For a long time, SSL encryption was considered only a "nice to have" by webmasters. But establishing a secure connection between client and server offers more benefits than you think.
At the latest since Google declared "https" a ranking factor in August 2014, website operators should inform themselves about how encryption of their website works. Since 1 January 2017, secure connections have also been marked in the SERPs by "https" in front of the URL. However, there are still many websites that are offered without SSL encryption. In this article we will show you how to set up an SSL certificate for your website and what to look out for when doing so.
Which steps are necessary for SSL encryption?
- Consider which SSL certificate you need.
- Buy the certificate from a provider.
- Install the SSL certificate on your server.
- Select which folders, subpages etc. are to be encrypted.
- Check SSL encryption with a tool.
What is SSL?
SSL stands for "Secure Sockets Layer" and refers to an encryption protocol. Strictly speaking, SSL is the predecessor of TLS (Transport Layer Security), but the term SSL is commonly used for both. TLS is a modified version of the last version of SSL that eliminates some critical vulnerabilities of SSL. The use of an encryption protocol ensures that data transfers are encrypted and therefore more secure.
What happens during SSL encryption?
When a website is secured by SSL, the connections between a client and the server are encrypted. This means that visitors can call up your website securely with their browser and, for example, enter data when placing an order without this data being read by third parties. In order to establish a secure connection between the browser and the server, the browser asks the server whether it belongs to the called domain. In order to confirm this connection, an SSL certificate is required, which thus represents a kind of proof of legitimacy of the website.
The required SSL certificates are issued by so-called "Certification Authorities" or "Certificate Authorities" (CAs). If the SSL certificate is issued for a publicly accessible website, the corresponding CA first verifies all information about this site. The certificate is then publicly viewable and deposited with the CA. To create the encryption, the public key is used first to secure the transmitted information. Only with a second key, which is stored on the certified server, can this data be decrypted.
Select the appropriate SSL certificate
There are various providers of SSL certificates authorized by the CA Security Council. The CASC is an interest group that wants to increase security on the Internet. Some of the well-known providers of SSL certificates are GlobalSign, GeoTrust, Symantec, AlphaSSL, RapidSSL and Thawte.
When choosing the appropriate SSL certificate, it is important whether the domain to be protected is publicly accessible or not. Public SSL certificates can only be issued for public domains, because the certificate authorities cannot clearly assign the ownership of private servers or an intranet. For this reason, the following is mainly about SSL certificates for public websites.
SSL certificates are available in different trust levels. It is important how much information a transmitted file contains and how strongly it is protected.
Basically, there are three different SSL certificates available:
1. Extended Validation (EV) – highest level of encryption
2. Organization Validated (OV) – medium encryption level
3. Domain Validated (DV) – lowest level of encryption
If you now want to decide on a certificate, you should first ask yourself how much security and trust you want to offer your visitors. Also consider how strong your brand is so far. For example, your brand can be associated with the certificate and all domains published under the brand will be protected.
1. Extended Validation or EV certificate
In order to obtain this certificate, a large amount of information is requested from the issuing authorities. The criteria are considered to be the strictest that must be met in order to obtain SSL encryption. Not only a single site is certified, but the entire company.
The EV certificate assures visitors that your website is operated by your company and that connections to these domains are secure.
2. Organization Validated or OV Certificate
These SSL certificates also include an authentication of your company. To obtain the certificate, the respective company checks some data that you provide. However, your information is not highlighted as much as with the more comprehensive EV Certificate. If visitors want to see this data, they have to call up the individual details separately.
3. Domain Validated or DV Certificate
A DV certificate also encrypts your website via SSL. But in fact the certificate contains much less data about you and your company. The DV certificate is just a validation that you are the owner of the website and actively manage the site. However, such a certificate does not confirm that it was issued specifically for your company or that your site is actually operated by your company. It is therefore recommended, especially for online stores or other commercially operated websites, to use at least the OV certificate.
Figure 1: Infographic on how to set up an SSL certificate from Ryte.
One domain or several?
In the next step, you should check whether you need SSL protection for only one domain or for a whole series of domains. If you only want to secure one domain, a single domain certificate or a so-called "standard certificate" is sufficient. You can choose between the three authentication levels here.
If you want to secure multiple domains or subdomains with SSL, you can choose a multi-domain or wildcard certificate. At first the costs will be higher than for a single certificate, but in total it is cheaper to protect several domains with a multi-domain version. The certificates for multiple domains are also called "Subject Alternative Name certificates", or SAN certificates for short.
Integrate the SSL certificate
If you have purchased the SSL certificate from a provider, you will usually receive instructions from the provider on how to implement it. The steps are always similar:
Install the SSL certificate on your server. If you don’t use a dedicated server, some web hosts offer an SSL solution in just a few clicks. How the SSL certificate is implemented depends on your server type. A good overview of the installation of the SSL certificate on different servers such as Apache or Exchange can be found here.
Checklist – You should pay attention to these six points
✓ After installing the SSL certificate, remember to set up a 301 redirect from the http version of your website to https
This prevents Google from continuing to index both versions. Otherwise, because of the duplicate content, Googlebot does not know which version should be preferred. This can ultimately hurt the ranking of both versions.
Figure 2: Extract from the single page analysis of Ryte.
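A check for the redirect described above, as an added example that is not part of the original article: it audits the recorded answers to an http request and reports temporary status codes, hops that stay on http, lost paths and unnecessary chains. The function name, the acceptance of 308 next to 301, and the sample responses are assumptions made for this example.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}  # assumption: 308 is accepted alongside the 301 the article names

def audit_redirect_chain(hops):
    """hops: [(requested_url, status, location_header_or_None), ...] in request order.
    Returns a list of findings; an empty list means a clean http -> https redirect."""
    findings = []
    start = urlsplit(hops[0][0])
    for i, (url, status, location) in enumerate(hops, 1):
        if not location or not 300 <= status < 400:
            findings.append(f"hop {i}: {url} answers {status} without redirecting")
            break
        if status not in PERMANENT:
            findings.append(f"hop {i}: status {status} is not a permanent redirect")
        # Resolve relative Location values against the URL that was requested.
        target = urlsplit(urljoin(url, location))
        if target.scheme != "https":
            findings.append(f"hop {i}: target {target.geturl()} is still http")
        final = target
    else:
        # Only reached when every hop redirected: compare start and end of the chain.
        if (final.path or "/") != (start.path or "/") or final.query != start.query:
            findings.append("final URL does not preserve the requested path and query")
        if len(hops) > 1:
            findings.append(f"{len(hops)} hops; redirect straight to the https URL")
    return findings

# Constructed sample responses (example.com is a placeholder domain).
CLEAN = [("http://example.com/shop?id=7", 301, "https://example.com/shop?id=7")]
TEMPORARY = [("http://example.com/shop", 302, "https://example.com/shop")]
CHAIN = [
    ("http://example.com/shop", 301, "http://www.example.com/shop"),
    ("http://www.example.com/shop", 301, "https://www.example.com/"),
]
NO_REDIRECT = [("http://example.com/", 200, None)]

if __name__ == "__main__":
    for name, hops in [("clean", CLEAN), ("temporary", TEMPORARY),
                       ("chain", CHAIN), ("none", NO_REDIRECT)]:
        print(name, audit_redirect_chain(hops))
```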
✓ Register your https domain in the Google Search Console
This is how you ensure that Google correctly attributes data such as clicks or errors to your website. To do this, log in to Search Console with your Google account. Then click on "Add property" in the menu on the left.
There you have the possibility to create individual https properties to test them later. However, it always makes sense to register the entire domain in the Google Search Console, because then you don’t have to enable a new property for each protocol individually.
Figure 3: Create domain or https page in Google Search Console.
✓ Register the https page in your web analysis tools
To ensure that your website is tracked correctly, you should also adjust the protocol setting in Google Analytics and other web analytics tools.
In Google Analytics, click on the cogwheel with the "Administration" button in the lower left corner. There you can change the website protocol with one click.
Figure 4: Change Google Analytics to https.
✓ Adjust internal links and put https in front of them to make the connections secure
For this purpose, you can first check all templates and look for page-wide links. Overview pages can be checked manually. The "Website Success" module from Ryte can also help you at this point.
To do this, click on "Link Targets" in the "Links" area. After that you will see all internal link targets with the corresponding protocol. In the Pro version you have the possibility to export this list as an Excel table.
Figure 5: Check link targets with Ryte.
By means of a filter you can also check whether internal links with http are still present.
Figure 6: Check link targets with Ryte.
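The same check for leftover http references can be scripted against a template or a saved page. The following is an added example, not part of the original article or of Ryte's tooling; besides href links it also looks at src and action attributes, and the class name, function name and sample markup are assumptions made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "src", "action"}  # attributes that carry a URL

class InsecureLinkFinder(HTMLParser):
    """Collect absolute http:// references, split into own and foreign hosts."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.internal, self.external = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            value = value.strip()
            parts = urlsplit(value)
            if parts.scheme.lower() != "http":
                continue  # https, relative and protocol-relative URLs pass
            own = (parts.hostname or "") in self.own_hosts
            (self.internal if own else self.external).append((tag, name, value))

def find_http_links(html, own_hosts):
    """Return (internal, external) lists of (tag, attribute, url) still using http."""
    finder = InsecureLinkFinder(own_hosts)
    finder.feed(html)
    return finder.internal, finder.external

# Constructed sample markup (www.example.com stands in for your own domain).
SAMPLE_HTML = """
<a href="http://www.example.com/products">Products</a>
<a href="/contact">Contact</a>
<img src="http://WWW.example.com/logo.png">
<form action="https://www.example.com/order"></form>
<a href="http://partner.example.net/">Partner</a>
"""

if __name__ == "__main__":
    internal, external = find_http_links(SAMPLE_HTML, ["www.example.com"])
    for tag, attr, url in internal:
        print(f"fix: <{tag} {attr}> {url}")
    print(f"{len(external)} external http link(s) left for manual review")
```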
✓ Correct links to your domain stored in AdWords or other advertising programs
Search for ad groups in the Google AdWords management interface. There you have the possibility to change the protocol for the link to your website to https. When adjusting the links, also think about the AdWords extensions such as sitelinks or offer URLs.
Figure 7: Change the website protocol in Google AdWords ads.
If you are running Google Shopping Ads, you should also change your address in the Google Merchant Center. Remember that the links to your products submitted in the CSV file must also use https.
✓ Also update the https domain in social network profiles such as Facebook or Twitter
To do this, log in to the appropriate profiles and change the protocol.
Figure 8: In the info view for a website, the https protocol is visible for a Facebook profile.
Costs and duration of SSL certificates
All SSL certificates are only issued for a certain period of time. As a rule, the selectable terms are between one and five years. Payment for an SSL certificate is always made in advance for the entire term of the certificate.
Simple DV certificates are available for less than 100 euros per year. When it comes to multi-domain SSL certificates or products with wildcards, the fees can also be more than 1,000 euros per year. Prices vary from provider to provider and it is worthwhile to compare the costs before booking a certificate. Of course, there are also completely free providers such as letsencrypt.org.
Once you have decided on a certificate, it is usually easiest if you extend the duration each time. But you also have the option to switch to another provider or another certificate. This can be useful, for example, if you add a new site to your portfolio and want to turn a certificate for one domain into a multi-certificate.
Keep in mind, however, that the verification of your site may take a few days. By the way, your site will also be checked in case of a renewal. It is therefore best to request a renewal at least 30 days before the certificate expires or alternatively request the new certificate. This way you avoid double booking of certificates and double payment, because SSL certificates must always be paid in advance for at least 12 months.
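Both the choice between single, SAN and wildcard certificates discussed earlier and the 30-day renewal window above can be checked against the certificate a server actually presents. This is an added example, not part of the original article: the function names and the sample certificate are assumptions, and the wildcard rule is simplified to the common case of one "*" as the entire leftmost label.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port=443):
    """Fetch the validated server certificate as a dict (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_covers(pattern, hostname):
    """Match one DNS SAN entry; '*' stands for exactly one leftmost label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # '*.example.com' covers neither example.com nor a.b.example.com
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def audit(cert, hostnames, now, renew_days=30):
    """Return (hostnames not covered, days until expiry, renewal due?)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    uncovered = [h for h in hostnames if not any(san_covers(s, h) for s in sans)]
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    return uncovered, days_left, days_left <= renew_days

# Constructed sample in the dict layout returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}
SAMPLE_HOSTS = ["example.com", "www.example.com", "shop.eu.example.com"]
SAMPLE_NOW = datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    # For a live check use: audit(fetch_cert("your-domain"), hosts, datetime.now(timezone.utc))
    print(audit(SAMPLE_CERT, SAMPLE_HOSTS, SAMPLE_NOW))
```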
An SSL certificate is essential today for building trust with customers and visitors, as well as with Google. It is therefore all the more important that you also secure your site with SSL. For small blogs without registration forms or shopping carts, a simple certificate is usually enough. However, if you want to secure a webshop or run several commercial websites, a multi-domain certificate or EV certificate is certainly the best solution. In all cases, it is important that you set up appropriate redirects after converting the website to https in order to avoid duplicate content. Because even the greats of our time understood the importance of a secured site.