SSL Certificate 2026 — What It Is, Why It Matters, and How to Get One

Free Let's Encrypt is enough for 90% of businesses. Modern hosting bundles HTTPS automatically. The 4 SSL mistakes that still bite — and how to dodge them.

5 min read · By Boncz Bálint

SSL certificate — in one sentence

An SSL certificate (technically TLS, but the market still says SSL) is a digital credential that encrypts traffic between a browser and your website. Without it, passwords, payment data, and personal information travel in plain text and anyone listening on the network can read them.

By 2026, every website needs HTTPS. Without an SSL certificate, Chrome, Firefox, and Safari display a “Not Secure” warning, Google penalises you in rankings, and serving any personal data over HTTP violates GDPR.

What an SSL certificate actually does

Three things at once:

  1. Encrypts traffic — TLS uses AES-256 or ChaCha20 to scramble communication.
  2. Authenticates the server — a trusted Certificate Authority (Let's Encrypt, DigiCert, Sectigo) vouches that appforge.hu really is the AppForge server.
  3. Guarantees integrity — data cannot be modified mid-flight.

To users this is a green padlock in the address bar (or a Not Secure warning if missing). Behind the scenes, it is the trust foundation of the modern web.

SSL types in 2026

| Type | What it validates | Typical price | Best for |
|---|---|---|---|
| DV (Domain Validated) | You own the domain | Free (Let's Encrypt) – $80/yr | Marketing sites, blogs |
| OV (Organization Validated) | You + your company exists | $80–200/yr | Ecommerce, B2B sites |
| EV (Extended Validation) | Deep company verification | $200–600/yr | Banks, payment providers |
| Wildcard | `*.appforge.hu` (all subdomains) | $150–500/yr | Multi-subdomain |
| Multi-Domain (SAN) | Multiple domains in one cert | $250–1,000/yr | Brand groups |

How to get an SSL certificate — three scenarios

1. Modern hosting (Cloudflare Pages, Vercel, Netlify) — automatic, free

If your site runs on Cloudflare Pages, Vercel, or Netlify (the stack we typically ship), SSL is built in. Connect your domain and HTTPS is live within 5–30 minutes. Renewal is fully automatic every 60–90 days.

2. Traditional hosting (cPanel, Plesk) — Let's Encrypt one click

cPanel hosts have an “AutoSSL” or Let's Encrypt button. One click, 5 minutes, done. Auto-renewal included.

3. Self-managed server (VPS, dedicated) — Certbot

If you run your own VPS (Hetzner, DigitalOcean, AWS), use the certbot CLI:

```bash
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d appforge.com -d www.appforge.com
```

Certbot configures the web server, fetches the cert, and adds a renewal cron job. 5–10 minutes the first time.

Does SSL really impact SEO?

Yes, measurably:

  • Google ranking signal since 2014 — not new, but in 2026 it is table stakes, not a bonus.
  • Core Web Vitals — HTTP/2 and HTTP/3 only run over HTTPS, and they are materially faster than HTTP/1.1. Typical page-load improvement: 200–500 ms.
  • Trust signal — the Not Secure warning hurts. Studies show 23–40% immediate bounce on flagged pages.

Common SSL mistakes we see

1. Mixed content — page is HTTPS, but assets are not

The page is HTTPS but an embedded image or script loads via HTTP. The browser warns, Google penalises. Fix: every URL HTTPS, or protocol-relative (//cdn.example.com).
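A pre-launch audit for this mistake can be automated. The scanner below is an added example, not code from the original article: it assumes the HTML is served over HTTPS, uses constructed sample markup, and also flags forms that post to plain HTTP, which goes slightly beyond the image and script case described above.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that fetch a subresource. "blockable" loads are refused
# on an HTTPS page; "upgradeable" media loads are auto-upgraded or flagged.
BLOCKABLE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}
UPGRADEABLE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
FETCHING_RELS = {"stylesheet", "preload", "modulepreload"}

class MixedContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, category, url)

    def classify(self, tag, name, attrs):
        if (tag, name) in BLOCKABLE:
            return "blockable"
        if (tag, name) in UPGRADEABLE:
            return "upgradeable"
        if (tag, name) == ("link", "href"):
            rels = set(attrs.get("rel", "").lower().split())
            return "blockable" if rels & FETCHING_RELS else None
        if (tag, name) == ("form", "action"):
            return "insecure-form"  # submitted data leaves over plain HTTP
        return None  # e.g. <a href>: navigation, not a subresource

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "").strip() for k, v in attrs}
        for name, url in attrs.items():
            # https://, //host/path and relative URLs all stay on HTTPS.
            if url.lower().startswith("http://"):
                category = self.classify(tag, name, attrs)
                if category:
                    self.findings.append((self.getpos()[0], tag, category, url))

def audit(html):
    auditor = MixedContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample markup, assumed to be served over HTTPS.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="//cdn.example.com/app.js"></script>
<img src="http://img.example.com/logo.png">
<a href="http://partner.example.org/">Partner</a>
<form action="http://www.example.com/contact" method="post"></form>"""

if __name__ == "__main__":
    for line, tag, category, url in audit(SAMPLE):
        print(f"line {line}: <{tag}> {category}: {url}")
```

The scan covers static markup only; URLs assembled by JavaScript at runtime or referenced from inside CSS files need a browser-based check.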

2. Expired certificate

Let's Encrypt certificates expire after 90 days. If auto-renewal breaks, the site flips to Not Secure overnight. Always set up monitoring — UptimeRobot SSL monitor or similar, alerting 14 days before expiry.

3. Bad TLS configuration

Server still supports TLS 1.0 / 1.1 (deprecated) or weak cipher suites. Mozilla SSL Labs (ssllabs.com/ssltest) grades for free. Modern 2026 stack: TLS 1.2 and 1.3 only, ECDHE+AES256-GCM.

4. Cert covers only www. or only apex

www.example.com and example.com are separate hosts. Both need a cert (or a 301 redirect to one). Let's Encrypt handles both with `-d www.example.com -d example.com`.
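Mistakes 2 and 4 can be caught by one scheduled check. The script below is an added example, not code from the original article: it reads the certificate dictionary that Python's `ssl` module returns, applies the 14-day alert window mentioned above, and verifies that every required hostname appears in the certificate's SAN list. The sample certificate and dates are constructed.

```python
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = 14  # alert window recommended in the article

def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate as the dict getpeercert() produces."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Match a SAN dNSName; a wildcard covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_cert(cert, required_hosts, now=None):
    """Return a list of problems; an empty list means the certificate is healthy."""
    now = now or datetime.now(timezone.utc)
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (datetime.fromtimestamp(expiry, timezone.utc) - now).days
    problems = []
    if days_left < 0:
        problems.append(f"expired {-days_left} days ago")
    elif days_left <= ALERT_DAYS:
        problems.append(f"expires in {days_left} days")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for host in required_hosts:
        if not any(name_matches(pattern, host) for pattern in sans):
            problems.append(f"{host} not covered by certificate")
    return problems

# Constructed sample: a certificate issued for www only, close to expiry.
SAMPLE_CERT = {
    "notAfter": "Jun 30 12:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}
SAMPLE_NOW = datetime(2026, 6, 20, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for problem in check_cert(SAMPLE_CERT, ["example.com", "www.example.com"], SAMPLE_NOW):
        print(problem)
```

For a live check, pass `fetch_cert("www.example.com")` to `check_cert`. `fetch_cert` raises `ssl.SSLCertVerificationError` when the certificate is already expired or does not match the host, so a monitor should treat that exception as an alert as well.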

SSL and GDPR — the legal angle

GDPR Article 32 requires data processors to apply appropriate technical security measures. Transmitting personal data (e.g. a contact form) over plain HTTP is a GDPR violation. Hungarian DPA fines for this start around €13k as of 2024.

What to expect from a developer or agency in 2026

A modern web build (e.g. what AppForge ships) includes by default:

  • HTTPS on every page, auto-renewal
  • HSTS header (Strict-Transport-Security)
  • TLS 1.2 / 1.3 only, A+ SSL Labs grade
  • HTTP/2 or HTTP/3
  • Pre-launch mixed-content audit
  • SSL monitoring

If a developer does not mention these unprompted, that is a red flag. See our guide on how to choose a web development agency.

Conclusion

How much does an SSL certificate cost in 2026?

For most companies, $0. Let's Encrypt issues free DV certificates and modern hosting (Cloudflare Pages, Vercel, Netlify) bundles a free cert with auto-renewal. Paid certificates only make sense in regulated industries — finance, healthcare — where OV or EV validation has compliance value.

Can one certificate cover multiple domains?

Yes. A SAN (Subject Alternative Name) certificate covers multiple domains in a single cert. Let's Encrypt supports up to 100 domains per cert. A wildcard cert (`*.example.com`) covers any subdomain of one apex.

Does a bad SSL certificate break the site?

From a visitor's perspective — yes. Expired or misconfigured certificates trigger red browser warnings (Chrome's `NET::ERR_CERT_DATE_INVALID`) and most users will not click through. Always set up monitoring (e.g. UptimeRobot SSL monitor) with a 14-day expiry alert.

Is HTTPS still a Google ranking factor in 2026?

Yes. It has been a confirmed ranking signal since 2014. In 2026 it is table stakes, not a bonus — your competitors all have HTTPS, so going without it is a pure penalty. HTTPS also unlocks HTTP/2 and HTTP/3, which improve Core Web Vitals by 200–500 ms.

What about HSTS — is it really necessary?

Strongly recommended. HTTP Strict Transport Security tells browsers to never connect over plain HTTP, which prevents downgrade attacks. Add `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` to your HTTPS responses. Submit your domain to the HSTS preload list once you are confident in the configuration.
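Before submitting to the preload list, the header can be checked mechanically. The validator below is an added example, not code from the original article: it parses a `Strict-Transport-Security` value following the RFC 6797 rules (case-insensitive directives, no duplicates, `max-age` required) and compares it with the preload list requirements published at hstspreload.org (one-year `max-age`, `includeSubDomains`, `preload`). The function names are illustrative.

```python
PRELOAD_MIN_AGE = 31536000  # one year, the max-age used in the article's header

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = val.strip().strip('"')  # max-age may be quoted
    max_age = directives.get("max-age", "")
    if not (max_age.isascii() and max_age.isdigit()):
        raise ValueError("max-age is required and must be a non-negative integer")
    return directives

def evaluate_hsts(value):
    """Return a list of issues; an empty list means the header is preload-ready."""
    try:
        directives = parse_hsts(value)
    except ValueError as exc:
        return [f"invalid header, browsers ignore it: {exc}"]
    issues = []
    max_age = int(directives["max-age"])
    subdomains = "includesubdomains" in directives
    if max_age == 0:
        issues.append("max-age=0 tells browsers to forget the HSTS policy")
    elif max_age < PRELOAD_MIN_AGE:
        issues.append(f"max-age {max_age} is below the one-year value needed for preloading")
    if not subdomains:
        issues.append("includeSubDomains missing: subdomains remain reachable over HTTP")
    if "preload" in directives and (max_age < PRELOAD_MIN_AGE or not subdomains):
        issues.append("preload is set but the preload list requirements are not met")
    return issues

if __name__ == "__main__":
    # Constructed sample header values.
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=300; preload"):
        print(header, "->", evaluate_hsts(header) or "preload-ready")
```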

Do I need an EV certificate for a payment site?

Probably not. Browsers have not displayed the green company name bar since 2019, so EV's main UX advantage is gone. PCI DSS compliance does not require EV — DV with TLS 1.2/1.3 and proper cipher suites is enough. EV makes sense only if your bank or insurer specifically demands it.

Want a free SSL and security check? Book a quick consultation and we will audit your SSL setup, HSTS, TLS configuration, and mixed content alongside the rest of your site.