SSL Certificates Explained

What SSL actually does, the difference between DV, OV, and EV certificates, where to get one free, and when a paid certificate is worth buying.

SSL (technically TLS, though the older name persists) is the protocol that encrypts data between a browser and a server. The padlock icon in a browser’s address bar and the “https://” prefix are the visible signs that SSL is active on a site. Every website needs it, regardless of whether it handles payments, collects form data, or is just a static brochure site: since 2018, Chrome marks plain HTTP sites as “Not Secure” in the address bar, which materially affects visitor trust and signals to Google’s indexing system that a site has not been properly maintained.

The certificate itself is a cryptographic file that does two things: it proves to a browser that the server claiming to be yourdomain.com is actually yourdomain.com (not an impersonator), and it establishes the encrypted connection. Certificates are issued by Certificate Authorities (CAs), organisations that verify identity and sign the certificate. The major CAs are DigiCert, Comodo/Sectigo, Let’s Encrypt, and (for free certificates) Cloudflare’s own CA.

The three certificate types are Domain Validation (DV), Organisation Validation (OV), and Extended Validation (EV). A DV certificate confirms that the applicant controls the domain, nothing more. The verification is automated: you prove domain control by adding a DNS record or serving a verification file, and the CA issues the certificate, often within minutes. Let’s Encrypt is the most widely used DV CA and issues free 90-day certificates that auto-renew; Cloudflare issues DV certificates free to any site using its proxy. OV certificates include verified information about the organisation (legal name, country, state), which requires manual vetting by the CA and takes one to three business days. EV certificates are the highest tier: the CA verifies the full legal identity of the organisation, a process that takes up to a week. Both OV and EV certificates cost money; EV certificates from Sectigo via Namecheap start around $80–100/year.

The practical value of OV and EV over DV is limited for most purposes: browsers stopped displaying the green address bar with company name for EV certificates in 2019, and users generally cannot tell the difference between a DV and an OV certificate from the browser UI. OV and EV matter primarily for regulatory compliance, for financial services sites where institutional trust signalling is required, and in B2B contexts where security-conscious procurement teams check certificate details.

For the vast majority of sites, a free DV certificate is the correct and complete solution. Cloudflare issues free SSL certificates to any site using its proxy (including the free Cloudflare tier) with automatic renewal and zero configuration beyond enabling the proxy. Most managed WordPress hosts (Kinsta, WP Engine, SiteGround) issue free Let’s Encrypt certificates automatically as part of the onboarding workflow. Namecheap sells paid DV, OV, and EV certificates from Comodo/Sectigo at competitive prices (their PositiveSSL DV certificate runs around $7–9/year), which is useful if you need a certificate for infrastructure that is not behind Cloudflare and where your host does not provide Let’s Encrypt automation.

The one scenario where a paid certificate has clear practical value beyond compliance theatre is multi-domain (SAN) or wildcard certificates. A wildcard certificate covers the root domain and all first-level subdomains (*.yourdomain.com) under a single certificate, which reduces management overhead for organisations running multiple subdomains. Let’s Encrypt issues wildcard certificates, but the renewal automation requires DNS API access, which is technically more involved. Namecheap’s wildcard certificates from Sectigo start around $40–50/year and the issuance process is well-documented.
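An added example (not from the original article): a Python check of which hostnames a certificate's SAN list actually covers, plus the days left before expiry. A wildcard entry matches exactly one label, so the root domain is covered only when the certificate also lists it as its own name; the certificate dicts are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`, and the hostnames and dates are assumptions.

```python
import ssl
from datetime import datetime, timezone


def san_matches(hostname: str, pattern: str) -> bool:
    """Match one DNS SAN entry against a hostname (leftmost-label wildcard only)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False  # "*" stands for exactly one label, never zero or two
    if pat[0] == "*":
        # Reject over-broad patterns such as "*.com"; compare the remaining labels.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat


def uncovered(cert: dict, hostnames: list[str]) -> list[str]:
    """Return the hostnames that no DNS SAN entry in the certificate covers."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


def days_until_expiry(cert: dict, now: datetime) -> int:
    """Whole days between `now` and the certificate's notAfter timestamp."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


# Constructed sample certificates (getpeercert()-style dicts, not real data).
WILDCARD_ONLY = {
    "subjectAltName": (("DNS", "*.yourdomain.com"),),
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}
WILDCARD_PLUS_ROOT = {
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}
# Hypothetical hostnames a site operator wants served over HTTPS.
SITE_HOSTNAMES = ["yourdomain.com", "www.yourdomain.com",
                  "shop.yourdomain.com", "api.staging.yourdomain.com"]

if __name__ == "__main__":
    now = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed "today"
    for name, cert in (("wildcard only", WILDCARD_ONLY),
                       ("wildcard + root", WILDCARD_PLUS_ROOT)):
        print(name, "uncovered:", uncovered(cert, SITE_HOSTNAMES),
              "days left:", days_until_expiry(cert, now))
```

Second-level names such as `api.staging.yourdomain.com` stay uncovered in both samples and need their own SAN entry or a separate wildcard.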

When to pick what: use Cloudflare’s free SSL for any site already on Cloudflare’s proxy: zero configuration, automatic renewal, excellent reliability. Use your managed host’s built-in Let’s Encrypt integration (available at Kinsta, WP Engine, SiteGround, Cloudways, and most modern hosts) if you are not using Cloudflare proxy. Buy a paid DV certificate from Namecheap if your hosting environment does not support Let’s Encrypt automation. Buy an OV or EV certificate only when your industry, compliance framework, or client contracts specifically require it.