
SSL Certificates for Online Stores Explained: Types, Setup, and Common Mistakes

A TLS certificate (still universally called an SSL certificate) lets your server prove its identity to the customer's browser and set up an encrypted connection, so that credit card numbers, passwords, and personal information cannot be read or altered in transit. Most online stores need only a free Domain Validated (DV) certificate from Let's Encrypt; the encryption itself is negotiated between browser and server and is the same whether the certificate was free or cost hundreds of dollars. Hosted platforms like Shopify and Squarespace include SSL automatically, while self-hosted stores on WooCommerce or Magento need to install and configure a certificate through their hosting provider.

What SSL Actually Does for Your Store

SSL (Secure Sockets Layer, now technically TLS or Transport Layer Security) creates an encrypted tunnel between your customer's browser and your web server. When a customer enters their credit card number, home address, or login password on your store, SSL encryption scrambles that data so that anyone who intercepts it during transmission sees only unreadable ciphertext instead of the actual information. Without SSL, all data travels in plain text that anyone on the same network can read, including on public WiFi at coffee shops, airports, and hotels where many customers shop from their phones.

Beyond encryption, SSL provides authentication, confirming that your customer's browser is actually connected to your server and not a fake site operated by an attacker. Man-in-the-middle attacks, where an attacker intercepts traffic between the customer and your store, are defeated by SSL authentication because the attacker cannot present a certificate for your domain that the browser will accept. This authentication is what makes the padlock icon appear in the browser's address bar, which customers have learned to look for before entering payment information. Note what the padlock does and does not say: it means the connection is encrypted to whoever controls that domain name, not that the business behind it is honest; phishing sites routinely have valid certificates too.

SSL also provides a measurable business impact beyond security. Google confirmed in 2014 that HTTPS is a ranking signal for search results, describing it at the time as a lightweight one. Chrome, Firefox, and Safari all display "Not Secure" warnings for non-HTTPS sites, which immediately kills customer trust and conversion rates. Studies by GlobalSign found that 84% of online shoppers would abandon a purchase on a site without a visible padlock icon. For SEO and conversion optimization, SSL is not optional.

SSL Certificate Types and Which One You Need

Domain Validated (DV) certificates verify only that you control the domain name. The Certificate Authority confirms ownership by checking a DNS record, an email to the domain's admin address, or a file placed on the web server. DV certificates issue in minutes and cost nothing through Let's Encrypt, or $10 to $80 per year from commercial Certificate Authorities. This is what the vast majority of online stores need. A DV certificate gives you the same HTTPS protocol and the same padlock icon as any other certificate type. The strength of the encryption is not a property of the certificate at all: the cipher (AES-256-GCM, for example) is negotiated between the browser and your server from your server's configuration, so a free DV certificate and a $300 EV certificate installed on the same server give byte-for-byte the same protection.

Organization Validated (OV) certificates verify both domain ownership and the legal existence of your business. The Certificate Authority checks your business registration, physical address, and phone number before issuing the certificate. OV certificates cost $50 to $200 per year and take 1 to 3 business days to issue. The encryption is identical to DV. The only visible difference is that clicking the padlock icon shows your verified business name and address in the certificate details. Most customers never check these details, making OV certificates largely unnecessary for small ecommerce stores.

Extended Validation (EV) certificates require the most thorough business verification, including legal, physical, and operational checks. They cost $100 to $300 per year and take 1 to 5 business days to issue. EV certificates previously displayed the company name in a green address bar, which was a visible trust signal. However, Chrome removed the green bar in 2019, and other browsers followed. The company name now only appears when you click the padlock icon, significantly reducing the visibility advantage that justified the higher cost. For most ecommerce stores, an EV certificate is an unnecessary expense that provides no practical security or trust benefit over a free DV certificate.

Wildcard certificates cover every first-level subdomain of your domain (*.yourdomain.com) with a single certificate. The wildcard stands for exactly one DNS label, so *.yourdomain.com covers shop.yourdomain.com and checkout.yourdomain.com, but not yourdomain.com itself and not two-level names like eu.shop.yourdomain.com. The bare domain therefore has to be listed in the certificate alongside the wildcard, which Let's Encrypt and most commercial CAs allow. If your store uses several subdomains, a wildcard is more convenient and often cheaper than separate certificates for each one. Let's Encrypt issues wildcard certificates for free, but only through the DNS-01 challenge, so your DNS provider needs to support automated record updates or you will be adding TXT records by hand at every renewal. Commercial wildcard certificates cost $75 to $500 per year.
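The single-label rule above is where wildcard setups usually go wrong, so here is an added example (not from the page) that applies it the way browsers do, following RFC 6125: a function that says whether a certificate name covers a hostname, and a wrapper that reports which of your store's hostnames a given set of certificate names leaves uncovered. The domain names are hypothetical; `cert_names` reads the real names out of a certificate file with openssl and is the only part that touches the filesystem.

```sh
#!/bin/sh
# Added example, not from the page: does a certificate name cover a hostname?
# A wildcard must be the leftmost label and matches exactly one label, so
# "*.example.com" covers "shop.example.com" but neither "example.com" (the apex)
# nor "eu.shop.example.com".

# name_covers <name in certificate> <hostname>  -> exit 0 if covered, 1 if not
name_covers() {
    cert_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cert_name" in
        \*.*)
            suffix=${cert_name#\*}                 # "*.example.com" -> ".example.com"
            case "$host" in
                *"$suffix") prefix=${host%"$suffix"} ;;   # what the "*" has to stand for
                *) return 1 ;;
            esac
            # the prefix must be exactly one label: non-empty and dot-free
            [ -n "$prefix" ] && [ "$prefix" = "${prefix#*.}" ]
            ;;
        *)
            [ "$cert_name" = "$host" ]
            ;;
    esac
}

# hosts_missing_from_cert "<space-separated names from the certificate>" host...
# Prints each hostname that no certificate name covers; exit 0 if all are covered.
hosts_missing_from_cert() {
    names=$1; shift
    set -f                 # "*.example.com" must not glob-expand against the filesystem
    missing=0
    for h in "$@"; do
        covered=1
        for n in $names; do
            if name_covers "$n" "$h"; then covered=0; break; fi
        done
        if [ "$covered" -ne 0 ]; then printf '%s\n' "$h"; missing=1; fi
    done
    set +f
    return "$missing"
}

# cert_names <pem file>: list the DNS names a certificate actually contains
# (the Subject Alternative Name field; needs OpenSSL 1.1.1 or newer for -ext).
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Typical use against the live Let's Encrypt certificate on the server
# (hypothetical path, as certbot lays it out):
#   hosts_missing_from_cert "$(cert_names /etc/letsencrypt/live/example.com/fullchain.pem | tr '\n' ' ')" \
#       example.com www.example.com shop.example.com
# Every name it prints has to be added to the certificate with another -d flag.

hosts_missing_from_cert '*.example.com' example.com shop.example.com eu.shop.example.com
# prints example.com and eu.shop.example.com: a wildcard alone covers neither
```

Run it before renewing: if it prints anything, the certificate needs that name added, or, for the apex, the bare domain requested alongside the wildcard.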

Free vs Paid SSL Certificates

Let's Encrypt revolutionized SSL by providing free, automated DV certificates. Each certificate is valid for 90 days, and the ACME client on your server (certbot, acme.sh, or the one built into your hosting control panel) renews it automatically, typically once 30 days remain. The certificates are trusted by every modern browser and operating system and use the same key types as paid ones (RSA of 2048 bits or more, or P-256/P-384 ECDSA); the session encryption, such as AES-256-GCM, comes from the TLS negotiation and is identical. Over 300 million websites use Let's Encrypt, including major companies, government agencies, and high-traffic ecommerce stores.

The legitimate reasons to choose a paid certificate over Let's Encrypt are narrow. If your hosting provider does not support Let's Encrypt and manual SSL installation is required, a paid certificate with a longer validity period (up to about 13 months, the current browser-imposed maximum, vs 90 days) reduces maintenance. If your business requires OV or EV validation for compliance or contractual reasons, those are only available from paid Certificate Authorities. If you need a warranty (paid certificates include warranties of $10,000 to $1.75 million against mis-issuance), a paid certificate provides that, though the warranty is almost never relevant in practice.

For most online stores, a free Let's Encrypt certificate is the correct choice. The encryption is the same, the browser display is the same, the SEO benefit is the same, and the automatic renewal eliminates the risk of certificate expiration that causes embarrassing "Your connection is not private" warnings. Many hosting providers including SiteGround, Bluehost, A2 Hosting, and Cloudways include automatic Let's Encrypt installation and renewal in their hosting plans.

SSL on Hosted Ecommerce Platforms

Shopify includes SSL automatically for all stores. Every Shopify store, including those on the basic $39/month plan, gets a free SSL certificate that covers both the myshopify.com subdomain and any custom domain you connect. Shopify handles installation, configuration, and renewal with no action required from the store owner. HTTPS is enforced by default, and there is no option to disable it. If you just connected a custom domain and SSL is not yet active, allow up to 48 hours for Shopify to provision and activate the certificate.

Squarespace includes SSL automatically for all sites, handled identically to Shopify with no configuration needed.

BigCommerce includes SSL for all stores. Custom domains receive automatic SSL certificate provisioning. The certificate covers your storefront and the BigCommerce-hosted checkout. No configuration is required.

WooCommerce runs on WordPress, which means SSL depends on your hosting provider rather than the platform. Most quality hosting providers include free Let's Encrypt SSL and can activate it in your hosting control panel with one click. After activating SSL in your hosting, update your WordPress settings: go to Settings, General, and change both the WordPress Address and Site Address from http:// to https://. Install a plugin like Really Simple SSL to handle redirect configuration and fix mixed content issues. Card payment gateways require HTTPS on the checkout page, and PCI DSS requires it for any page that handles cardholder data, so verify that every page of the store loads over HTTPS without warnings before processing any orders.

Troubleshooting Common SSL Problems

Mixed content warnings occur when your HTTPS page loads some resources (images, scripts, stylesheets) over plain HTTP. Browsers treat a single unencrypted resource on an encrypted page as a security gap, and how they react depends on what the resource is: active content such as scripts, stylesheets, and iframes loaded over HTTP is blocked outright, because an attacker who can modify it controls the whole page, while passive content such as images is blocked or silently upgraded to HTTPS in current Chrome and Firefox, so a store can lose its product images without any error being shown to you. The most common causes are hardcoded http:// URLs in your content, theme files, or custom CSS. Fix this by changing the URLs to https://. Protocol-relative URLs that start with // (like //cdn.example.com/image.jpg) were once the recommended fix but are now discouraged: your site only serves HTTPS, so there is no reason to leave the choice open. For resources you do not control, such as a third-party CDN or widget, confirm that an HTTPS version actually exists before rewriting; as a safety net, a Content-Security-Policy header of upgrade-insecure-requests makes the browser rewrite any remaining http:// references itself. The WordPress plugin Really Simple SSL automatically fixes most mixed content issues. For manual fixes, search your database for http://yourdomain.com and replace with https://yourdomain.com using a search-and-replace tool that understands serialized PHP data (WP-CLI's search-replace command or the Better Search Replace plugin); a plain SQL REPLACE corrupts serialized theme and widget options.
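To make the distinction concrete, here is an added example (not from the page) that does the audit by hand: it lists every plain-http sub-resource in an HTML file, skipping `<a href>` links because navigation is not mixed content, and rewrites only the same-origin references to https://, leaving third-party hosts for you to check first. The sample page, domain names, and file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the page: find plain-http sub-resources in an HTML
# file and rewrite the same-origin ones. Domain and file names are hypothetical.

# http_resources <html file>: print each http:// URL the page loads as a
# sub-resource, one per line. Only tags that load content are scanned; an
# <a href="http://..."> is a link, not mixed content.
http_resources() {
    {
        grep -oiE '<(link|script|img|iframe|source|video|audio|object|embed)[^>]*>' "$1" \
          | grep -oiE "(src|href)=[\"']http://[^\"']+"
        grep -oiE "url\\([\"']?http://[^\"')]+" "$1"       # CSS url(...) in inline styles
    } | grep -oE 'http://.*' || true                       # no hits is not an error
}

# https_same_origin <html file> <domain>: write the page to stdout with
# http://<domain>... changed to https://. Other hosts are left alone, since a
# third-party host may not serve the resource over HTTPS at all.
https_same_origin() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')            # escape dots for the regex
    sed -e "s#http://$esc\\([^A-Za-z0-9.-]\\)#https://$2\\1#g" \
        -e "s#http://$esc\$#https://$2#" "$1"
}

# Constructed sample page (not a real store) to run the functions against.
sample_html=$(mktemp)
cat > "$sample_html" <<'EOF'
<link rel="stylesheet" href="https://yourdomain.com/css/store.css">
<img src="http://yourdomain.com/img/logo.png" alt="logo">
<script SRC="http://cdn.othersite.net/lib.js"></script>
<div style="background: url('http://yourdomain.com/bg.jpg')"></div>
<a href="http://partner.example/buy">partner</a>
EOF

echo "Plain-http sub-resources:"
http_resources "$sample_html"        # 3 lines; the partner link is not one of them

https_same_origin "$sample_html" yourdomain.com > "$sample_html.fixed"
echo "Still plain-http after the same-origin rewrite:"
http_resources "$sample_html.fixed"  # only cdn.othersite.net/lib.js remains, to be checked by hand
```

For a WordPress store the same rewrite over the database is `wp search-replace 'http://yourdomain.com' 'https://yourdomain.com' --skip-columns=guid --dry-run` (drop `--dry-run` once the preview looks right); it handles serialized options, which is exactly what a raw SQL REPLACE gets wrong. Remember to delete the temporary files the example creates.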

Certificate expiration causes browsers to display a full-page "Your connection is not private" warning that prevents most customers from proceeding. This is catastrophic for an online store because it effectively takes your site offline for purchasing. Let's Encrypt certificates expire every 90 days, which is why automatic renewal is critical. If you use Let's Encrypt, verify that your hosting provider's auto-renewal is functioning by checking the certificate expiration date in your browser (click the padlock icon, then view certificate details). Renewal clients attempt renewal once 30 days remain, so a Let's Encrypt certificate showing fewer than about 20 days left means auto-renewal has already failed and must be fixed before the certificate lapses. For paid certificates, set a calendar reminder 30 days before expiration and another at 7 days. Certificate expiration is the most common SSL failure for ecommerce stores, and it is entirely preventable with proper monitoring.
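Clicking the padlock does not scale past one store, so here is an added example (not from the page) of the same check from the command line with openssl: a days-left test built on `openssl x509 -checkend`, a classification that treats "renewal should already have happened" as a warning, and a helper that fetches the certificate a live server presents. The thresholds, hostnames, and the self-signed test certificate are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the page: certificate expiry checks with openssl.

# cert_not_after <pem file>: print the certificate's notAfter date
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within <pem file> <days>: exit 0 if the certificate will have
# expired <days> from now, 1 if it still has more than <days> left.
# (openssl -checkend exits 0 when the certificate will NOT expire in that time.)
cert_expires_within() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null && return 1
    return 0
}

# renewal_status <pem file>: one word for a monitoring check.
#   ok        more than 20 days left
#   warning   20 days or less: a Let's Encrypt client renews at 30 days left,
#             so reaching this point means auto-renewal is failing
#   critical  7 days or less: fix it today
renewal_status() {
    if cert_expires_within "$1" 7; then echo critical
    elif cert_expires_within "$1" 20; then echo warning
    else echo ok
    fi
}

# live_cert <hostname>: print, in PEM form, the certificate the server actually
# serves for <hostname>. -servername sends SNI, which shared hosting needs in
# order to pick the right certificate. Needs network access; not run here.
live_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509
}
# e.g.  live_cert shop.example.com > /tmp/shop.pem && renewal_status /tmp/shop.pem

# Constructed test certificate: self-signed with 10 days of validity, so it
# lands in the "warning" band. Never use a self-signed certificate on a store.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 10 -subj '/CN=shop.example.com' \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" 2>/dev/null

echo "expires: $(cert_not_after "$demo_dir/cert.pem")"
echo "status:  $(renewal_status "$demo_dir/cert.pem")"     # warning
```

Run `renewal_status` against `live_cert` output from a cron job or your monitoring system rather than against the file on disk: the file can be freshly renewed while the web server is still serving the old one because nobody reloaded it.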

Redirect loops happen when your HTTPS configuration creates a circular redirect between HTTP and HTTPS. This typically occurs when Cloudflare or another CDN is set to "Flexible SSL" mode (which serves HTTPS to visitors but connects to your origin server over plain HTTP, so the traffic between the CDN and your server, card data included, is unencrypted) while your server is also configured to redirect HTTP to HTTPS. The server sees the HTTP connection from the CDN and redirects to HTTPS, the CDN fetches that over HTTP again, and the loop continues until the browser gives up. Fix this by installing a certificate on the origin server (Let's Encrypt, or a free Cloudflare Origin CA certificate if only Cloudflare will ever connect to it) and setting Cloudflare's SSL mode to "Full (Strict)". Plain "Full" also stops the loop, but it accepts any certificate on the origin, expired or self-signed, so it still lets anyone positioned between Cloudflare and your server impersonate the server; "Full (Strict)" validates the origin certificate the way a browser would.

SSL not working on subdomains occurs when your certificate covers only the main domain (yourdomain.com and www.yourdomain.com) but not subdomains like shop.yourdomain.com. A certificate covers exactly the names listed in it (the Subject Alternative Name field); hosting panels normally request the bare domain and www together, which is why those two work and other subdomains do not. If you use other subdomains, you need either a wildcard certificate or the extra names added to the certificate (or a separate certificate for each subdomain). Let's Encrypt supports all of these at no cost.

Testing and Verifying Your SSL Configuration

After installing SSL, run the free Qualys SSL Labs test (ssllabs.com/ssltest) on your domain. This comprehensive test checks your certificate validity, encryption protocols, key exchange parameters, and server configuration. Aim for an A or A+ rating. Common issues that reduce your score include supporting the outdated TLS 1.0 and 1.1 protocols (formally deprecated in 2021; disable them in your server configuration, as modern browsers do not need them), weak cipher suites, and missing HSTS headers. Also look at the chain section of the report: a server that sends its own certificate without the CA's intermediate certificate passes in desktop Chrome, which fetches the missing link itself, yet fails for some Android devices, curl, and payment-gateway webhooks. Let's Encrypt clients avoid this when you configure the server with fullchain.pem rather than cert.pem.
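As an added example (not from the page) of the server-side half of that checklist, here is a minimal nginx configuration for a hypothetical store at example.com using the paths certbot creates; the weak protocol line is left in as a comment beside its replacement, and the headers it sets are the ones the next section and the mixed-content discussion call for.

```nginx
# Added example, not from the page. Hostnames and paths are hypothetical.
server {
    listen 80;
    server_name example.com www.example.com;
    # Port 80 does nothing but redirect. Do not send HSTS here: browsers
    # ignore the header on plain HTTP responses.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    # fullchain.pem includes the intermediate; cert.pem alone gives an
    # incomplete chain that SSL Labs flags and some clients reject.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Weak (costs the SSL Labs grade):  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS: one year, subdomains included (required for the preload list).
    # Start with a short max-age (e.g. 300) until you are sure every
    # subdomain works over HTTPS, then raise it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Safety net for leftover http:// references in page content.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;

    root /var/www/store;
    index index.php index.html;
}
```

After `nginx -t` and a reload, re-run the SSL Labs test; the protocol and HSTS findings should be gone and the chain section should show the intermediate being sent.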

HTTP Strict Transport Security (HSTS) tells browsers to always connect to your site over HTTPS, even if a user types http:// or clicks an HTTP link. This prevents SSL stripping attacks where an attacker downgrades the connection from HTTPS to HTTP. Add the HSTS header to your HTTPS server configuration (browsers ignore it on plain HTTP responses) with a max-age of at least 31536000 seconds (one year), and include the includeSubDomains directive once every subdomain is known to work over HTTPS. Most WAF providers including Cloudflare can add HSTS headers without server configuration changes. Once HSTS is active and you have verified it works correctly, consider submitting your domain to the HSTS preload list (hstspreload.org), which hardcodes your HTTPS requirement into browsers themselves. Preloading requires max-age of at least one year, includeSubDomains, and the preload directive, and it is effectively permanent: removal takes months to propagate, so any subdomain that still needs plain HTTP will break for every visitor until then. Roll out with a short max-age first, raise it, and only then preload.
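Here is an added example (not from the page) that checks a Strict-Transport-Security header value against those requirements: it extracts max-age, tests it against the one-year minimum, and reports whether the header also satisfies the preload-list criteria. The header values at the end are constructed for the demonstration; the live check with curl is shown in a comment because it needs network access.

```sh
#!/bin/sh
# Added example, not from the page: validate a Strict-Transport-Security header.
# Directive names are case-insensitive, so everything is lowercased first.

# hsts_max_age <header value>: print the max-age number, or nothing if absent
hsts_max_age() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
      | sed -n 's/^[[:space:]]*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# hsts_has_directive <header value> <directive>: exit 0 if present
hsts_has_directive() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx "$2"
}

# hsts_check <header value>: prints one of
#   missing        no usable max-age, so browsers ignore the header
#   weak           max-age under one year (31536000 seconds)
#   ok             one year or more, but not eligible for hstspreload.org
#   preload-ready  one year or more with includeSubDomains and preload
hsts_check() {
    age=$(hsts_max_age "$1")
    if [ -z "$age" ]; then echo missing; return; fi
    if [ "$age" -lt 31536000 ]; then echo weak; return; fi
    if hsts_has_directive "$1" includesubdomains && hsts_has_directive "$1" preload; then
        echo preload-ready
    else
        echo ok
    fi
}

# Live check (needs network; not run here). The header must come from the
# HTTPS response, which is why the URL is https://.
#   curl -sI https://shop.example.com/ | sed -n 's/^[Ss]trict-[Tt]ransport-[Ss]ecurity: *//p'
# pipes straight into hsts_check "$(...)".

# Constructed header values to show each outcome:
hsts_check 'max-age=300'                                       # weak
hsts_check 'max-age=31536000'                                  # ok
hsts_check 'max-age=63072000; includeSubDomains; preload'      # preload-ready
hsts_check 'includeSubDomains; preload'                        # missing
```

"weak" is the right state during rollout; only move to "preload-ready" once every subdomain, including ones you rarely think about such as mail or staging hosts, answers over HTTPS.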