SSL Certificates Explained: Types, Costs, and Why You Need One
SSL certificates encrypt data and build trust. Here is a clear explanation of the different types, what they cost, and which one your site needs.
Marketing Team · February 12, 2026

What Is an SSL Certificate
An SSL certificate is a digital credential that authenticates the identity of a website and enables encrypted communication between the visitor's browser and the web server. When you visit a site with a valid SSL certificate, the browser displays a padlock icon in the address bar and the URL begins with HTTPS instead of HTTP. This visual indicator tells visitors that their connection is secure and that any data they transmit (login credentials, payment information, personal details) is protected from interception by third parties.
SSL stands for Secure Sockets Layer, though the technology has evolved significantly since its original incarnation. Modern implementations use TLS (Transport Layer Security), which is the successor to SSL. The terms SSL and TLS are often used interchangeably in practice, and when people say "SSL certificate" they almost always mean a certificate that supports TLS 1.2 or TLS 1.3. The distinction matters technically but not practically: what matters is that your site encrypts connections and verifies its identity to visitors.
Beyond encryption, an SSL certificate establishes trust. A certificate authority (CA) verifies the certificate applicant's control over the domain (and in some cases, the organization's identity) before issuing the certificate. When a browser encounters the certificate, it checks the CA's signature against its built-in list of trusted authorities. If the signature is valid and the certificate has not expired, the browser establishes a secure connection without warning the user. If anything is wrong (expired certificate, mismatched domain, untrusted CA), the browser displays a prominent warning that drives most visitors away.
How SSL Encryption Works
SSL encryption uses a combination of asymmetric and symmetric cryptography to secure data in transit. The process begins with a handshake: when a browser connects to an HTTPS site, the server presents its SSL certificate, which contains the server's public key. The browser verifies the certificate's validity and then generates a unique session key, encrypts it with the server's public key, and sends it back. Only the server's matching private key can decrypt this message, ensuring that no eavesdropper can intercept the session key.
Once both parties have the session key, they switch to symmetric encryption for the remainder of the connection. Symmetric encryption is orders of magnitude faster than asymmetric encryption, making it practical for encrypting the large volumes of data exchanged during a typical web session. Every piece of data (HTML pages, images, form submissions, API responses) is encrypted before transmission and decrypted upon receipt. Even if an attacker intercepts the traffic, they see only encrypted gibberish without the session key.
TLS 1.3, the latest version of the protocol, streamlined the handshake process to require only one round trip between browser and server, down from two in TLS 1.2. This reduced the latency overhead of establishing a secure connection by approximately 30 to 50 milliseconds. TLS 1.3 also eliminated older, weaker cipher suites that were still permitted in TLS 1.2, removing entire categories of cryptographic attacks. At GRADAX, all of our hosting environments default to TLS 1.3 with a fallback to TLS 1.2 for the small percentage of clients whose visitors use older browsers that do not yet support the latest standard.
Types of SSL Certificates
Domain Validation (DV) certificates are the most basic type. The certificate authority verifies only that the applicant controls the domain name, typically through a DNS record or email challenge. DV certificates are issued within minutes, cost nothing to a few dollars per year, and provide the same level of encryption as more expensive certificate types. They are appropriate for blogs, marketing websites, portfolios, and any site where the primary goal is encrypting the connection rather than proving organizational identity.
Organization Validation (OV) certificates require the CA to verify the legal existence and identity of the organization requesting the certificate. The applicant must provide business registration documents, and the CA may contact the organization by phone to confirm the request. OV certificates typically take one to three business days to issue and cost between 50 and 200 euros per year. When a visitor clicks the padlock icon on an OV-secured site, the certificate details display the verified organization name, providing an additional layer of trust. OV certificates are recommended for business websites, e-commerce stores, and any site that handles sensitive customer information.
Extended Validation (EV) certificates involve the most rigorous verification process. The CA checks the organization's legal, physical, and operational existence through multiple independent sources. EV certificates take five to ten business days to issue and cost 200 to 1,000 euros per year. Historically, EV certificates triggered a green address bar in browsers, but most modern browsers have discontinued this visual distinction. Today, the practical benefit of EV over OV is limited for most businesses, and we generally recommend OV certificates as the best balance of trust and cost unless regulatory requirements mandate EV.
Free vs Paid SSL Certificates
Let's Encrypt revolutionized the SSL landscape by offering free DV certificates with automated issuance and renewal. There is no catch: Let's Encrypt certificates provide the same encryption strength as paid DV certificates and are trusted by all major browsers. They are valid for 90 days and are designed to be renewed automatically using the ACME protocol. For the majority of websites, a Let's Encrypt certificate is perfectly adequate and there is no security-related reason to pay for a DV certificate.
Paid certificates offer advantages in specific scenarios. Wildcard certificates that cover all subdomains of a domain (e.g., *.example.com) are available from Let's Encrypt, but multi-domain (SAN) certificates that cover multiple unrelated domains are more flexible from commercial CAs. Paid certificates also come with warranty coverage: if the CA incorrectly issues a certificate and a user suffers financial loss as a result, the warranty provides compensation. Warranties range from 10,000 to over 1 million euros depending on the certificate type and provider.
The most practical reason to choose a paid certificate is when you need OV or EV validation, which Let's Encrypt does not offer. If your business handles financial transactions, processes healthcare data, or operates in a regulated industry, an OV certificate provides organizational verification that a DV certificate cannot. Our SSL certificate management service at GRADAX handles both free and paid certificates, automatically provisioning the appropriate type based on the client's requirements and ensuring that renewals happen automatically before expiration.
SSL and SEO Ranking
Google has used HTTPS as a ranking signal since 2014, and its importance has grown steadily. While SSL alone will not catapult a site to the top of search results, the absence of SSL can hold it back. Google's own data indicates that over 95% of first-page results use HTTPS. Sites without SSL are increasingly penalized not through an explicit ranking demotion but through browser warnings that increase bounce rates, which indirectly harms search rankings.
The impact extends beyond Google's algorithm. Chrome, Firefox, Safari, and Edge all display warning messages when users submit forms on HTTP pages, and Chrome marks all HTTP sites as "Not Secure" in the address bar. These warnings erode user trust and increase bounce rates, particularly on pages that request any form of user input. For technical SEO purposes, HTTPS is a baseline requirement, not an optimization. Any SEO audit that identifies HTTP pages should treat them as critical issues requiring immediate resolution.
Migration from HTTP to HTTPS requires careful planning to preserve existing search rankings. All HTTP URLs must redirect to their HTTPS equivalents using 301 permanent redirects. Internal links, canonical tags, sitemap entries, and structured data must be updated to reference HTTPS URLs. The Google Search Console property must be reconfigured for the HTTPS version of the site. Failure to handle any of these steps can result in temporary ranking drops, duplicate content issues, or loss of accumulated link equity. We handle HTTP-to-HTTPS migrations routinely for our clients and have a documented process that preserves search performance throughout the transition.
SSL and Customer Trust
Consumer awareness of online security has increased dramatically in recent years. A 2025 survey by a major e-commerce platform found that 84% of online shoppers would abandon a purchase if they noticed the site lacked a secure connection. The padlock icon has become a visual shorthand for safety, and its absence raises immediate suspicion. For businesses that depend on online transactions, conversions, or lead generation, SSL is not a technical nicety; it is a revenue requirement.
Trust extends beyond the initial page load. SSL protects every interaction throughout the customer journey: browsing product pages, adding items to a cart, entering shipping addresses, submitting payment details, and accessing account settings. Without SSL, any of these interactions could be intercepted by an attacker on the same network, a particularly acute risk on public Wi-Fi networks in cafes, airports, and hotels. By encrypting the entire session, SSL ensures that customer data remains private regardless of the network environment.
For B2B companies, SSL is often a procurement requirement. Enterprise buyers conducting vendor assessments routinely check for HTTPS and may disqualify vendors whose websites do not meet basic website security standards. Government and healthcare organizations are subject to regulations that mandate encrypted data transmission, making SSL a legal compliance requirement rather than a discretionary investment. Even if your current customers do not explicitly require SSL, the next contract you pursue might.
Installation and Renewal
Installing an SSL certificate involves three steps: generating a Certificate Signing Request (CSR) on your server, submitting it to a certificate authority, and installing the issued certificate along with the CA's intermediate chain certificates. On most modern web servers (Nginx, Apache, Caddy), the configuration requires specifying the certificate file path, private key path, and any intermediate certificates. Misconfiguring the certificate chain is the most common installation error and results in browsers warning that the connection is not fully secure.
Automated certificate management has eliminated most of the manual burden. Certbot, the official Let's Encrypt client, handles CSR generation, domain validation, certificate installation, and renewal in a single command. For servers running behind reverse proxies or load balancers, the ACME DNS-01 challenge method allows certificate issuance without any changes to web server configuration. At GRADAX, our hosting platform manages SSL certificates entirely automatically: clients never need to generate CSRs, configure web servers, or worry about renewal deadlines.
Certificate renewal is the step most likely to be neglected on manually managed servers. DV certificates from Let's Encrypt expire every 90 days; paid certificates typically expire annually. An expired certificate triggers an immediate, full-screen browser warning that blocks most visitors from accessing the site. We have seen businesses lose thousands of euros in revenue from a single day of expired SSL. Automated renewal, configured to trigger at least 30 days before expiration, eliminates this risk entirely. If you are managing certificates manually, set calendar reminders at 60, 30, and 7 days before expiration and verify that your renewal process works before the deadline arrives.
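For manually managed servers, the 60/30/7-day reminders above can be turned into a scheduled check. This is an added example, not code from GRADAX; the function names and the status labels are hypothetical, and the sample certificate is constructed in the format returned by Python's SSLSocket.getpeercert().

```python
import socket
import ssl
from datetime import datetime, timezone

# Reminder thresholds from the text: 60, 30 and 7 days before expiry.
# The labels are hypothetical names chosen for this example.
THRESHOLDS = [(7, "critical"), (30, "renew-now"), (60, "plan-renewal")]

def days_remaining(cert, now):
    """Days until notAfter for a dict shaped like SSLSocket.getpeercert()."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expiry = datetime.fromtimestamp(not_after, tz=timezone.utc)
    return (expiry - now).total_seconds() / 86400

def renewal_status(cert, now=None):
    """Map the remaining lifetime onto the tightest threshold it has crossed."""
    now = now or datetime.now(timezone.utc)
    left = days_remaining(cert, now)
    if left <= 0:
        return "expired"
    for limit, label in THRESHOLDS:
        if left <= limit:
            return label
    return "ok"

def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the validated leaf certificate from a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample so the example runs offline; not a real certificate.
SAMPLE = {"subject": ((("commonName", "shop.example"),),),
          "notAfter": "Jun 30 12:00:00 2026 GMT"}

if __name__ == "__main__":
    for day in ("2026-04-01", "2026-05-15", "2026-06-10", "2026-06-25", "2026-07-01"):
        now = datetime.fromisoformat(day).replace(tzinfo=timezone.utc)
        print(day, renewal_status(SAMPLE, now))
```

Because fetch_cert uses the default verifying context, an already expired certificate raises ssl.SSLCertVerificationError instead of returning a dict, which a monitoring job should treat as the "expired" case.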
Common SSL Mistakes
Mixed content is the most prevalent SSL mistake. It occurs when an HTTPS page loads resources (images, scripts, stylesheets, fonts) over HTTP. Browsers block some mixed content and warn about the rest, breaking page functionality and undermining the security of the encrypted connection. Fixing mixed content requires updating every resource URL in the HTML, CSS, and JavaScript to use HTTPS or protocol-relative URLs. A content security policy (CSP) header with an upgrade-insecure-requests directive can handle edge cases automatically.
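A small scanner for the HTML side of this problem, as an added example that is not from the original article. It separates the resources browsers block (scripts, frames, stylesheets) from those they warn about (images, audio, video); the class and function names are hypothetical, the sample page is constructed, and URLs referenced from inside CSS or JavaScript (fonts, for instance) are outside what it inspects.

```python
from html.parser import HTMLParser

# Active content can run code or restyle the page, so browsers block it when
# it is requested over HTTP; passive content is what they warn about.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
PASSIVE_TAGS = {"img", "audio", "video", "source"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            rel = a.get("rel", "").lower().split()
            url = a.get("href", "")
            kind = "active" if "stylesheet" in rel else None
        elif tag in ACTIVE_TAGS:
            url, kind = a.get("src") or a.get("data", ""), "active"
        elif tag in PASSIVE_TAGS:
            url, kind = a.get("src", ""), "passive"
        else:
            return  # <a href="http://..."> is navigation, not a subresource
        # Protocol-relative URLs (//host/path) inherit https and are not flagged.
        if kind and url.strip().lower().startswith("http://"):
            self.findings.append((kind, tag, url.strip()))

def scan(html):
    """Return every HTTP subresource referenced by the given HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed page, assumed to be served over HTTPS.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
<script src="http://cdn.example/legacy.js"></script>
</head><body>
<img src="http://img.example/banner.png">
<img src="//img.example/logo.png">
<a href="http://partner.example/">Partner</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```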
Incomplete certificate chains cause trust warnings even when the primary certificate is valid. Every SSL certificate is signed by an intermediate CA certificate, which in turn is signed by a root CA certificate that browsers trust implicitly. If the intermediate certificate is missing from the server's configuration, some browsers can fill in the gap by fetching it automatically, but others cannot, resulting in inconsistent warnings across different browsers and devices. Always install the full certificate chain, and use an SSL testing tool to verify correct configuration after installation.
Failing to redirect HTTP to HTTPS is a common oversight that leaves the site accessible over both protocols. Without a redirect, some visitors arrive via HTTP links, bookmarks, or direct URL entry and never benefit from SSL encryption. Search engines may index both HTTP and HTTPS versions, creating duplicate content issues. The fix is a server-level 301 redirect from HTTP to HTTPS for all URLs, combined with an HSTS (HTTP Strict Transport Security) header that instructs browsers to always use HTTPS for future visits. HSTS preloading takes this further by registering your domain in browsers' built-in HTTPS-only list, ensuring that even the first visit uses HTTPS. Get in touch with our team if you need help auditing your SSL configuration or migrating to HTTPS.
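The redirect and HSTS checks described above can be automated once the HTTP and HTTPS responses for a URL have been collected. This is an added example, not GRADAX's audit tooling; the function names are hypothetical, header dictionaries are assumed to use lower-case names, and the one-year minimum is the max-age the browser preload list requires.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age for the preload list

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            out["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out

def is_https_equivalent(http_url, location):
    """True if location is the same host, path and query under https."""
    src, dst = urlsplit(http_url), urlsplit(location)
    return (dst.scheme == "https" and dst.hostname == src.hostname
            and (dst.path or "/") == (src.path or "/") and dst.query == src.query)

def audit(http_url, http_status, http_headers, https_headers):
    """List problems for one URL. Header dicts use lower-case names (assumption)."""
    problems = []
    if http_status != 301:
        problems.append(f"HTTP answered {http_status}, expected 301")
    elif not is_https_equivalent(http_url, http_headers.get("location", "")):
        problems.append("301 does not point at the HTTPS equivalent")
    if "strict-transport-security" in http_headers:
        problems.append("HSTS header on plain HTTP is ignored by browsers")
    hsts = parse_hsts(https_headers.get("strict-transport-security", ""))
    if not hsts["max_age"]:
        problems.append("HTTPS response has no usable HSTS max-age")
    elif hsts["preload"] and not (hsts["include_subdomains"]
                                  and hsts["max_age"] >= PRELOAD_MIN_AGE):
        problems.append("preload needs includeSubDomains and max-age >= 1 year")
    return problems

if __name__ == "__main__":
    # Constructed responses for illustration, not captured from a real site.
    print(audit("http://shop.example/cart?id=7", 302,
                {"location": "https://shop.example/"},
                {"strict-transport-security": "max-age=300; preload"}))
```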