SSL Certificate Setup for Business Sites in 2026: Plain-English Guide

Step-by-step SSL setup for business websites in 2026. What SSL actually does, free vs paid certs, Let's Encrypt install, host-specific setup, common errors, and HSTS. Non-technical friendly.

By Adriano Junior

TL;DR

SSL certificate setup in 2026 is a 10-minute task and free for almost every business site. A free Let's Encrypt cert gives you the same browser padlock as a $300 paid one. Modern hosts (Vercel, Netlify, Cloudflare, SiteGround, Hostinger, WP Engine) install SSL with one click. A self-managed VPS needs Certbot or Caddy and finishes in about 10 minutes. After SSL is stable for 7 days, add HSTS — it stops downgrade attacks and is required by PCI-DSS 4.0 for any page that touches card data.

If your business site does not have SSL in 2026, Chrome marks it as "Not Secure" in the address bar and Google downranks it. The encryption layer is no longer an upgrade — it is the floor. The walkthrough below covers what SSL actually does, the free vs paid call, host-specific setup for the platforms most clients are on, and the errors people hit on the first try.

I have set this up on more than 250 production sites since 2009, including the bolttech payment integration at a $1B+ unicorn (40+ payment providers, 99.9% uptime). The pattern that holds up across all of them is below.

What SSL actually does

SSL (Secure Sockets Layer) is the old name. TLS (Transport Layer Security) is the current name. Everyone still says SSL, so I will too. The job is three things:

  1. Encryption. Form data, cookies, and page content travel scrambled. A Wi-Fi eavesdropper sees noise.
  2. Integrity. A proxy cannot silently inject ads or malware into your pages in flight.
  3. Identity. The certificate proves the server you reached owns the domain in the URL.

The padlock in the browser means all three checks passed for that page. No padlock or a broken one means at least one failed.

For the deeper background, the Mozilla TLS guidance is the cleanest summary I know of, and the SSL Labs server test at Qualys is what I run against every production site to grade the configuration.

Free vs paid certificates

This decision trips up more business owners than any other. Let me save you the Google rabbit hole.

Type                          | Cost                 | What you get                                        | Who should use it
Let's Encrypt (DV)            | Free                 | Padlock, 90-day cert, auto-renew                    | 95% of business sites
ZeroSSL (DV)                  | Free tier or $10/mo  | Same as Let's Encrypt + wildcard on free            | Alternative to Let's Encrypt
Cloudflare (DV)               | Free with Cloudflare | Padlock, auto-managed                               | Anyone on Cloudflare
Paid DV (GoDaddy, Namecheap)  | $10–$80/yr           | Same browser trust as free                          | Hosts that block Let's Encrypt
OV (Organization Validated)   | $100–$200/yr         | Company name in cert details                        | Banks and some B2B compliance
EV (Extended Validation)      | $150–$400/yr         | Same as OV in 2026; browsers dropped the green bar  | Almost nobody

The honest take: browsers no longer visually distinguish OV or EV from DV. The "green bar" died in 2019. If someone tries to sell you a $300 EV cert for trust, ask them to show you what it looks like in Chrome. It looks the same as the free one.

Get a paid cert only if (a) your host blocks Let's Encrypt, (b) a compliance document from a partner explicitly requires OV, or (c) you need a warranty your ecommerce insurer demands.

Let's Encrypt, step by step

Let's Encrypt is a free certificate authority run by the Internet Security Research Group. It issues 90-day certificates and expects you to auto-renew. Every modern host knows how to do this.

The flow is always the same:

  1. Prove you control the domain (HTTP challenge or DNS challenge)
  2. The certificate authority issues a cert
  3. Your server installs it and serves HTTPS
  4. A cron job renews every ~60 days

You rarely do this by hand. Here is how it plays out per host.

Host-specific setup

Vercel

Automatic. Add your domain in the Vercel dashboard, point DNS at Vercel (or use Vercel DNS), and a cert is issued within a minute. Renewal is invisible. If you see an SSL error on Vercel, it is almost always a DNS record that has not propagated yet.

Netlify

Same story. Add the domain, wait for verification, the cert issues automatically. The "Verify DNS configuration" button is the one to click if something looks stuck.

Cloudflare

If your DNS is on Cloudflare, turn on "Full (strict)" in SSL/TLS settings. Cloudflare serves a cert at the edge and expects a valid origin cert on your server. For a pure cache setup, "Flexible" works but is not really secure: Cloudflare terminates TLS at the edge and talks plain HTTP to your origin, so avoid it on anything that accepts logins or forms.

cPanel hosts (Hostinger, SiteGround, Bluehost, A2)

Look for "Let's Encrypt SSL" or "AutoSSL" in cPanel. One click. If you see "Install" next to your domain, click it. On SiteGround the setting is under Security > SSL Manager.

WP Engine

Built in. Log in, go to Domains, click "Add SSL." Free Let's Encrypt is the default. Done.

VPS (DigitalOcean, Linode, Hetzner, AWS EC2)

You do it yourself. Two paths.

Path A: Caddy is a web server that gets SSL automatically. Replace your Nginx or Apache config with a four-line Caddyfile:

example.com {
  reverse_proxy localhost:3000
}

Start Caddy. Cert is live.

Path B: Nginx + Certbot. Install Certbot:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

Certbot reads your Nginx config, installs the cert, and adds a systemd timer for renewal. The whole process takes about three minutes end to end.

After install: the HTTPS upgrade checklist

A working cert is step one. These four steps close the loop.

  1. Redirect HTTP to HTTPS. In Nginx, a 301 redirect from port 80 to port 443. In Vercel and Netlify it is on by default. On WordPress the "Really Simple SSL" plugin handles it.
  2. Fix mixed content. If any image, script, or stylesheet loads over http://, the padlock breaks on that page. Open browser DevTools → Console and search for "Mixed Content." Update the URLs to https:// or to protocol-relative //.
  3. Update canonical URLs. Sitemap, robots.txt, Google Search Console, analytics, and any hard-coded domain in your code should use https://.
  4. Add HSTS. See the next section.
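Step 2 is the one that usually needs a tool rather than eyeballing. The scanner below is an added example, not code from this post: it resolves every fetched sub-resource URL against the page URL and reports the ones that would load over http://; the sample HTML is constructed.

```python
# Added example, not from the original post: a mixed-content scanner for
# checklist step 2. Standard library only, so it runs offline on saved HTML.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a sub-resource (<a href> is a navigation,
# not mixed content). <link> only fetches for FETCHED_LINK_RELS; rel="canonical"
# is metadata and belongs to checklist step 3 instead.
URL_ATTRS = {"img": ("src", "srcset"), "script": ("src",), "link": ("href",),
             "iframe": ("src",), "video": ("src", "poster"), "source": ("src", "srcset")}
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}

class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, absolute url) for every http:// sub-resource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = set((attrs.get("rel") or "").lower().split())
        if tag not in URL_ATTRS or (tag == "link" and not rel & FETCHED_LINK_RELS):
            return
        for name in URL_ATTRS[tag]:
            value = attrs.get(name) or ""
            # srcset holds comma-separated "url descriptor" pairs; keep the url part.
            parts = value.split(",") if name == "srcset" else [value]
            for part in filter(None, (p.strip() for p in parts)):
                url = urljoin(self.page_url, part.split()[0])  # resolves "/x" and "//cdn"
                if urlsplit(url).scheme == "http":
                    self.findings.append((tag, name, url))

def find_mixed_content(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

def upgrade_url(url):
    """The fix from step 2: rewrite http:// to https:// (no-op otherwise)."""
    return "https://" + url[len("http://"):] if url.startswith("http://") else url

# Constructed sample page: one http:// stylesheet, one http:// image and its srcset.
# The canonical link, the protocol-relative script and the relative logo are clean.
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/"><script src="//cdn.example.com/app.js"></script>
</head><body><img src="/logo.png">
<img src="http://example.com/hero.jpg" srcset="http://example.com/hero-2x.jpg 2x">
<a href="http://example.com/about">about</a></body></html>"""
```

Run `find_mixed_content(SAMPLE_HTML, "https://example.com/")` and each finding's URL through `upgrade_url` to get the replacement; in a CI job, a non-empty result should fail the build.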

HSTS: the 2026 default

HSTS (HTTP Strict Transport Security) is a header that tells browsers: "for the next N seconds, never load this domain over HTTP." It closes a class of downgrade attacks where an attacker on the same Wi-Fi intercepts the first HTTP request before your 301 fires.

Wait until your site works flawlessly on HTTPS for at least a week, then add:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

One year, all subdomains, eligible for the HSTS preload list. Once you are confident, submit your domain at hstspreload.org. Browsers will then hardcode your site as HTTPS-only on first visit.

Do not add preload unless you mean it. Removing a domain from the preload list takes weeks. If any subdomain still runs over HTTP, do not set includeSubDomains until that subdomain has SSL.
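Before submitting, it is worth checking the header value mechanically. This is an added example, not code from this post: it parses a Strict-Transport-Security value and lists what would block preload, including the includeSubDomains caveat; the list of HTTP-only subdomains is constructed input you supply from your own inventory.

```python
# Added example, not from the original post: parse a Strict-Transport-Security
# header value and list what keeps it from being safe to submit to hstspreload.org
# (one-year max-age, includeSubDomains, preload, plus the HTTP-only subdomain caveat).
ONE_YEAR = 31536000  # seconds; the minimum max-age the preload list accepts

def parse_hsts(header_value):
    """Parse directives into a dict. Directive names are case-insensitive."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')  # RFC 6797 allows a quoted value
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed

def hsts_problems(header_value, http_only_subdomains=()):
    """Return the reasons not to preload yet; an empty list means go ahead.

    http_only_subdomains is constructed input: hostnames you know still serve
    plain HTTP, which includeSubDomains would break for the whole max-age.
    """
    if header_value is None:
        return ["no Strict-Transport-Security header on the HTTPS response"]
    h = parse_hsts(header_value)
    problems = []
    if h["max_age"] is None:
        problems.append("max-age missing: browsers ignore the whole header")
    elif h["max_age"] < ONE_YEAR:
        problems.append(f"max-age={h['max_age']} is below the one-year preload minimum")
    if not h["include_subdomains"]:
        problems.append("includeSubDomains missing (required for preload)")
    elif http_only_subdomains:
        problems.append("includeSubDomains set, but still HTTP-only: "
                        + ", ".join(http_only_subdomains))
    if not h["preload"]:
        problems.append("preload directive missing")
    return problems
```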

Common errors and fixes

These are the ones I see on 80% of client SSL tickets.

NET::ERR_CERT_COMMON_NAME_INVALID. The cert is for example.com but the URL is www.example.com, or vice versa. Issue the cert for both names, or redirect one to the other.

NET::ERR_CERT_AUTHORITY_INVALID. Self-signed cert, or the chain is incomplete. Check the intermediate cert bundle. On Nginx, point ssl_certificate at fullchain.pem (the leaf plus intermediates), not cert.pem.

Mixed content warning but no broken padlock. You have http:// images or scripts. Chrome auto-upgrades some of them now but not all. Find them in DevTools.

Cert expired. Auto-renewal broke. Check the cron job or systemd timer. Run certbot renew --dry-run to diagnose.

Let's Encrypt rate limit. You tried to issue more than 5 certs for the same domain in 7 days. Wait a week or use the staging environment for testing.

Cloudflare "Too many redirects." Your origin redirects HTTP to HTTPS, Cloudflare also redirects, and the two are stuck in a loop. Set Cloudflare SSL mode to "Full (strict)" so Cloudflare reaches your origin over HTTPS, then keep the HTTP-to-HTTPS redirect in one place only, either at Cloudflare or at the origin, not both.

SSL and PCI, briefly

If your site takes card payments, PCI-DSS 4.0 adds a few rules on top:

  • TLS 1.2 minimum; prefer 1.3. Disable TLS 1.0 and 1.1.
  • Disable weak ciphers (anything using RC4, 3DES, or CBC-mode for older TLS).
  • HSTS is required for any page that renders card forms.
  • Cert must come from a publicly trusted CA. Self-signed is not allowed in the payment flow.

The Mozilla SSL Configuration Generator gives you a copy-paste Nginx or Apache config for the "intermediate" profile that meets PCI requirements. Use that.

For the wider ecommerce security picture, see my ecommerce security checklist and the parent guide on website security for business owners.

SSL versus a WAF

SSL encrypts traffic. It does nothing about a SQL injection, a stolen password, or a bot hammering your login. A Web Application Firewall (WAF) is the layer that handles those. You want both. I broke down the difference and the right combo in WAF vs CDN: what each one actually does.

How I set this up for clients

For most business websites I build, the SSL chain looks like:

  • Cloudflare in front, Full (strict) mode
  • Let's Encrypt or Vercel-managed cert on the origin
  • HSTS with preload after one week of clean HTTPS
  • TLS 1.2 and 1.3 only, modern ciphers
  • Automated Lighthouse check in CI that fails the build on mixed content

Total recurring cost: $0 for the cert. The rest is a one-time configuration.

For a reference of what "properly set up" looks like in production, the LAK Embalagens corporate website case study covers a full B2B catalog build where the SSL and CDN setup helped cut bounce rate by 45% and bring the site into Top 3 Google rankings. The same disciplined defaults turn up in the Imohub real estate portal build with 120k+ properties at sub-0.5s query response.

FAQ

Do I need SSL if I do not take payments?

Yes. Chrome and Safari mark non-HTTPS pages as "Not Secure." Google ranks HTTPS higher. Any form (even a newsletter signup) leaks in plain text without it.

Why is my Let's Encrypt cert valid for only 90 days?

By design. Short lifetimes limit damage if a private key leaks. Your host or Certbot renews every ~60 days without you doing anything.

Can I install SSL without downtime?

Yes. Issue and install the cert, then flip the redirect from HTTP to HTTPS. There is a sub-second gap while Nginx reloads. Most users will not notice.

What does the padlock icon actually prove?

That the domain in the URL matches a cert issued by a publicly trusted CA, and that traffic to that page is encrypted. It does not prove the site is trustworthy, non-malicious, or legitimate as a business.

Should I still use paid OV certificates?

Only if a partner contract or regulator names them by type. Browsers show no visible difference to your customers in 2026.

Can I use a wildcard cert across all my subdomains?

Yes. Let's Encrypt issues wildcard certs through the DNS-01 challenge. Caddy and Certbot both support it. Worth doing if you spin up new subdomains often.

What happens when the cert expires?

The site stops working in browsers — visitors see a full-page warning that they cannot click through on most modern browsers. Set up monitoring (Better Uptime, Pingdom, or even a cron running openssl s_client) so you find out before customers do.
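The cron monitor from this answer, as an added example that is not the post's own code: a Python check using the standard ssl module in place of openssl s_client, which also catches the case where the cert has already expired (the handshake fails before any expiry date can be read). The 14-day warning threshold is my own choice, not a Let's Encrypt setting.

```python
# Added example, not from the original post: the "cron running openssl s_client"
# monitor from the FAQ, in Python so the expiry arithmetic is testable offline.
import socket
import ssl
import sys
import time

WARN_DAYS = 14  # Certbot renews at ~60 days; under 14 means renewal has broken

def days_remaining(not_after, now=None):
    """Days until expiry from a notAfter string in the form the ssl module and
    `openssl x509 -enddate` print, e.g. 'Jun  1 12:00:00 2026 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400

def classify(days):
    if days <= 0:
        return "EXPIRED"
    return "WARN" if days < WARN_DAYS else "OK"

def fetch_not_after(hostname, port=443, timeout=5.0):
    """Handshake with system roots and hostname checking on, like a browser."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(hostname):
    """Return (status, detail); status is OK, WARN, EXPIRED or FAIL."""
    try:
        not_after = fetch_not_after(hostname)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired cert, a self-signed cert or a missing intermediate
        # all land here: the handshake fails before notAfter can be read.
        return "FAIL", f"{hostname}: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        return "FAIL", f"{hostname}: {exc}"
    days = days_remaining(not_after)
    return classify(days), f"{hostname}: expires {not_after} ({days:.1f} days left)"

if __name__ == "__main__":
    # Usage: python check_cert.py example.com www.example.com (non-zero exit on trouble)
    results = [check_host(h) for h in sys.argv[1:]]
    for status, detail in results:
        print(status, detail)
    sys.exit(0 if all(s == "OK" for s, _ in results) else 1)
```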

Reflecting on the boring win

SSL is the most boring control on a website and one of the most consequential. Ten minutes of setup, a one-page checklist, and a year-long header buys you the entire encryption-in-transit story. There is no clever architecture to design, no dashboard to monitor day to day, no quarterly review with a vendor. It just runs.

The only real failure mode I keep seeing is forgotten renewal on hand-rolled VPS setups. Use a host that handles it for you, or write the cron job once and never touch it again. Either way, the padlock is supposed to be the thing nobody on your team thinks about. Make it that.

If you hit a wall or want a second pair of eyes on a mixed-content mess, book a free strategy call. Most SSL issues are 20-minute fixes once someone has seen them before.
