What is an SSL certificate? Definition, validity, and costs

Contents

An SSL certificate is a digital file that confirms a website’s identity and enables an encrypted connection between the server and browser. It protects sensitive data like passwords from third-party access. Websites with an SSL certificate can be identified by the “https” in the URL and a small padlock icon in the browser.

Be secure. Buy an SSL certificate.

Secures data transfers
Avoids browser warnings
Improves your Google ranking

What is an SSL certificate?

Modern SSL certificates no longer use the outdated SSL (Secure Sockets Layer) but instead rely on the newer and more secure TLS (Transport Layer Security). In practice, however, “SSL certificates” is still the common term when referring to securing a website and server with encryption technology. The certificate itself is a simple data record: the file contains numerous details, such as the issuer’s name, the serial number, and the so-called fingerprint for encryption. Certificates come in various file formats and must be installed on the server for use.

To obtain an SSL certificate, website operators must contact a certification authority. These organizations are authorized to issue an SSL certificate but typically charge a fee for their service. But why can’t just anyone set up their own organization? The reason for this is that browser manufacturers, like Microsoft, Mozilla, or Google, must accept the certificates; otherwise, the certificate would be utterly useless.

How long is an SSL certificate valid?

A certificate accepted by browsers is not valid indefinitely. Each SSL certificate has an expiration date between 1 and 13 months. By 2029, SSL certificates are expected to be valid for a maximum of 47 days. When this occurs, website operators must replace their expired SSL certificates and have them renewed; otherwise, the respective sites will no longer be marked as particularly secure. Although renewing certificates on a regular basis can be both time-consuming and costly, it remains essential. Only by having certification authorities repeatedly verify integrity, identity, and the encryption methods in use can user security be reliably ensured.

Fact

The SSL certificate not only states its expiration date but also indicates the effective start date.

How does encryption work for SSL certificates?

There are several methods for encrypting data transfers. Traditionally, a single key is used for both encryption and decryption, meaning the exact same key is required to make a message readable again. On the internet, however, this approach is impractical since users often connect with people or organizations they have never interacted with outside the web. As a result, there is no secure way to exchange a key without sending it unencrypted over a public channel. For this reason, SSL certificates rely on a different encryption method.

In a Public Key Infrastructure (PKI), two keys are generated: one public and one private. Messages encrypted with the public key can only be decrypted with the private key. The public key is transmitted to the browser via the SSL certificate and used for encryption. Alongside this, the certificate also provides the browser with details about the supported encryption methods.

A widely used method today is AES (Advanced Encryption Standard) combined with the SHA256 cryptographic hash function. However, encryption standards evolve constantly—a method considered secure today may be cracked tomorrow and deemed unreliable.

What SSL certificates are there?

There are different types of SSL certificates. While issuers may vary in their verification processes, these differences are not the main criteria. Instead, SSL certificates are primarily distinguished by the level of applicant verification and the scope of coverage. Certificates in the Domain Validation category are now often available for free, but the costs of an Extended Validation certificate are usually too high for individuals and small businesses.

Domain Validation (DV)

Domain Validation represents the most basic level of SSL certificates, with verification of the website owner being rather minimal. In many cases, the certification authority simply sends an email to the address listed in the WHOIS entry. The applicant may then be asked to modify a DNS record or upload a specific file to their server to confirm control over the domain.

Organization Validation (OV)

OV SSL certificates are one level higher in terms of visitor security. The certification authority requests documents from the website owners during the validation process—usually after the automated Domain Validation has taken place. The specific documents required depend on the issuing organization—often, a business registration is requested.

Additionally, some certification authorities contact the website operators via phone. OV SSL certificates thus provide more security because there is more thorough vetting of who is truly behind the website. They also offer the advantage of keeping this information visible to users within the certificate itself.

Extended Validation (EV)

SSL certificates offered under the “Extended Validation” label represent the highest level of security. This type of certificate involves verification of the domain and the associated organization, as well as the applicant. It checks whether the applicant is indeed employed by the specified organization or company and whether they are authorized to request such a certificate.

Additionally, the certification authority must also be authorized to conduct Extended Validation. To become authorized, the authority must pass a review by the CA/Browser Forum, which is a voluntary association of certification authorities and browser vendors.

Create a website with your domain

Build your own website or online store, fast

Professional templates
Intuitive customizable design
Free domain, SSL, and email address

What does an SSL certificate cost? Free SSL vs. paid SSL

A significant factor in categorizing and selecting an SSL certificate is the costs associated with its acquisition. Relating this aspect directly to the three preceding verification types, it can be generally stated that the more extensive the certification check, the more one must pay for the certificate in the end. Since 2015, Let’s Encrypt has even been a certification authority providing certificates completely free of charge.

