What SSL actually does

SSL (Secure Sockets Layer) — and its successor TLS (Transport Layer Security) — is a protocol that encrypts data in transit between a visitor's browser and your web server. Despite the technically correct name being TLS, the term "SSL certificate" has stuck and is what you will see in hosting control panels, certificate authority websites, and most documentation.

When SSL is active, data sent between a visitor and your server is encrypted. This means that if someone intercepts the traffic — on a public Wi-Fi network, for example — they cannot read the contents. Without SSL, all data is transmitted in plain text, including form submissions, login credentials, and payment information.

SSL also verifies identity. A certificate is issued to a specific domain by a Certificate Authority (CA) — a trusted third party that has validated that the certificate holder controls that domain. When a browser connects to your site, it checks that the certificate is valid, has not expired, and was issued by a trusted CA. If any check fails, the browser shows a security warning.

The difference between HTTP and HTTPS

HTTP (Hypertext Transfer Protocol) is the plain protocol — no encryption. HTTPS is HTTP over SSL/TLS — everything is encrypted. The visual difference: a padlock icon in the browser address bar for HTTPS, and a "Not Secure" warning label in Chrome and Firefox for HTTP sites.

Since 2018, Google Chrome has marked all HTTP sites as "Not Secure" rather than treating HTTPS as a special designation. This means that a visitor to your HTTP website will see a warning in their address bar before reading a single word on your page. The conversion impact of that warning on a small business site is real — many visitors, particularly those who do not know you already, will leave rather than risk an insecure connection.

Types of SSL certificate

SSL certificates come in three validation levels, which differ in what the Certificate Authority verifies before issuing the certificate.

Domain Validated (DV) certificates verify only that the applicant controls the domain. They are issued quickly — often within minutes — and are the right choice for most small business websites. The padlock looks identical to higher-validation certificates in modern browsers; the level of validation is not visible unless you click through to the certificate details.

Organisation Validated (OV) certificates verify that the applicant controls the domain AND that the organisation behind it is a legitimate registered entity. They take longer to issue and cost more. They are appropriate for businesses where organisational identity matters — financial institutions, professional service firms, and organisations where users need assurance that they are dealing with a verified company rather than a spoofed site.

Extended Validation (EV) certificates are the highest level, requiring the most thorough vetting of the organisation. They used to display a green address bar with the company name visible — a visible trust signal. Modern browsers have removed this display feature, meaning EV certificates now look identical to DV certificates to end users. Their value has diminished considerably as a result.

For a small business website that is not processing payments directly through a custom payment form or collecting highly sensitive personal information, a DV certificate is entirely appropriate.

Let's Encrypt: free SSL for most sites

Let's Encrypt is a non-profit Certificate Authority that issues free DV SSL certificates, with the goal of making HTTPS universal. It launched in 2016 and is now the most widely used CA in the world. Its certificates are trusted by all major browsers and operating systems.

Most web hosting providers now include Let's Encrypt integration directly in their control panels — in cPanel, look for "SSL/TLS Status" or "Let's Encrypt." With one click, you can issue a certificate for your domain and configure HTTPS. The certificate is valid for 90 days and renews automatically.

If your hosting provider does not include Let's Encrypt integration, you may need to install the certificate manually using the Certbot client, or use a CDN provider like Cloudflare (which offers free SSL termination at the CDN layer even without native hosting support).

There is no reason for a small business website to pay for an SSL certificate when Let's Encrypt provides a trusted, browser-accepted certificate for free.

When a paid certificate makes sense

Paid certificates are worth considering in specific circumstances. Wildcard certificates cover a domain and all its subdomains — useful if you run several subdomains (store.yourdomain.ca, portal.yourdomain.ca, blog.yourdomain.ca) and want a single certificate to cover all of them. Let's Encrypt does issue free wildcard certificates, but they require DNS-based validation, which is more complex to set up and automate.

Multi-domain (SAN) certificates cover multiple distinct domains under one certificate — useful if you are managing certificates for several client sites and want to consolidate administration. Paid certificates sometimes include warranty coverage against CA errors and customer support, which matters for mission-critical applications.

For most Canadian small business sites, Let's Encrypt is the right choice.

SSL and SEO

Google confirmed HTTPS as a ranking signal in 2014. It is described as a "lightweight" signal — it is not as significant as page speed or content relevance — but it is a confirmed factor. More importantly, the Chrome "Not Secure" warning directly affects user behaviour: higher bounce rates from visitors who see the warning before engaging with your content are a negative signal for rankings.

When migrating from HTTP to HTTPS, all HTTP URLs should redirect to their HTTPS equivalents via 301 permanent redirects. Without these redirects, you effectively have two versions of every page — the HTTP version and the HTTPS version — which splits your ranking signals and can create duplicate content issues. Any good hosting migration guide will cover this; any good web developer will configure redirects as part of the SSL installation.

Mixed content: the common post-installation problem

Mixed content is the most common problem that occurs after installing SSL on an existing site. It happens when a page is loaded over HTTPS but references resources — images, scripts, stylesheets, iframes — via HTTP URLs. The browser treats these HTTP resources as insecure and either blocks them or shows a warning, even though the page itself is served over HTTPS.

The result is either broken images and functionality, or a browser that shows a warning icon instead of the padlock. On a WordPress site, a search-and-replace of HTTP URLs in the database to HTTPS using a plugin like Better Search Replace will fix most instances. On a static site, it is a matter of finding and updating hardcoded HTTP links in HTML and CSS files.

After installing SSL and setting up redirects, check your site for mixed content using your browser's developer tools (Network tab, filter by "http") or an online tool like Why No Padlock (whynopadlock.com).
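The same check can be scripted against saved HTML. The following is an added example, not part of the original article: it lists every subresource a page requests over plain HTTP, including `srcset` candidates that a simple search for `src="http://` misses. The tag list and the sample page are assumptions made for this example.

```python
from html.parser import HTMLParser

# Tag -> attributes that make the browser fetch a subresource. <a href> is left
# out on purpose: a link to an HTTP page is navigation, not mixed content.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "source": ("src", "srcset"),
    "script": ("src",), "iframe": ("src",),
    "video": ("src", "poster"), "audio": ("src",),
}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> types that load a file

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs, urls = dict(attrs), []
        if tag == "link" and LINK_RELS & set((attrs.get("rel") or "").lower().split()):
            urls.append(attrs.get("href") or "")
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name) or ""
            if name == "srcset":  # "url 1x, url 2x": take the URL of each candidate
                urls += [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls.append(value)
        for url in (u.strip() for u in urls):
            if url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], tag, url))

def find_mixed_content(html):
    """Return [(line, tag, url)] for every subresource requested over plain HTTP."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (not taken from a real site).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://yourdomain.ca/style.css">
</head><body>
<a href="http://example.com/">an ordinary link</a>
<img src="https://yourdomain.ca/a.jpg" srcset="http://yourdomain.ca/a-2x.jpg 2x">
<iframe src="//maps.example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {url}")
```

It reads HTML attributes only, so `url(http://...)` references inside CSS files still need the browser or online check described above.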

Auto-renewal: the thing most people forget

Let's Encrypt certificates expire every 90 days. Auto-renewal is configured by Certbot or your hosting provider to run before expiry — typically renewing at 60 days remaining. But "configured to auto-renew" is not the same as "will definitely auto-renew reliably."

Renewal failures happen: the renewal cron job gets removed during a server migration, DNS settings change in a way that breaks domain validation, or the hosting provider's renewal integration has a bug. An expired certificate is immediately visible to every visitor as a browser security warning — and it is embarrassing and trust-damaging.

Check your certificate expiry date monthly. In Chrome, click the padlock, then "Connection is secure," then "Certificate is valid" to see the expiry. Set a calendar reminder for a few days before the expected renewal date so you can check that it renewed correctly. Most hosting dashboards also show SSL status.
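The monthly check can also be automated. This is an added example, not part of the original article: it reads a certificate's `notAfter` date the way a browser would see it and reports how many days are left. The 20-day alert threshold and the status labels are assumptions chosen for this example.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 20  # assumption for this example: alert well before expiry

def days_remaining(not_after, now=None):
    """not_after is the 'notAfter' string from getpeercert(),
    e.g. 'Jun 15 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days

def classify(days, warn_days=WARN_DAYS):
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "RENEWAL OVERDUE"  # auto-renewal should have replaced it by now
    return "OK"

def fetch_not_after(host, port=443, timeout=10):
    """Connect with normal browser-style verification and return notAfter."""
    ctx = ssl.create_default_context()  # checks the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host):
    """Live check. An already expired or mismatched certificate fails the
    handshake, so that case is reported instead of raising."""
    try:
        days = days_remaining(fetch_not_after(host))
    except ssl.SSLCertVerificationError as exc:
        return f"{host}: FAILED VERIFICATION ({exc.verify_message})"
    return f"{host}: {classify(days)} ({days} days left)"

if __name__ == "__main__":
    # Constructed notAfter value; call check_host("yourdomain.ca") for a live check.
    sample = "Jun 15 12:00:00 2025 GMT"
    now = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
    print(classify(days_remaining(sample, now)))
```

Run from a scheduled job on a machine other than the web server, `check_host` still reports a problem when the server's own renewal job has stopped running.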

How to check your certificate is set up correctly

SSL Labs (ssllabs.com/ssltest) provides a free, detailed SSL configuration test for any domain. It grades your certificate, cipher configuration, and server settings and flags common issues. An A or A+ grade means your configuration is solid. Lower grades indicate specific problems you can address.

The basic checks: Does the site load at https://yourdomain.ca with a padlock? Does http://yourdomain.ca redirect to https://yourdomain.ca? Does www.yourdomain.ca redirect correctly? Is the site free of browser warnings about mixed content? Is the certificate issued to the correct domain? These are the five questions every Canadian business with a website should be able to answer yes to.
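The redirect questions above, and the 301 requirement from the SSL and SEO section, can be verified hop by hop. This is an added example, not part of the original article: it follows a URL without auto-following redirects and reports temporary redirects, chains that never reach HTTPS, and chains that end on the wrong address. The function names and the sample responses are assumptions made for this example.

```python
import http.client
from urllib.parse import urljoin, urlsplit

PERMANENT = (301, 308)  # 301 is the status the article names; 308 is also permanent
REDIRECTS = (301, 302, 303, 307, 308)

def fetch_hop(url, timeout=10):
    """Make one HEAD request without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn = (http.client.HTTPSConnection if https else http.client.HTTPConnection)(
        parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_redirects(start_url, canonical, fetch=fetch_hop, max_hops=5):
    """Follow start_url hop by hop; return a list of problems (empty list = pass)."""
    problems, url = [], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        if status not in PERMANENT:
            problems.append(f"{url} answers {status}, not a permanent redirect")
        url = urljoin(url, location)
    else:
        problems.append(f"still redirecting after {max_hops} hops")
    if not url.startswith("https://"):
        problems.append(f"chain ends on a non-HTTPS URL: {url}")
    elif url.rstrip("/") != canonical.rstrip("/"):
        problems.append(f"chain ends at {url}, expected {canonical}")
    return problems

# Constructed responses standing in for a live server (not captured traffic).
SAMPLE_SITE = {
    "http://yourdomain.ca/": (302, "https://yourdomain.ca/"),
    "http://www.yourdomain.ca/": (301, "https://www.yourdomain.ca/"),
    "https://www.yourdomain.ca/": (301, "https://yourdomain.ca/"),
    "https://yourdomain.ca/": (200, None),
}

if __name__ == "__main__":
    for start in ("http://yourdomain.ca/", "http://www.yourdomain.ca/"):
        issues = audit_redirects(start, "https://yourdomain.ca/", fetch=SAMPLE_SITE.get)
        print(start, "->", issues or "OK")
```

Leaving out the `fetch` argument runs the same audit against the live site through `fetch_hop`.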
