 10 minutes of setup and $0 for most business sites. The real work is the follow-up: force HTTPS, fix mixed content, add HSTS, and keep an eye on renewals. Do those four and the padlock stays green forever.
If you hit a wall or want a second pair of eyes on a mixed-content mess, book a free strategy call. Most SSL issues are 20-minute fixes once someone has seen them before.
Related reading:
- Websites — fixed-price builds from $2,000, 14-day money-back guarantee + 1-year bug warranty
- Applications — monthly subscription from $3,499/mo
- LAK Embalagens case study — production SSL/CDN setup on a B2B catalog
- GigEasy case study — MVP in 3 weeks, full infra including SSL
- WAF vs CDN in 2026
- Website security for business owners