What SSL/TLS certificates are, how HTTPS and asymmetric encryption work, and why every website needs a valid certificate to protect users and data.

Every time you see the padlock in the browser's address bar, you're looking at the result of a sophisticated trust mechanism that protects billions of transactions every day. Yet few people truly understand how it works, what it means when it "expires," and why Google penalizes sites that don't have it. This guide answers all these questions, without taking anything for granted.
What is an SSL Certificate?
The name "SSL" comes from Secure Sockets Layer, the original protocol invented by Netscape in 1995. Technically, TLS (Transport Layer Security) had already replaced SSL by the late 1990s, and the current version is TLS 1.3, but out of habit everyone still calls them "SSL certificates."
An SSL/TLS certificate is a digital document issued by a Certificate Authority (CA) that declares:
- That the domain example.com belongs to whoever claims to own it
- That communications with that domain will be encrypted
The certificate contains the site's public key. The browser uses this key to initiate an encrypted communication, without the private key (which stays on the server) ever traveling over the network.
How does SSL/TLS Encryption Work?
When you visit an HTTPS site, a procedure called a TLS handshake takes place — nearly instantaneous for you but technically sophisticated:
- Your browser tells the server: "I want a secure connection, here are the protocols and algorithms I support"
- The server responds with the SSL certificate (containing the public key) and selects the algorithms to use
- The browser verifies the certificate: is it signed by a trusted CA? Is it still valid (not expired)? Does the domain match?
- A shared session key is generated (using asymmetric cryptography, but only for the key exchange)
- From here on, all traffic is encrypted with the session key (symmetric encryption, much faster)
The result: even if someone intercepts traffic on the Wi-Fi network, they see only encrypted data that is indecipherable without the server's private key.
Types of SSL Certificates
Not all certificates are equal. The main difference is the level of identity validation of the requester.
DV — Domain Validation
The simplest level. The CA only verifies that whoever is requesting the certificate controls the domain (via a file on the site or a DNS record). The process is automatic and takes minutes. Let's Encrypt issues DV certificates for free.
Suitable for: blogs, personal sites, internal web applications.
OV — Organization Validation
The CA verifies not just the domain but also the organization's existence: company name, address, phone number. The process takes a few days and has a cost.
Suitable for: business websites, B2B portals, services handling sensitive data.
EV — Extended Validation
The most thorough check: complete legal verification of the organization. At one time browsers displayed the company name in green in the address bar (Chrome and Firefox removed this display in 2019, but the EV certificate still has value for those who do manual inspection).
Suitable for: banks, financial institutions, large-scale e-commerce.
Wildcard and Multi-Domain
Wildcard certificates (*.example.com) cover all subdomains of a domain with a single certificate. SAN/multi-domain certificates cover multiple different domains in a single certificate.
Let's Encrypt: Free Certificates for Everyone
Since 2015, Let's Encrypt — managed by Internet Security Research Group (ISRG) with the support of Mozilla, Google, and other tech giants — has issued free DV certificates with automatic renewal every 90 days.
Today most hosting providers integrate Let's Encrypt directly into the control panel: a single click or command is enough to have HTTPS. With Certbot on Linux servers you can automatically obtain and renew certificates for your sites.
The result? Nearly 100% of websites now use HTTPS — a percentage unthinkable before Let's Encrypt.
Why Google Penalizes Sites Without SSL
In 2014, Google announced that HTTPS is a ranking factor in search results. It's not the most important factor, but when other elements are equal, the HTTPS site is preferred.
But there's more: from 2018, Chrome displays "Not Secure" in the address bar for all HTTP sites (non-HTTPS) when the user interacts with forms or enters data. From 2023, Chrome shows the warning for all HTTP sites without exception.
The practical impact: a site without SSL sees an increase in abandonment rate (people see the warning and leave) and loses positions on Google.
Expired Certificate: What Happens?
SSL certificates have an expiration date (maximum 398 days according to the latest industry rules, typically 90 days for Let's Encrypt). When it expires:
- The browser shows a red warning "Your connection is not private"
- The user can ignore the warning and proceed, but most don't
- Search engines may penalize the site
For Let's Encrypt certificates, renewal is automatic via Certbot or the hosting panel. For paid certificates, set a reminder 30 days in advance of the expiration date.
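The checks the browser runs during the handshake (domain match, validity dates) and the 30-day renewal reminder can be scripted. The following is an added example, not part of the original article: it uses only Python's standard library, and the sample certificate, the status strings and the function names are constructed for illustration. It also shows that a wildcard entry matches exactly one subdomain level.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample, in the dict format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Constructed Test CA"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}

def name_matches(pattern, hostname):
    """A '*' stands for exactly one left-most label, so it never spans dots."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # refuse overly broad patterns such as '*.com'
        return len(p) >= 3 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def to_utc(cert_time):
    """Parse the certificate's 'Mon DD HH:MM:SS YYYY GMT' timestamp."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def check(cert, hostname, now, warn_days=30):
    """Return name-mismatch, not-yet-valid, expired, renew-soon or ok."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(s, hostname) for s in sans):
        return "name-mismatch"
    if now < to_utc(cert["notBefore"]):
        return "not-yet-valid"
    days_left = (to_utc(cert["notAfter"]) - now).days  # negative once expired
    if days_left < 0:
        return "expired"
    return "renew-soon" if days_left < warn_days else "ok"

def fetch_cert(hostname, port=443, timeout=5):
    """Live lookup. The default context verifies the CA chain, dates and name
    itself and raises ssl.SSLCertVerificationError when any of them fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    now = datetime(2025, 3, 15, tzinfo=timezone.utc)  # constructed "today"
    for host in ("example.com", "shop.example.com", "a.b.example.com"):
        print(host, check(SAMPLE_CERT, host, now))
```

To monitor a real site, pass `fetch_cert("your-domain")` and `datetime.now(timezone.utc)` to `check` from a scheduled job.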
Check Your Site's Certificate
Want to know whether the SSL certificate of your site (or of a site you're analyzing) is valid, who issued it, and when it expires?
👉 SSL Certificate Checker — check for free
Our tool shows in a few seconds: validity status, issuing authority, certificate type, expiration date, and the entire certificate chain.
Frequently Asked Questions
Does a site with HTTPS automatically mean it's safe?
HTTPS guarantees that communication between you and the site is encrypted. It doesn't guarantee that the site itself is trustworthy or doesn't contain malware. Phishing sites regularly use HTTPS. Look at the padlock, but also check the domain.
Can I use an SSL certificate on multiple sites?
With a wildcard certificate (*.mydomain.com) you can cover all subdomains of one domain. With a multi-domain (SAN) certificate you can cover completely different domains. A standard certificate is only valid for the specific domain it was issued for.
Do I need to restart the server after renewing the certificate?
It depends on the web server. Nginx and Apache usually require a configuration reload (nginx -s reload or systemctl reload apache2) to apply the new certificate. Certbot handles this automatically in the post-renewal hook.
