
SSL Certificate Setup: A Complete Guide for 2026


An SSL certificate (more accurately, a TLS certificate) encrypts traffic between a visitor’s browser and a website. In 2026, it is non-negotiable: browsers warn visitors on any site without HTTPS, search engines rank HTTPS sites preferentially, and most modern web features (geolocation, service workers, payment APIs) require it. Free certificates from Let’s Encrypt or Cloudflare cover 95 percent of business needs. The setup takes 15 minutes on most hosts and renews automatically once configured.

What an SSL Certificate Actually Does

SSL (Secure Sockets Layer) is the original name. The protocol has been called TLS (Transport Layer Security) since 1999, but the term SSL stuck. Both refer to the same thing: a cryptographic certificate that proves a website’s identity and encrypts data in transit.

When a visitor loads an HTTPS page, three things happen. First, the browser fetches the certificate from the server. Second, the browser verifies that the certificate was issued by a trusted Certificate Authority (CA) and matches the domain. Third, the browser establishes an encrypted session using the certificate’s public key. From that point, all traffic between the browser and the server is encrypted in transit.

What HTTPS prevents:

  • Eavesdropping on coffee-shop Wi-Fi or compromised networks
  • Man-in-the-middle attacks injecting malicious code
  • ISPs or governments injecting ads or tracking pixels
  • Browser warnings that scare visitors away
  • Search engine ranking penalties

Types of SSL Certificates

Three certificate types exist. The differences mostly come down to validation level, not encryption strength.

Domain Validated (DV): the CA verifies that the requester controls the domain. Issued in minutes via DNS or HTTP challenges. Free from Let’s Encrypt. Used by 95+ percent of sites.

Organization Validated (OV): the CA verifies the organization exists and matches the domain registration. Takes 1 to 3 days, costs $50 to $200 per year. Visible in certificate details but not in the address bar.

Extended Validation (EV): the CA performs deeper organization verification. EV certificates used to trigger a green address bar showing the company name, but modern browsers no longer display it prominently. Costs $200 to $1,000 per year. Rarely worth the cost in 2026.

For most marketing sites, DV is correct. For ecommerce sites with significant financial transactions, OV adds a small trust signal. EV is mostly legacy.

Certificates also differ in scope:

  • Single-domain: covers one specific domain (yoursite.com or www.yoursite.com)
  • Wildcard: covers all subdomains of one domain (anything.yoursite.com). Important for sites with many subdomains.
  • Multi-domain (SAN): covers multiple specific domains in one certificate. Useful for sites that own related domains.

Free Certificates: Let’s Encrypt and Cloudflare

Let’s Encrypt is a free, automated, non-profit Certificate Authority that has issued over 4 billion certificates. It is the default on most modern hosts.

Let’s Encrypt certificates have specific properties:

  • Free and unlimited
  • 90-day validity (forces automatic renewal habits)
  • DV only (not OV or EV)
  • Trusted by 99.9 percent of browsers
  • Issued via the ACME protocol

Cloudflare offers Universal SSL free to anyone using Cloudflare DNS or proxy services. The certificate is issued automatically when a domain is added. Cloudflare also offers Advanced Certificate Manager ($10 per month) for custom hostnames and longer validity.

For most businesses in 2026, the choice is between Let’s Encrypt (managed by the host) or Cloudflare Universal SSL (managed by Cloudflare). Both are free, both are trusted everywhere, and both renew automatically.

Setup on Common Hosts

The setup procedure depends entirely on the platform.

Cloudways, WP Engine, Kinsta: SSL is included. Click Install Free SSL in the dashboard and select Let’s Encrypt. Enter the email address. Done. The certificate provisions in 5 to 15 minutes and renews automatically.

cPanel hosts (SiteGround, Bluehost, HostGator): open SSL/TLS Status and click Run AutoSSL. A Let’s Encrypt or Sectigo certificate provisions automatically.

Cloudflare (any host): add the domain to Cloudflare, update nameservers to Cloudflare’s, and SSL is automatic. Set the SSL/TLS encryption mode to Full (strict) for production sites.

AWS, Azure, GCP: use the cloud provider’s certificate manager (AWS Certificate Manager, Azure Key Vault, Google Managed SSL). Free and automated when used with the provider’s load balancers and CDNs.

Vercel, Netlify, Framer, Webflow: SSL is automatic. Add the custom domain in the dashboard, point DNS to the platform, and the certificate provisions in minutes.

Self-hosted (your own server): use Certbot, which automates Let’s Encrypt:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yoursite.com -d www.yoursite.com
sudo systemctl status certbot.timer  # confirms auto-renewal is running

Certbot configures Nginx or Apache automatically and sets up a renewal timer.

Configuration Best Practices

Beyond the certificate itself, several settings determine real-world security.

HTTPS redirect: all HTTP traffic should redirect to HTTPS. Configure at the server, framework, or CDN level.

# Nginx redirect from HTTP to HTTPS
server {
    listen 80;
    server_name yoursite.com www.yoursite.com;
    return 301 https://$host$request_uri;
}

HSTS (HTTP Strict Transport Security): tells browsers to always use HTTPS for the domain, even if the user types http:// or clicks an old http link.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Submit the domain to the HSTS preload list at hstspreload.org once HSTS is working. Preloading bakes the HTTPS-only behavior into browsers permanently.

TLS version: disable TLS 1.0 and 1.1 (deprecated). Allow TLS 1.2 and 1.3. TLS 1.3 is faster and more secure than 1.2.

Cipher suites: use modern, strong cipher suites. Mozilla’s SSL Configuration Generator (ssl-config.mozilla.org) produces secure configurations for Nginx, Apache, and other servers. Test the result with SSL Labs (ssllabs.com/ssltest).

Aim for an A or A-plus grade on SSL Labs. Most modern hosts ship with appropriate defaults. The website speed optimization guide covers related performance concerns.

Mixed Content: The Hidden Trap

The most common SSL setup problem after switching to HTTPS is mixed content. The page loads over HTTPS but includes resources (images, scripts, stylesheets) over HTTP. Browsers either block these resources or display warnings.

Find mixed content with the browser’s DevTools console. Errors look like:

Mixed Content: The page at 'https://yoursite.com/' was loaded over HTTPS,
but requested an insecure resource 'http://other-site.com/script.js'.
This request has been blocked.

Fix by:

  • Updating absolute URLs in content to use https:// or protocol-relative // URLs
  • Running a database search-and-replace on WordPress to convert http://yoursite.com to https://yoursite.com
  • Using the Content Security Policy upgrade-insecure-requests directive as a transitional measure

For WordPress, WP-CLI handles this in one command:

wp search-replace 'http://yoursite.com' 'https://yoursite.com' --all-tables

Tools like Why No Padlock (whynopadlock.com) and SSL Labs both report mixed content issues during diagnosis.
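To audit templates or exported content before the browser does, the scanner below (an added example, not part of the original guide) lists every http:// subresource in a page and separates the kind browsers block from the kind they upgrade or warn about. The names MixedContentScanner and scan, the tag lists, and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Blockable ("active") subresources are refused on an HTTPS page.
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
# Upgradeable ("passive") ones are auto-upgraded to https or load with a warning.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}

class MixedContentScanner(HTMLParser):
    """Collect http:// subresources referenced by a page served over HTTPS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "").strip() for name, value in attrs}
        for name, url in attr_map.items():
            if not url.lower().startswith("http://"):
                continue  # https://, protocol-relative // and relative URLs pass
            if (tag, name) == ("link", "href"):
                rel = attr_map.get("rel", "").lower().split()
                # Stylesheets are fetched and applied to the page. rel=canonical
                # is metadata; other rel values are not classified here.
                if "stylesheet" in rel:
                    self.findings.append(("active", tag, url))
            elif (tag, name) in ACTIVE:
                self.findings.append(("active", tag, url))
            elif (tag, name) in PASSIVE:
                self.findings.append(("passive", tag, url))
            # <a href="http://..."> is navigation, not a subresource: ignored.

def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page, assumed to be served from https://yoursite.com/
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://yoursite.com/style.css">
<link rel="canonical" href="http://yoursite.com/">
<script src="http://other-site.com/script.js"></script>
<script src="https://yoursite.com/app.js"></script>
</head><body>
<img src="http://yoursite.com/logo.png">
<img src="//cdn.yoursite.com/hero.jpg">
<a href="http://example.org/">old link</a>
</body></html>"""
```

Calling scan(SAMPLE) reports the stylesheet and the third-party script as active findings and the logo as passive; the canonical link, the protocol-relative image and the outbound anchor are not mixed content.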

Renewal and Expiration

Let’s Encrypt certificates expire every 90 days. Other DV certificates renew annually. EV certificates renew annually.

Automatic renewal is the only acceptable approach. Manual renewal eventually fails because nobody remembers. Set up:

  • Cron jobs or systemd timers for Certbot
  • Monitoring that alerts 14 and 7 days before expiration
  • Test renewals quarterly to confirm they actually run

Tools like UptimeRobot and Better Uptime include SSL expiration monitoring at no extra cost.
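For teams that want the 14-day and 7-day alerts in their own monitoring, here is one way to implement the check with Python's standard library (an added example, not from the original guide). The function names, tier labels and sample notAfter value are assumptions; check_host needs network access, while alert_level works on any notAfter string.

```python
import socket
import ssl
import time

DAY = 86400

def alert_level(not_after, now=None):
    """Map a certificate notAfter string to the 14-day and 7-day alert tiers.

    not_after uses the format ssl's getpeercert() returns,
    for example 'Jun  1 12:00:00 2026 GMT'.
    """
    now = time.time() if now is None else now
    remaining = ssl.cert_time_to_seconds(not_after) - now
    if remaining <= 0:
        return "expired"
    if remaining <= 7 * DAY:
        return "critical"
    if remaining <= 14 * DAY:
        return "warning"
    return "ok"

def fetch_not_after(host, port=443, timeout=5.0):
    """Complete a verified TLS handshake and return the leaf's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host, now=None):
    """Live check. An expired, mismatched or untrusted certificate fails the
    handshake itself, so that case is reported instead of raising."""
    try:
        return alert_level(fetch_not_after(host), now)
    except ssl.SSLCertVerificationError as exc:
        return "invalid: " + exc.verify_message

# Constructed sample value, not taken from a real certificate.
SAMPLE_NOT_AFTER = "Jun  1 12:00:00 2026 GMT"
EXPIRY = ssl.cert_time_to_seconds(SAMPLE_NOT_AFTER)
```

Run check_host from cron or a systemd timer and alert on anything other than "ok"; a renewal that silently stopped shows up as "warning" well before visitors see NET::ERR_CERT_DATE_INVALID.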

Common SSL Setup Problems

Six problems cover 90 percent of setup issues.

Certificate not provisioning: usually a DNS issue. The domain must resolve to the server before Let’s Encrypt can verify ownership. Wait for DNS propagation (up to 48 hours) before troubleshooting further.

Certificate name mismatch: the certificate covers yoursite.com but the visitor accessed www.yoursite.com (or vice versa). Issue a certificate that covers both, or set up a redirect from one to the other.

Mixed content warnings: covered above. Audit and fix every http:// reference in content.

NET::ERR_CERT_DATE_INVALID: the certificate has expired or has not yet started. Check the renewal timer.

NET::ERR_CERT_AUTHORITY_INVALID: the certificate is self-signed or from an untrusted CA. Use Let’s Encrypt or another trusted CA.

Cloudflare flexible mode (the silent killer): Cloudflare’s Flexible SSL mode encrypts traffic between visitor and Cloudflare but uses HTTP between Cloudflare and the origin. This breaks WordPress redirects and login. Always use Full or Full (strict) mode in production.
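The name-mismatch problem above and the single-domain, wildcard and multi-domain scopes described earlier both come down to how a hostname is matched against the names in a certificate. The added example below (not from the original guide) applies the wildcard rule from RFC 6125, where `*` stands for exactly one left-most label, so a wildcard alone covers neither the bare domain nor nested subdomains. The function names and host list are assumptions, and the check that rejects `*.com` is a simplification of the public-suffix checks browsers perform.

```python
def name_matches(pattern, hostname):
    """Match one certificate SAN entry against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" stands for exactly one label, never zero or several
    if p[0] == "*":
        # Require two fixed labels after the wildcard so "*.com" matches nothing.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h  # no wildcard: exact match only


def coverage(san_entries, hostnames):
    """Return {hostname: bool} for the hostnames a site must serve."""
    return {
        host: any(name_matches(entry, host) for entry in san_entries)
        for host in hostnames
    }


# Constructed hostnames a site might serve, using the guide's placeholder domain.
HOSTS = ["yoursite.com", "www.yoursite.com", "shop.yoursite.com",
         "api.shop.yoursite.com"]

SINGLE = coverage(["yoursite.com"], HOSTS)
WILDCARD = coverage(["*.yoursite.com"], HOSTS)
WILDCARD_PLUS_APEX = coverage(["yoursite.com", "*.yoursite.com"], HOSTS)

if __name__ == "__main__":
    for label, result in [("single", SINGLE), ("wildcard", WILDCARD),
                          ("wildcard+apex", WILDCARD_PLUS_APEX)]:
        missing = [host for host, ok in result.items() if not ok]
        print(f"{label:14} name mismatch on: {missing}")
```

Listing both the bare domain and the wildcard in one certificate closes the most common gap; a second-level name such as api.shop.yoursite.com still needs its own entry.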

Cost Comparison

For most businesses, the cost of SSL is zero. The exceptions:

  • OV certificates: $50 to $200 per year per domain
  • EV certificates: $200 to $1,000 per year per domain (rarely worth it in 2026)
  • Wildcard certificates from paid CAs: $100 to $500 per year (free from Let’s Encrypt)
  • Cloudflare Advanced Certificate Manager: $10 per month for custom hostnames

The total SSL cost for 99 percent of businesses is $0 per year using Let’s Encrypt or Cloudflare. The platform choice handles certificate management automatically.

Modern Web Features That Require HTTPS

Many web features only work on HTTPS:

  • Service workers and Progressive Web Apps
  • Geolocation API
  • Notifications API
  • Camera and microphone access
  • Payment Request API
  • HTTP/2 and HTTP/3 (faster protocols)
  • Most third-party authentication providers

Sites without HTTPS in 2026 have a degraded feature set, ranking penalty, browser warnings, and broken integrations. The cost of not setting up SSL exceeds the cost of setting it up by orders of magnitude.

For Framer-built sites that ship with SSL automatically configured, see our pricing. The Framer SEO guide covers related infrastructure.

Frequently Asked Questions

Are free SSL certificates as good as paid ones?

For most use cases, yes. Let’s Encrypt and Cloudflare Universal SSL provide the same encryption strength as paid DV certificates. The differences (organization validation, longer validity, dedicated support) matter only for specific edge cases. 95+ percent of businesses use free certificates without issue.

How long does an SSL certificate take to install?

On modern hosts (Cloudways, WP Engine, Kinsta, Vercel, Netlify, Framer, Webflow), 5 to 15 minutes from clicking Install to certificate active. On self-hosted servers, 30 to 60 minutes including configuration. DNS propagation can extend this to 24 to 48 hours if the domain is freshly pointed.

What is the difference between SSL and TLS?

TLS is the modern protocol. SSL is the older name (the last SSL version, SSL 3.0, was deprecated in 2015). Today everyone uses TLS but the term SSL has stuck for marketing reasons. When you see SSL Certificate, the actual technology is TLS.

Do I need a separate certificate for every subdomain?

No, if you use a wildcard certificate. A wildcard for *.yoursite.com covers all subdomains in one certificate. Let’s Encrypt issues wildcards free; paid CAs charge $100 to $500 per year. Most modern hosts handle this automatically.

What does Cloudflare’s Full (strict) SSL mode mean?

Full (strict) means traffic is encrypted both between visitor and Cloudflare AND between Cloudflare and the origin server, AND Cloudflare verifies the origin certificate is valid. This is the correct production setting. Flexible (HTTP between Cloudflare and origin) breaks redirects and is insecure. Always use Full (strict).

If you want a Framer build that ships with SSL configured automatically and platform-managed renewal, talk to our team.