Differences between free and paid certificates

For the basic security of a website, ensuring it can be accessed via HTTPS instead of standard HTTP, a free certificate is just as effective as a paid one. Both types rely on SSL or TLS protocols, making secure data transfer mandatory between clients and servers.

In some aspects, however, free and paid certificates differ significantly from each other:

Validation level: For SSL certificate issuance, verification of the website owner is usually minimal—Domain Validation is the standard here. Certificates with higher security levels always require payment.
Domain scope: A free SSL certificate is typically issued for a single domain without additional technical effort and remains tied to it. Paid SSL/TLS solutions, however, also support cross-domain certificates that can secure multiple websites.

The advantages of paid SSL

Paid SSL certificates provide several advantages over free alternatives, as already outlined in the previous section. Depending on the provider and plan, they can cover multiple domains with minimal effort. This not only improves flexibility but also reduces the overall administrative workload. In case of issues, providers or certification authorities typically include personalized support—a service that free SSL certificate users usually don’t receive.

Which cost model is the right one?

A paid SSL certificate with EV verification is without doubt the optimal encryption solution for a web project. However, this type of certification is usually only affordable for larger companies, which are also the main target group in this case. More affordable certificates are generally sufficient for web projects in the SME sector, as long as no highly sensitive data—such as in online banking—is transmitted. For smaller projects where the transfer of personal data plays little or no role, free SSL certificates are a good alternative to paid options. In any case, when choosing your SSL certificate, you should pay attention to the following points:

Scope: Check how far the SSL certificate extends—for example, whether subdomains are also covered.
Single name: A standard certificate only applies to a single domain. This means that www.example.com and all subpages of this website are covered, but not subdomains.
Wildcard: These certificates use a wildcard (placeholder). Instead of only covering www.example.com, they also apply to all subdomains.
Multi-domain: Multi-domain certificates (also called SAN certificates) go far beyond the coverage of single-name or wildcard certificates. Many certification authorities offer certificates that can cover up to 100 domains.

How can you recognize an SSL certificate?

If you are using a modern browser, it’s easy to check whether a website is secured with SSL/TLS: just look at the address bar! Two indicators show that encryption is active:

a lock icon
the address starts with https:// instead of the usual http://

The additional “S” stands for Secure and signals to users that an additional SSL/TLS layer has been added to the Hypertext Transfer Protocol. In the TCP/IP protocol stack, an extra encryption layer has been inserted—between TCP and HTTP.

The lock icon is primarily an obvious signal from your browser that the website you’re visiting has a valid certificate. What many users don’t realize is that it’s also a button that leads to additional security information about the website. Clicking it opens a pop-up window with details about the certificate issuer, the encryption method used, and the certificate’s validity period.

Browsers give you clues right in the address bar about whether the website has a valid SSL certificate.

If the website you are visiting does not have a valid SSL certificate, you will see neither a lock icon nor https:// in the address bar. In addition, some browsers display warnings if users attempt to submit passwords or other sensitive data on such websites. The browser then alerts them that the data could be intercepted by third parties.

Fact

Just because a website does not have an SSL certificate does not necessarily mean it is a fraudulent site. However, the risk of criminal third parties stealing important personal data from you is higher on such sites than on those with an SSL certificate. Therefore, HTTPS is indispensable, especially when transmitting sensitive data.

Was this article helpful?

Internet security: secure websites with SSL and HTTPS

The topic of data security is becoming increasingly important for both private users as well as in the business world. As a website owner, you should take all the necessary precautions to ensure that a visit to your site is as secure as possible. Converting your site from HTTP to…

SSL
Security
HTTP
Tutorials

What is Chrome 68?

Early next month, Chrome 68 will be launched and the new browser will distrust all webpages that do not have HTTPS encryption as “not secure”. This is a big step in the recent trend towards emphasizing user safety on the internet, a not entirely selfless strategy from Google. In…

SEO
Encyclopedia
Security
HTTP

agsandrewshutterstock

HSTS

HTTPS, the network protocol for TLS-encrypted data transfer online can be circumvented in some cases. The danger is that encrypted websites can be accessed via unencrypted HTTP. But the HTTPS extension HSTS (HTTP Strict Transport Security) forces website access via TLS…

Security
HTTP
Encryption

What is a hash function? Definition, usage, and examples

Hash functions are used in many areas of computer science. They generate hash values that represent digital information in a consistent manner according to defined parameters. They provide additional security (using encryption) during data transmission and allow data to be…

Encyclopedia
Security

Install a Let's Encrypt SSL Certificate on a Cloud Server with Plesk

Let's Encrypt is a free, automated SSL certificate Authority. Using Let's Encrypt is a fast, free way to obtain an SSL certificate for your website. With Plesk, you can create and deploy a Let's Encrypt SSL certificate with just a few clicks. For any Cloud Server with Plesk,…

SSL
Tutorials