
That little padlock in your browser’s address bar is backed by something specific: an SSL certificate. It’s the digital credential that proves a website is who it claims to be and switches your connection over to the encrypted https:// version. But what is an SSL certificate, really — and do you need to pay for one?
This plain-English guide explains what SSL certificates are, how they work, the different types, what they do (and don’t) protect, and how to get one for free — no technical background required.
Reviewed and kept current by the Coppers.io editorial team.
What is an SSL certificate?
An SSL certificate is a small digital file installed on a web server that does two jobs: it proves the website’s identity and it enables an encrypted connection between the site and your browser. When a site has a valid certificate, your browser shows https:// and a padlock instead of warning you that the connection isn’t secure.
The certificate is issued by a trusted third party called a Certificate Authority (CA), which verifies the site owner before signing it. Inside, it holds details like the domain name it’s valid for, who issued it, an expiry date, and a public key used to set up encryption.
One naming quirk: you’ll see “SSL” and “TLS” used almost interchangeably. SSL (Secure Sockets Layer) is the original protocol; it was replaced years ago by the more secure TLS (Transport Layer Security). The name “SSL certificate” simply stuck. For how that encrypted connection actually works, see our guide to HTTPS.
How does an SSL certificate work?
The certificate is what makes the secure handshake between your browser and a website possible. In simple terms:
- Validation. Before issuing a certificate, the CA checks that you control the domain (and, for higher tiers, that your organization is real).
- The trust chain. Browsers and devices ship with a built-in list of trusted CAs. When you visit a site, your browser checks that its certificate was signed by one of those trusted authorities and hasn’t expired or been revoked.
- Key exchange. The certificate’s public key lets your browser and the server agree on a secret key, which then encrypts everything sent between you — passwords, payments, form data — so eavesdroppers can’t read it.
If anything fails — an expired certificate, a name mismatch, an untrusted issuer — the browser throws up the familiar “Your connection is not private” warning. For a deeper technical reference, Cloudflare’s explainer on SSL certificates is a solid source.
Types of SSL certificates
Certificates differ in two ways: how thoroughly the owner is validated, and how many domains they cover.
| Type | What it verifies / covers |
|---|---|
| Domain Validation (DV) | Confirms control of the domain only — issued in minutes, the most common type |
| Organization Validation (OV) | Also verifies the business behind the site |
| Extended Validation (EV) | The strictest checks on the legal organization |
| Wildcard | One domain plus all its subdomains (*.example.com) |
| Multi-domain (SAN) | Several different domains on one certificate |
For most blogs, small businesses, and personal sites, a free DV certificate is all you need. OV and EV mainly matter for large organizations, banks, and e-commerce that want extra identity assurance.
What an SSL certificate does — and doesn’t do
A certificate does:
- Encrypt data in transit so it can’t be intercepted on the network.
- Authenticate the site’s identity so you’re not talking to an impostor.
- Enable HTTPS and the padlock, which browsers now require to avoid “Not secure” warnings.
- Help SEO and trust — Google uses HTTPS as a ranking signal.
It doesn’t:
- Make your website “secure” overall. It protects data in transit, not a poorly coded or unpatched site. You still need broader website security.
- Protect against malware or hacking of the server itself.
- Prove a business is trustworthy. A phishing site can get a free DV certificate too — the padlock means “encrypted,” not “honest.”
How to get a free SSL certificate
You almost never need to pay for basic encryption. The main options:
- Let’s Encrypt — a free, automated, non-profit CA that issues DV certificates trusted by every major browser. It powers a huge share of the web. (letsencrypt.org)
- Your web host or control panel — most hosts (and cPanel/Plesk) offer one-click free SSL, often Let’s Encrypt under the hood.
- Cloudflare — putting your site behind Cloudflare provides a free Universal SSL certificate automatically.
Free certificates last 90 days but renew automatically, so there’s nothing to remember. You’d only buy a paid certificate for OV/EV identity validation or a warranty — not for stronger encryption, which is identical either way.
The bottom line
An SSL/TLS certificate is the digital credential that proves a website’s identity and unlocks the encrypted https:// connection your browser trusts. For the vast majority of sites a free DV certificate from Let’s Encrypt or your host does everything you need — just remember the padlock means the connection is encrypted, not that the site behind it is automatically safe.
Want to go further? Learn how HTTPS works, see the bigger picture in our website security guide, and start with the fundamentals in cybersecurity basics for beginners.
FAQs
- TLS (Transport Layer Security) is the modern, more secure successor to SSL (Secure Sockets Layer). Today's "SSL certificates" actually use TLS — the older name just stuck for marketing and familiarity.
- No, but they work together. The SSL certificate is the credential installed on the server; HTTPS is the secure protocol it enables. A site needs a valid certificate before it can serve pages over HTTPS.
- For encryption, yes — a free Let's Encrypt certificate protects data exactly as well as a paid one. Paid certificates only add organization-identity validation (OV/EV) and warranties, which most sites don't need.
- It depends on the issuer. Free certificates from Let's Encrypt last 90 days and renew automatically; paid certificates typically last about a year. Letting one expire triggers browser security warnings, so auto-renewal is strongly recommended.
- Yes. Modern browsers mark sites without one as "Not secure," and HTTPS is a Google ranking factor. Since basic certificates are free and often one-click to install, every website should have one.
