What SSL certificates actually do

An SSL certificate is a digital file that enables encryption between a visitor's browser and your web server. When a user visits your site via HTTPS, their browser and your server negotiate an encrypted connection using the certificate. The connection is encrypted in both directions: any data the visitor sends (form submissions, passwords, credit card numbers) is encrypted so that only your server can read it. Any data your server sends back is also encrypted.

SSL stands for Secure Sockets Layer. The term is now a bit outdated — the modern standard is TLS (Transport Layer Security) — but the names are used interchangeably. When you see HTTPS in a URL or a lock icon in the browser address bar, that is a TLS certificate at work.

The certificate has two parts: a public key that is visible to the world and a private key that remains on your server. The public key can encrypt messages, but only the private key can decrypt them. This asymmetric encryption is why HTTPS is secure: even if someone intercepts the traffic between a visitor's browser and your server, they cannot decrypt it without the private key.

A third important function of SSL certificates is authentication. The certificate proves that the site visitors are accessing is actually yours, not an imposter. A certificate is issued by a trusted authority (a Certificate Authority, or CA) after verifying that you control the domain. When a visitor's browser sees the certificate, it checks that the CA is trustworthy. If the verification passes, the browser displays a lock icon. If it fails, the browser warns the user that the site might be unsafe.

Why every website needs HTTPS in 2026

Google has been pushing HTTPS as a ranking signal since 2014. Websites with HTTPS are favored slightly in search results. More importantly, Google Chrome — used by over 60% of internet users — marks all HTTP sites as "not secure" with a warning in the address bar. A visitor to your unencrypted site sees a warning that the site is not secure, even if you are not collecting any sensitive data. This warning drives people away.

For sites handling any form of data — contact forms, email subscriptions, logins, shopping carts — HTTPS is a legal and ethical requirement. Canadian privacy laws, particularly PIPEDA and Quebec Law 25, require that personal information be protected in transit. Unencrypted transmission of personal data violates those laws.

Even if your site does not collect data directly, HTTPS matters for visitor trust. The lock icon in the browser bar is a signal of legitimacy. Sites without it look sketchy, regardless of how professional the design is. In 2026, an unencrypted site is a red flag to any visitor: either the business does not understand security, or they do not care about user privacy.

HTTPS also protects against man-in-the-middle attacks where someone on the same network intercepts traffic. In a coffee shop or airport, an attacker on the same wifi network could intercept unencrypted traffic. With HTTPS, they cannot. This protection matters for your visitors, which reflects on your business.

The different types of SSL certificates

There are three main types of SSL certificates, distinguished by the level of identity verification and the breadth of domain coverage: Domain Validated (DV), Organization Validated (OV), and Extended Validation (EV).

A Domain Validated (DV) certificate verifies that you control the domain but does not verify that you are who you claim to be. The verification process takes minutes — usually just a check that you can receive an email at an admin address associated with the domain or that you can modify a DNS record for the domain. DV certificates are free through services like Let's Encrypt and cost $15 to $100 annually if purchased commercially. DV certificates are appropriate for most websites, including business sites, blogs, and e-commerce. The browser shows a lock icon and the green bar, but does not show organization details.

An Organization Validated (OV) certificate verifies both that you control the domain and that the organization behind the certificate is legitimate. The verification process takes a few days and involves checking business registration records. OV certificates cost $100 to $300 annually and are appropriate for sites handling sensitive data or representing established businesses. The browser shows a lock icon with organization information when clicked.

An Extended Validation (EV) certificate involves the highest level of verification, including reviewing legal documents and confirmed contact with the business. The verification process takes one to two weeks. EV certificates cost $200 to $500 annually and are primarily used by banks and large e-commerce sites. In older browsers, EV certificates displayed a green bar in the address bar, but modern browsers have largely eliminated this visual distinction, making EV certificates less valuable than they once were.

Another distinction is single-domain versus multi-domain (wildcard) certificates. A single-domain certificate covers one domain: www.example.ca. A wildcard certificate covers a domain and all its subdomains: *.example.ca. A wildcard is useful if your site uses multiple subdomains — for example, api.example.ca, blog.example.ca, and app.example.ca. For a typical small business site, a single-domain certificate is sufficient.

