What Is an SSL Certificate and Why Does Your UK Business Need One?

What an SSL Certificate Actually Does

An SSL certificate does two things: it encrypts data transmitted between the visitor's browser and your server, and it provides cryptographic proof of identity — confirmation that the website they are connecting to is genuinely the organisation it claims to be.

The encryption matters for any site handling personal data. Form submissions, login credentials, contact details — without encryption, this data travels across the internet in plain text, readable by anyone positioned between the browser and the server. On public WiFi networks, this interception is straightforward. On any network, the absence of encryption is a GDPR compliance risk for any site with a contact form.

The identity verification matters for trust signals. Browsers display a padlock icon when a valid SSL certificate is present. They display 'Not Secure' prominently when it is absent. A significant proportion of users abandon a form completion or purchase when they see this warning — and modern browsers now display it aggressively on any HTTP page containing an input field.

The Google Ranking Factor

Google confirmed HTTPS as a ranking signal in 2014. Since then, the weighting of this signal has increased, and in 2018 Chrome began marking all HTTP pages as 'Not Secure.' In practice, a website without a valid SSL certificate carries a ranking disadvantage — one that is entirely unnecessary to carry, given that SSL certificates are widely available at zero or minimal cost.

The signal is one of hundreds of ranking factors. But in competitive markets where the difference between ranking position 2 and position 5 is the cumulative sum of many marginal signals, removing an unnecessary negative is always the correct decision. Particularly when that removal carries no trade-off.

Types of SSL Certificate

Domain Validation (DV) certificates verify that the applicant controls the domain and are issued automatically within minutes. They are appropriate for most business websites where the primary requirement is encryption rather than extended identity verification.

Organisation Validation (OV) certificates require the certificate authority to verify the organisation's existence through business registration records. They carry a marginally higher trust signal and are appropriate for established businesses wanting to demonstrate verified organisational identity.

Extended Validation (EV) certificates involve the most rigorous verification process. Most modern browsers have removed the distinctive visual treatment historically associated with EV certificates, making them difficult to justify on cost grounds for most business websites.

For the overwhelming majority of UK business websites, a properly configured DV certificate from a trusted certificate authority — Let's Encrypt, Sectigo, or DigiCert — is entirely sufficient for both security and ranking purposes.

Certificate Expiry: The Avoidable Crisis

SSL certificates have a validity period, currently a maximum of 398 days. When a certificate expires, browsers display a full-screen warning to visitors: 'Your connection is not private' with the option to go back to safety. Most visitors choose to go back. The site becomes effectively inaccessible for the duration of the expiry.

Certificate expiry is entirely preventable. Automated renewal — available through Let's Encrypt and most managed hosting providers — renews the certificate 30 days before expiry without any manual intervention. Despite this, certificate expiry remains one of the most common avoidable causes of sudden website access failure encountered in annual site audits.

A certificate expiry with no monitoring in place can leave your site inaccessible for days before anyone in the organisation notices. Automated renewal costs nothing and eliminates the risk completely.