What is SSL Certificate & How to Install it under 10 Minutes?

In 2014 Google announced HTTPS as a ranking factor. After that, people started to care more about HTTPS SEO.

Google is encouraging the HTTPS Everywhere initiative because it wants to protect the data of every online user.

HTTPS or SSL is not a new thing; it has been used by a lot of websites to protect the private information of their users.

These are websites that accept user input such as usernames and passwords, credit card details or any other sensitive information. They include payment gateways or payment processors like PayPal and Payoneer, e-commerce sites like Amazon and eBay, email service providers like Gmail and Yahoo Mail, etc.

But since Google announced HTTPS as a ranking signal, every site has started to opt for an HTTPS-enabled website.

50% of the first-page results in Google show HTTPS URLs.

Recently, Google has started to show a Not Secure tag in the Chrome address bar for non-SSL websites that contain a username and password form.

Google cares about the security of its users, and it may take a further step and show a red Not Secure tag for all websites that are not using SSL certificates.

Firefox is also taking the same initiative for a more secure browsing experience.

This guide will help you to understand everything about HTTP, HTTPS, SSL & HTTPS SEO.

What is HTTP & HTTPS?

HTTP and HTTPS are both protocols used to communicate over the World Wide Web (WWW).

HTTP (HyperText Transfer Protocol):

HTTP is an application layer protocol which is the base of data communication over the internet. It stands for HyperText Transfer Protocol.

It transfers or exchanges hypertext information such as links and text between two endpoints. One endpoint is the application user, and the other is a server.

People store the hypertext information on the server. The user can access the information using a browser (the application).

It means that when you enter the address of a website in a browser such as Google Chrome or Mozilla Firefox, the HTTP protocol connects to the server where the website's information is stored and transmits that information back to the browser.

If your website uses the HTTP protocol to transfer or exchange information, it is vulnerable to different types of attacks because a connection over HTTP is not encrypted.

Unencrypted HTTP does not protect data from modification, eavesdropping or tracking, and leaves it open to Man-In-The-Middle attacks.

If the connection is not encrypted, it exposes sensitive information and leads to privacy vulnerabilities.

The data sent over HTTP includes website content, information users submit via forms, search terms, etc.

Hackers would use this information for malicious purposes.

This doesn't mean that the HTTP protocol has no benefits.

One benefit of HTTP is that it is stateless. A stateless protocol never stores any information about its previous session.

Data about the last session is never added to the HTTP headers of the current session, so the speed of data transfer increases.

HTTPS (HyperText Transfer Protocol Secure):

Well, HTTPS works the same way as HTTP, except that the connection between the application user and the server is always encrypted with 256-bit encryption (2048-RSA Key). It stands for HyperText Transfer Protocol Secure.

HTTPS encrypts the connection with Secure Sockets Layer (SSL) and Transport Layer Security (TLS).

TLS is a network protocol which encrypts the connection between the authenticated application user & server.

HTTPS encrypts and protects all information such as user-submitted form data, query string parameters, cookies, URL paths, etc.

It authenticates the website for an application user and then presents the hypertext information.

An encrypted connection prevents attackers from modifying the information and from mounting Man-In-The-Middle attacks.

However, HTTPS is not the solution for all your security concerns. Having HTTPS on your website does not mean that your site will never get attacked.

HTTPS provides integrity of data between the application user and the server. It does not protect the server from being attacked or hacked.

If you want to protect your website from server or malicious attacks, I would strongly recommend using Sucuri in conjunction with HTTPS.

HTTP vs HTTPS:

If you log into your bank account over an unencrypted HTTP connection, an attacker can easily get your bank account credentials.

If the bank website has an HTTPS connection, your bank account credentials will not be compromised.

InstantSSL has nicely illustrated the HTTP vs HTTPS:

http vs https

What is SSL Certificate?

Now:

You know HTTPS is important for both security and SEO, but how do you get an HTTPS connection for your website?

You have to install an SSL certificate for your website on your server. That's it.

Let's go into detail (technically):

An SSL certificate contains a lot of fields such as Certificate Version, Certificate Algorithm, Certificate Issuer, Validity, Subject Public Key Value, Certificate Subject Alternative Names, etc.

SSL uses a public key and a private key to encrypt the data sent over HTTPS.

The private key is kept protected and is only known to the owner of the certificate (the website).

A public key can be distributed to anyone who wants to decrypt the information which was encrypted with the private key.

When you request an HTTPS page of a website from the browser, the server sends its public key and a copy of the SSL certificate.

The browser checks various parameters present in the SSL certificate, such as the common name and the SSL certificate status (Unexpired, Expired, Revoked).

The most important parameter checked at this step is the trusted Certificate Authority (CA).

If the authority that provided the certificate is not trusted, the browser will show the Invalid Certificate Authority error.

If you want to see how different SSL errors show different messages, check out badssl.com.

If everything is fine, the browser generates a session key using the public key.

Later, the server uses the private key to decrypt the session key provided by the browser and sends back an acknowledgment to the browser that everything is okay and that encrypted communication using the session key can start.

SSL Handshake:

ssl-handshake

An SSL certificate provider needs to be trusted by all major browsers. These are a few certificate authorities which are trusted by all major browsers:

  1. COMODO
  2. GeoTrust
  3. Thawte
  4. RapidSSL
  5. Symantec

COMODO is one of the lowest-cost & Symantec is one of the highest-cost SSL certificate authorities.

Types of SSL Certificates:

At any point in time, an SSL certificate falls into a combination of Domain Acceptance and Validation Implementation.

Your SSL certificate can be a combination of any of these two types. Each has its advantages & risks.

1. Domain Acceptance:

Single Domain:

You can install a single domain certificate for only one domain; you cannot install it for your other domains.

When you install a single domain certificate, you can access your website over the HTTPS protocol by entering https://yourwebsite.com or https://www.yourwebsite.com

Yes:

Even if it is a single domain certificate, the www version of your site is also accessible via HTTPS, but for better SEO and to avoid duplicate content issues you should prefer only one version, either www or non-www.

Every SSL certificate has a Certificate Subject Alternative Name field.

This field lists the other, alternative domains that use the same SSL certificate.

If the field contains only two values, yourwebsite.com and www.yourwebsite.com, then it is a single domain certificate. dmarketer.com is using a single domain certificate from COMODO provided by Namecheap.

Wildcard Domain:

A wildcard certificate is also for a single domain only, but you can install the certificate on multiple subdomains.

It means you can install a wildcard SSL certificate on yourwebsite.com, www.yourwebsite.com, app.yourwebsite.com, forum.yourwebsite.com, etc.

If the Certificate Subject Alternative Name field contains an asterisk (*.yourwebsite.com), then the certificate is a wildcard. Kissmetrics.com uses a wildcard certificate.

A wildcard certificate may create a potential risk.

As it can be used for multiple subdomains, if the private key is compromised an attacker may create a phishing website with a proper SSL setup.

If your secure domain is https://secure.yourwebsite.com, then an attacker who has the SSL certificate's private key will create another domain, https://secur.yourwebsite.com, and it is impossible for the average user to detect the error.

Multi Domain:

You can install a multi-domain certificate for more than one domain. It is also called a “Unified Communications” or “UC” certificate.

It means you can install a multi-domain certificate on yourwebsite.com, youranotherwebsite.net, yourfirstwebsite.org

If the Certificate Subject Alternative Name field contains more than one value, then it is a multi-domain certificate.

Sometimes it may have an asterisk (*), making it a multi-wildcard domain certificate.

Google uses a multi-domain certificate, and it is obvious for them.

Multi-domain certificates are high cost and also have some issues associated with them.

If your Certificate Subject Alternative Name field contains a lot of entries, then the size of the certificate increases.

It may increase the site load time, but it is a minor issue.

With a multi-domain certificate, you can add or remove multiple websites. If you do so, you must reissue and replace the certificate on all other websites which it protects.

This is the extra overhead associated with multi-domain certificates.
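The Subject Alternative Name rules above can be checked mechanically. The following is an added example, not code from the original article: it classifies a SAN list using the article's rules and shows which host names a wildcard entry actually covers. The SAN lists are constructed samples for the article's placeholder domains, and treating "www." and "*." as belonging to the same site is a simplifying assumption.

```python
def wildcard_matches(pattern, host):
    """True if SAN entry `pattern` covers `host`.

    A "*" is honoured only as the whole left-most label and stands for
    exactly one label, which is how browsers apply wildcard names.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least "*.name.tld" and a non-empty left-most host label.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def base_name(san):
    """Collapse "*.site" and "www.site" to "site" (simplifying assumption)."""
    name = san.lower().rstrip(".")
    for prefix in ("*.", "www."):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name


def classify(sans):
    """Apply the article's rules to a list of SAN values."""
    has_wildcard = any(s.startswith("*.") for s in sans)
    sites = {base_name(s) for s in sans}
    if len(sites) > 1:
        return "multi-wildcard" if has_wildcard else "multi-domain"
    return "wildcard" if has_wildcard else "single"


def covered(sans, host):
    """True if any SAN entry makes the certificate valid for `host`."""
    return any(wildcard_matches(s, host) for s in sans)


# Constructed SAN lists (not read from real certificates).
SINGLE = ["yourwebsite.com", "www.yourwebsite.com"]
WILDCARD = ["*.yourwebsite.com", "yourwebsite.com"]
MULTI = ["yourwebsite.com", "youranotherwebsite.net", "yourfirstwebsite.org"]
MULTI_WILDCARD = ["*.yourwebsite.com", "youranotherwebsite.net"]

if __name__ == "__main__":
    for sans in (SINGLE, WILDCARD, MULTI, MULTI_WILDCARD):
        print(classify(sans), sans)
    # The wildcard key is valid for any one-label subdomain, including the
    # look-alike name from the article, but not for deeper names.
    for host in ("secure.yourwebsite.com", "secur.yourwebsite.com", "a.b.yourwebsite.com"):
        print(host, covered(WILDCARD, host))
```

The last loop is why a wildcard private key needs stricter handling than a single domain key: one key is valid for every first-level subdomain, existing or not.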

2. Validation Implementation:

Every SSL certificate goes through validation methods. After all, SSL is a trust factor.

People trust a website when they see the green padlock or bar in the browser's address bar.

Domain Validation:

Domain validation certificates only validate the domain.

If the domain belongs to the entity requesting the certificate, the certificate authority provides the SSL certificate.

Different types of domain validation methods are used to confirm that the entity requesting the certificate owns the domain, such as:

  • WHOIS Email – You have to click on the link received in your email.
  • DNS – You have to add a CNAME or TXT record to your DNS records or DNS zone file.
  • HTTP – You have to upload the given file at the root of your website folder on the server.
  • HTTPS – You have to upload the given file at the root of your website folder on the server.

You can use any of these methods to validate your domain.

The domain validation method does not require any paperwork. Once you verify the domain, you can get the certificate within 2-10 minutes.

Organization Validation:

An Organization Validation certificate verifies the domain and the organization/business.

Once you validate your domain and organization, you will get your SSL certificate.

Organization Validation requires paperwork. The certificate authority will check whether your company is legally registered.

You will receive the SSL certificate within 1 to 8 days once the certificate authority verifies your business.

Both domain validation and organization validation certificates get the green padlock in the browser.

Different browsers and padlock for the domain and organization validated certificates:

ssl padlocks domain validation

Extended Validation:

Extended Validation is the highest level of certificate validation.

The certificate authority verifies a lot of information about your organization before providing an Extended Validation SSL certificate.

The validation process is longer and takes more time than Domain or Organization validation, but it is worth it.

An Extended Validation certificate provides a green address bar with your company name on it; this will increase the trust of your website visitors.

Sites with an Extended Validation certificate have seen a 5% – 28% increase in web traffic & sales volume.

The certificate authority conducts a thorough assessment of the organization & follows the strict guidelines provided by the CA/Browser Forum.

It includes verification of:

  • Legal, Physical & Operational existence of business.
  • The organization has right to use the domain specified in the SSL certificate.
  • The organization has authorized the issuance of the certificate.

Different browsers and padlock for the extended validated certificates:

ssl-padlock-extended-validation

(I found Opera browser treats all the certificates in the same way.)

Extended validation may take 2 to 10 days to provide an SSL certificate.

As I already told you, SSL certificate types are a combination of Domain Acceptance and Validation Implementation methods.

An SSL certificate can be of type:

  1. Single Domain with Domain Validation
  2. Multi Domain with Domain Validation
  3. Wildcard Domain with Domain Validation
  4. Single Domain with Organization Validation
  5. Multi Domain with Organization Validation
  6. Wildcard Domain with Organization Validation
  7. Single Domain with Extended Validation
  8. Multi Domain with Extended Validation

Certificate authorities do not provide Wildcard Domain with Extended Validation due to the potential risk associated with it.

How to Install SSL certificate?

Now:

You are now aware of what an SSL certificate is and what its types are. Once you choose the best SSL certificate type for your website, you have to buy it and install it.

If you have chosen a Domain Validation certificate, then your website will be HTTPS ready in a few minutes.

If you have chosen an Organization Validation or Extended Validation certificate, then it will take a few days to get your SSL certificate.

Follow the steps below to buy & install an SSL certificate for your website:

Step 1: Buy SSL Certificate:

I use NameCheap SSL Certificates for my website. Namecheap provides COMODO SSL Certificates because they are low cost and high quality.

If you want to use an SSL certificate from another certificate authority, then you can buy from GoGetSSL.

I will demonstrate Namecheap, but you can use the same process for GoGetSSL or any other SSL certificate provider.

Go to NameCheap SSL Certificates & buy the domain.

Step 2: Disable WHOIS Guard of your domain:

Each type of SSL certificate requires Domain Validation, and email is the best way to do it.

The certificate authority will send an email with a validation link to your WHOIS email address.

If you have enabled WHOIS guard, log into your domain registrar and disable it.

Also, make sure that your web host has given you a dedicated IP address. You cannot install an SSL certificate without a dedicated IP address.

If you don't have one, contact your web host and get a dedicated IP address.

If your server supports Server Name Indication, you don't even need a dedicated IP address.

Step 3: Generate CSR:

CSR stands for Certificate Signing Request. You can generate it from your web hosting account.

I am using Bluehost for my website, so I can manage SSL certificate related activities from cPanel.

Click on the SSL/TLS Manager.

On the next screen, click on “Generate, view, or delete SSL certificate signing requests”.

This step will generate the CSR. Enter all possible information. If you are using a wildcard SSL certificate, then enter *.yourwebsite.com under the Domains section.

This form will generate the CSR; copy the encoded certificate signing request.

If you don’t have cPanel, you have to consult with your web hosting provider or hire an IT person to install SSL for you.

Step 4: Download SSL Certificate:

Log into NameCheap (or the site from which you bought the SSL certificate) & click on “Product List” in the left sidebar.

You will see a list of the products. Click on Manage to start the Domain Validation process.

Enter the copied CSR, select the server type & click on the Submit button.

On the next screen, check that the information is valid and click on the Next button.

In the next step, select Email as the Domain Validation method. Select your email from the list. You should have access to the selected email address.

Verify the domain administrative contacts & click on the Next button. On the next screen click on Confirm.

After a few minutes, you will get an email from COMODO Security Services.

  1. Copy the code
  2. Click on the link

Paste the code on the Domain Control Validation page. Click on Next; it will show you a success message.

After a few minutes, you will get another email with the certificate attached. Download and extract the certificate.

This certificate contains two files:

  1. yourwebsite_com.crt
  2. yourwebsite_com.ca-bundle

Step 5: Install Downloaded Certificate:

You have your SSL certificate files; you just have to upload these files to your server.

Go to SSL Manager on your web hosting account & click on the “Generate, view, upload, or delete SSL certificates” link.

Then upload the two files one by one:

  1. yourwebsite_com.crt
  2. yourwebsite_com.ca-bundle

Once you upload the certificates to your hosting account, check your website with the HTTPS protocol, https://yourwebsite.com

It may give an error, but don't worry; it happens because of the absence of intermediate and root certificates.

Contact your web hosting provider and tell them to install the intermediate certificates.

If your web host provider is not helping, you can generate the intermediate certificates yourself.

Visit https://certificatechain.io/ and upload the .crt file.

It will give you a trust chain file; download the file and upload it to your web hosting account (the same way as you uploaded the previous two files).

Once you have uploaded the required certificates test your website with Qualys SSL Labs Server Test Tool:

dmarketer ssl score

Don’t worry if you haven’t received the A+ grade; just check whether the SSL certificate is working.

If you follow the steps below, you will get the A+ grade for your website.

Steps to do after SSL certificate installation:

Ahrefs said in one case study that HTTPS was not working correctly on 65% of the top 10000 domains & that 90% of the domains are using a sub-optimal HTTPS implementation.

So it is crucial that you check your website for a complete SSL implementation.

Once you install the SSL certificate, you will be able to access your website over the HTTPS protocol.

Do not perform the steps below unless your website is accessible over HTTPS.

The steps below are important for HTTPS SEO implementation.

Choose your preferred site URL:

When you have SSL certificate installed on your site, you can access it via two URLs:

  1. https://yourwebsite.com
  2. https://www.yourwebsite.com

Choose your URL and use it everywhere such as Google Search Console, Google Analytics, etc.

Change WordPress address and Site address:

This step is applicable only if you have installed the SSL certificate for a WordPress website.

Log into your WordPress dashboard and head to Settings. Change the WordPress URL & Site URL to use the HTTPS protocol; this is your preferred site address.

If you are using any other CMS, find the similar setting and update the site address.

Add below snippet code in your .htaccess file:

Your website can be accessed via four different URLs when you install SSL certificate:

  1. https://yourwebsite.com
  2. https://www.yourwebsite.com
  3. http://yourwebsite.com
  4. http://www.yourwebsite.com

It means three copies of your original content, which is a content duplication issue in SEO.

If the user enters any of the above four URLs in the browser, every URL should redirect to the preferred site URL.

If you are using Apache, then find the .htaccess file at the root of your website folder. If you have cPanel, then you could use File Manager to do the same.

Copy the below code and add it to the top of the .htaccess file and replace yourwebsite.com with your preferred URL.

# START SSL Redirect
# Redirect requests that arrived over plain HTTP to the preferred HTTPS host (permanent 301)
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://yourwebsite.com%{REQUEST_URI} [R=301,L]
</IfModule>
# END SSL Redirect

If you are using Nginx, copy the below code and find the correct place for it in your nginx.conf file.

server {
    # Plain-HTTP listener for both host names
    listen 80;
    server_name yourwebsite.com www.yourwebsite.com;
    # Permanent redirect to the preferred HTTPS URL, keeping path and query string
    return 301 https://yourwebsite.com$request_uri;
}

The above code also solves the redirection issue of your website.

If your preferred domain is https://yourwebsite.com & the user accesses your website with http://www.yourwebsite.com, then the user will be redirected directly to your preferred domain.

In this same scenario, some .htaccess code redirects http://www.yourwebsite.com to https://www.yourwebsite.com & then to https://yourwebsite.com.

If your website uses a large number of redirects, it will impact your site loading speed.

Add HTTP Strict Transport Security header:

HTTP Strict Transport Security (HSTS) is vital to prevent Man-In-The-Middle attacks.

Suppose you manually enter your website in the browser using the HTTP protocol, http://yourwebsite.com. It will redirect to https://yourwebsite.com, but the first request sent was unencrypted because of the HTTP protocol.

Even if we redirect to secure HTTPS, our first request is HTTP, and an attacker could mount a Man-In-The-Middle attack to intercept the initial HTTP request and control the user’s session from then on.

Well, you can prevent this easily by adding the HSTS header in your .htaccess file.

Copy the below code and add it below your SSL redirection code:

# Start STS
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains;" env=HTTPS
# End STS

If you are using Nginx, add the below code in your SSL server block below server_name:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

This code instructs the browser that the website must only be accessed over the HTTPS protocol, even if the user enters it with HTTP.

It will speed up your website, eliminate extra redirects & improve the security of your website.
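To confirm that the redirect and HSTS settings above behave as described, the following added example (not code from the original article) follows the redirects from a starting URL one hop at a time and reports anything that breaks the rules: more than one redirect, a non-301 status, the wrong final URL, or a missing HSTS max-age. The response tables are constructed for the article's placeholder domain so the check can be run offline; the function names are this example's own.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


def fetch(url):
    """One HEAD request without following redirects -> (status, lower-cased headers)."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=10)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target)
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in (value or "").split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None


def audit(start, preferred, fetcher=fetch, max_hops=5):
    """Follow redirects from `start`; return a list of problems (empty list = pass)."""
    problems, url, hops = [], start, 0
    status, headers = fetcher(url)
    while status in REDIRECTS and hops < max_hops:
        hops += 1
        if status != 301:
            problems.append(f"{url} answers {status}, expected a permanent 301")
        url = urljoin(url, headers.get("location", ""))
        status, headers = fetcher(url)
    if hops > 1:
        problems.append(f"{hops} redirects in the chain, expected one direct redirect")
    if url.rstrip("/") != preferred.rstrip("/"):
        problems.append(f"chain ends at {url}, not at {preferred}")
    if hsts_max_age(headers.get("strict-transport-security")) is None:
        problems.append(f"{url} sends no Strict-Transport-Security max-age")
    return problems


# Constructed responses for the article's placeholder domain (not captured traffic).
HSTS = {"strict-transport-security": "max-age=31536000; includeSubDomains"}
DIRECT = {
    "http://www.yourwebsite.com": (301, {"location": "https://yourwebsite.com/"}),
    "https://yourwebsite.com/": (200, HSTS),
}
CHAINED = {
    "http://www.yourwebsite.com": (302, {"location": "https://www.yourwebsite.com/"}),
    "https://www.yourwebsite.com/": (301, {"location": "https://yourwebsite.com/"}),
    "https://yourwebsite.com/": (200, {}),
}

if __name__ == "__main__":
    for name, table in (("direct", DIRECT), ("chained", CHAINED)):
        result = audit("http://www.yourwebsite.com", "https://yourwebsite.com", table.__getitem__)
        print(name, result or "OK")
```

Calling `audit()` without the `fetcher` argument sends real HEAD requests, so run it once for each of the four URL variants of your own site.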

Troubleshoot .htaccess redirection:

Sometimes the HTTPS redirection won’t work as intended after adding the above .htaccess code. This is because of false condition values.

In the above .htaccess redirect code snippet, the second line is RewriteCond. It checks the condition, and if the condition does not provide the intended value, the SSL redirection fails.

Below are three .htaccess code snippets you should try if the above code is not working:

Do not forget to replace yourwebsite.com with your domain.

Check with Server Port:

# START SSL Redirect
# Redirect requests received on port 80 (plain HTTP) to the preferred HTTPS host
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourwebsite.com%{REQUEST_URI} [R=301,L]
</IfModule>
# END SSL Redirect

Check with HTTP Host:

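# START SSL Redirect
<IfModule mod_rewrite.c>
RewriteEngine on
# Note: these conditions test only the host name, so they also match requests that
# already arrived at https://yourwebsite.com; pair them with a scheme check such as
# SERVER_PORT or X-Forwarded-Proto from the other snippets to avoid a redirect loop.
RewriteCond %{HTTP_HOST} ^yourwebsite\.com [NC,OR]
RewriteCond %{HTTP_HOST} ^www\.yourwebsite\.com [NC]
RewriteRule ^(.*)$ https://yourwebsite.com%{REQUEST_URI} [R=301,L]
</IfModule>
# END SSL Redirect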

Check with X-Forwarded protocol:

# START SSL Redirect
# For sites behind a proxy or load balancer that sets the X-Forwarded-Proto header
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://yourwebsite.com%{REQUEST_URI} [R=301,L]
</IfModule>
# END SSL Redirect

I hope one of the above snippets works. If the code is not working or if you are facing any difficulties, contact your web hosting provider or let me know in the comments.

HTTPS SEO

Installing an SSL certificate is beneficial not only for higher ranking in search results but also for improving the trust and security of your site visitors.

Benefits of Installing SSL:

  • Improves search ranking: Google checks over 200 ranking factors to display the search results. HTTPS is a minor ranking factor, but you will win if you have installed SSL & there is a tie between you and your competitor on the other ranking factors.
  • High Data Security: Every connection and all data are encrypted with 256-bit encryption and a 2048-bit RSA key. When traffic passes through HTTPS, no one can alter the data.
  • Maintain Privacy: If your website has an SSL certificate installed, it will maintain the privacy of the data sent over HTTPS. Data will not be modified or tampered with because of SSL.
  • Maintain Trust: You will earn the trust of your site visitors if your website has an SSL certificate installed. Trust can boost your traffic, conversion rate, and sales volume.

HTTPS SEO Tips:

Do not worry about tips 1 to 4 if you have implemented the steps after installing the SSL certificate.

  1. Your website must have only one canonical HTTPS version. All other URLs should 301 redirect to your preferred site address.
  2. Redirection should be direct. Do not use multiple-redirect chains like http://www.yourwebsite.com to https://www.yourwebsite.com to https://yourwebsite.com
  3. Every redirect should be a permanent 301 redirect. Do not use 302 temporary redirects; they will cause indexing problems, and you may lose link juice.
  4. Implement HTTP Strict Transport Security to instruct browsers to use only the HTTPS version of the web pages.
  5. Make sure to add a canonical tag on every page pointing to the HTTPS version. The Yoast SEO WordPress plugin will do it for you.
  6. Check for mixed content. All your CSS, JavaScript, images and other files should use HTTPS. Otherwise, your website will not be fully encrypted. If you are using a CDN, then use the SSL version of the CDN host.
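Tips 5 and 6 can be checked on a saved copy of a page. The following is an added example, not code from the original article: it parses HTML and reports every subresource, canonical tag or form action that still points to http://. The sample page is constructed, cdn.example.com is a placeholder host, and the list of tags covered is this example's own choice rather than a complete inventory.

```python
from html.parser import HTMLParser

# Tags whose src attribute makes the browser fetch a subresource.
SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed", "track"}
# <link rel="..."> values that trigger a fetch (a plain hyperlink does not).
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}


class HttpReferenceFinder(HTMLParser):
    """Collects (kind, tag, url) for every reference that still uses http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            if "canonical" in rels:
                kind = "canonical"
            elif rels & LOADING_RELS:
                kind = "mixed-content"
            else:
                return
            url = attrs.get("href", "")
        elif tag == "form":
            kind, url = "form-action", attrs.get("action", "")
        elif tag in SRC_TAGS:
            kind, url = "mixed-content", attrs.get("src", "")
        else:
            return  # <a href> and other tags do not load anything into the page
        if url.lower().startswith("http://"):
            self.findings.append((kind, tag, url))


def find_http_references(html):
    """Return the list of (kind, tag, url) findings for one HTML document."""
    finder = HttpReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page for the article's placeholder domain.
SAMPLE_HTML = """<html><head>
<link rel="canonical" href="http://yourwebsite.com/post/">
<link rel="stylesheet" href="https://yourwebsite.com/style.css">
<script src="http://cdn.example.com/lib.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<img src="http://yourwebsite.com/wp-content/uploads/photo.jpg">
<a href="http://example.org/">external link, not a subresource</a>
<form action="http://yourwebsite.com/login" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_http_references(SAMPLE_HTML):
        print(f"{kind:14} <{tag}> {url}")
```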

I would recommend using SSL for all your websites. It will help you to take your business to the next level.

Follow these HTTPS SEO tips and make sure that you have fully encrypted and perfectly installed SSL certificate.

Conclusion:

Installing an SSL certificate is not sufficient. You should take care of all the other things regarding HTTPS. A perfect SSL installation is necessary to get the benefits of HTTPS SEO.

It is easy to install SSL, but it takes time to make it perfect. This time is worth it as it will give you a lot of perks.

Have you installed SSL certificate on your website? If Yes, is it perfectly installed?

Thanks in advance for sharing this definitive guide.