Cost and where to get SSL certificates

The most cost-effective option for small Canadian businesses is a free DV certificate from Let's Encrypt. Let's Encrypt is a nonprofit certificate authority that provides certificates at no cost, with automated renewal. Most modern hosting providers include automated Let's Encrypt integration, meaning the certificate is installed and renewed automatically with zero manual work. A DV certificate from Let's Encrypt is cryptographically identical to a paid certificate — the only differences are the validation process and the lack of additional services.

If you need an OV or EV certificate, you purchase through a certificate provider like DigiCert, Sectigo, or GlobalSign. These providers sell directly and through hosting providers and domain registrars. Prices vary; shopping around can save you $50 to $100 annually, but the differences in quality between reputable providers are minimal.

Some hosting providers include a certificate with the hosting plan — often a free Let's Encrypt certificate or a single-domain DV certificate. If your hosting plan does not include a certificate, you can usually add one for $10 to $20 annually. This is your baseline cost: negligible.

Migrating from HTTP to HTTPS correctly

If your site is currently on HTTP and you are adding HTTPS, the migration process matters. Search engines will see your site as having new URLs (https:// instead of http://), and if the migration is done incorrectly, you can lose search rankings. The correct migration process involves: installing the certificate, configuring your server to redirect all HTTP requests to HTTPS, updating internal links to use HTTPS, testing that all pages load correctly over HTTPS, updating your sitemap to reflect the new HTTPS URLs, and notifying Google Search Console of the change.

Most hosting providers have documentation on this process, and many can perform the migration for you. If you hire a developer to do it, this should be straightforward work — a few hours of effort, not weeks.

Implementation concerns for Canadian businesses

Canadian law does not impose specific requirements on which certificate authority you use or what type of certificate you need. PIPEDA requires encryption of personal information in transit, but does not specify SSL/TLS. That said, SSL/TLS with a DV certificate from any trusted authority (Let's Encrypt, DigiCert, Sectigo) satisfies PIPEDA requirements.

If your site serves Canadian users but is hosted outside Canada, HTTPS encryption protects data in transit but does not change where the data is stored. That is a separate concern related to data residency and PIPEDA compliance. HTTPS ensures the connection is encrypted; where your server lives is a different question.

One Canadian-specific consideration is that some industries are regulated differently. Financial institutions, for example, have additional security requirements beyond just HTTPS. If you are in a regulated industry, check with your compliance officer or lawyer about what certificate and configuration is required.

Certificate renewal and expiration

SSL certificates have expiration dates, typically one to three years. Let's Encrypt certificates are valid for 90 days but renew automatically if your hosting provider is configured correctly. Commercial DV, OV, and EV certificates typically run for one or two years and require manual renewal unless you have set up automatic renewal with your provider.

If a certificate expires, your site will stop working over HTTPS, and visitors will see an error that the connection is not secure. This is a serious problem — not just for security, but for user trust and search rankings. Modern hosting providers make renewal automatic, so expiration should never happen. If you have older hosting or hosting that does not support automatic renewal, set a calendar reminder to renew before expiration.

Common mistakes and how to avoid them

The most common mistake is installing a certificate for the wrong domain. A certificate for www.example.ca does not work for example.ca without the www prefix. Make sure the certificate matches the domain you are actually using. Another mistake is failing to set up proper redirects, so your site is accessible on both HTTP and HTTPS — confusing for users and search engines. Set up a redirect so that HTTP traffic always goes to HTTPS.

Another mistake is forgetting to update internal links. If you migrate from HTTP to HTTPS but your internal links still point to HTTP URLs, browsers will show security warnings for mixed content. Update all internal links to use HTTPS. A third mistake is using an outdated certificate type or outdated TLS version. Modern browsers only support TLS 1.2 or higher. If your hosting is configured for old TLS versions, update it.

The final mistake is treating SSL as optional for sites that do not handle payments. Even if your site only has information and contact forms, HTTPS is standard in 2026. Visitors expect it. Google rewards it. Browsers warn about its absence. There is no good reason to run a website on HTTP.