In This Guide


How to Install an SSL Certificate

With an SSL certificate, your website can leverage the HTTPS protocol to securely transfer information between point A and B. This is crucial when transferring sensitive information, like credit card data on checkout pages and Personally Identifiable Information (PII) on login and contact forms.

In addition to security benefits, websites using SSL get better rankings on Google and improved performance through the use of HTTP/2. It’s also important to understand that SSL does not protect your website. This guide is designed to show beginners and intermediate users how to deploy a free SSL certificate from Let’s Encrypt on their self-hosted websites.

Protect your Site
Step 1
Gather Requirements

It is now easier than ever to use HTTPS on your website. Beginners should start by having a conversation with their hosting company about what options they offer.

There are a few easy ways to add SSL to your website:

  1. Some hosts offer free SSL, including one-click SSL options (i.e. SiteGround, WPEngine).
  2. Many hosts offer paid SSL and will implement the certificates for you (i.e. GoDaddy).
  3. Intermediate users can generate their own free SSL certificate (i.e. Certbot / Let’s Encrypt).

Regardless of the type of certificate you choose, the encryption and level of security is the same.

http vs https infographic insecure encrypted connection

Get Help

Want to have an SSL certificate and website security? We’ve got you covered.

Help Me

1.1 – Types of SSL Certificates

Some visitors recognize the additional authenticity and trust offered Extended Validation (EV) and Organization Validated (OV) certificates due to their rigorous validation process.

There are three types of certificates to be familiar with:

  • Domain Validated (DV)

    DV certificates only need the Certificate Authority to verify that the user requesting the certificate owns and administers the domain. Visitors will see a lock icon in their address bar, but no specific information about the owner.

  • Organization Validated (OV)

    OV certificates require a Certificate Authority to confirm the business making the request is registered and legitimate. When visitors click the green lock icon in their browser, the business name is listed.

  • Extended Validation (EV)

    EV certificates require even more documentation for the Certificate Authority to validate the organization. Visitors will see the name of the business inside the address bar (in addition to clicking the lock icon).

1.2 – Commercial vs. Free SSL Certificates

It’s important you assess your preference when it comes to commercial or free certificates.

  • Commercial (paid) SSL certificates

    These are a decent option for many website owners. Paying a Certificate Authority (or your hosting company) will often give you the benefits of technical support. The encryption level is the same as with free SSL certificates. The key differentiator will come in the level of support you get with your certificate.

  • Free SSL certificates

    These are being spearheaded by the Let’s Encrypt initiative – an open collaboration between a number of global organizations focused on making SSL certificates accessible to all website owners.


Many hosts offer specific instructions on how to deploy free SSL certificates. Check with your host’s support channels and articles for more information before following this guide.

1.3 – SSL in the Cloud

You can also get the benefits of SSL certificates through cloud providers, such as Content Delivery Networks (CDNs) and Website Application Firewalls (WAFs) solutions like Sucuri, who offer it at no additional charge.

These services are a proxy between the visitor and your website. By changing your domain records to point to their servers, they can cache your content to make your website faster and filter out malicious traffic. This also means that the browser recognizes which server IPs are connected to your domain, allowing for the use of DV certificates.

These providers can also work with your own SSL certificate. If you are a Sucuri customer, you can contact our technical support team for information and assistance.


If you are implementing an SSL certificate through your host, you may want to skip ahead to Step 3: Important Final Steps.

1.4 – What You Need to Get a Free SSL Certificate

The following guide works best if you have a dedicated IP for your site (through a VPS or dedicated server). If you’re on a shared host, talk to your host about deploying Let’s Encrypt; a number of hosts have automated the process of deploying a Free SSL for shared hosting accounts. It is possible to use Server Name Indication (SNI) with one server IP address and generate certificates for all sites on the server.

The rest of this guide will assume you have full access and control of your web server.

You will need the following information about your server:

  • IP address
  • Server username (with admin or sudo privileges)
  • User password (or preferably SSH key authentication)
  • Software (i.e. Apache, nginx, IIS)
  • Operating system and version number (i.e. Debian 7, Ubuntu 16.04, etc.)

SSH Access Through cPanel

ssh access through cpanel screenshot example

You can contact your host to obtain any missing information.

Back to Top
Step 2
Generate Certificate

Now that you have all the required information, you can connect to your server and install a tool that will generate an SSL certificate.

From your computer, you need a way to log into your server and send SSH commands. If you are on a Mac, you can use Terminal (built-in application) and Windows can download PuTTY. Some hosts also offer a web interface for running commands on your server.


The instructions will vary depending on your server software and system. Some systems do not support Certbot, but you can find a list of other reputable clients that should work with your server environment.

2.1 – Overview of Steps

Here is a quick overview of how you can get a free SSL certificate from Let’s Encrypt using the Certbot tool.

Overview of steps to use Certbot:

  1. Connect to your server over SSH using the IP address, username, and password.
  2. Visit the Certbot website and choose your server operating system and software.
  3. Follow the instructions given for your server to do the next steps.
  4. Run any commands listed to Install dependencies.
  5. Run the commands listed to Install Certbot.
  6. Run the commands listed to Get Started and generate the certificate.
  7. Provide an email address when prompted.
  8. Agree to the Terms when prompted.
  9. Run the commands listed to test renewals under Automating Renewal.
  10. Set up a cron or systemd job on your server to automate the renewal process

The following images and animations illustrate the entire process for a server using Apache on Ubuntu 16.04.

Sucuri Customers

Manually removing “malicious” code from your website files can be extremely hazardous to the health of your website. Never perform any actions without a backup. If you’re unsure, please seek assistance from a professional.

2.2 – Install Certbot Client

Using the instructions provided for your server, install any dependencies and the Certbot tool. The following images are an example of what you can expect.

Get Instructions for Your Server from the Certbot Website

get instructions for your server from the cerbot website screenshot example

Connect to Your Server Over SSH (GIF)

connect to your server over ssh gif example

Install Dependencies (if required) (GIF)

install dependencies required gif example

Install Certbot (GIF)

install certbot gif example


If you are getting permission errors, check with your host to ensure your user has permissions to run administrative commands (i.e. sudo).

2.3 – Generate SSL Certificate

Continuing with the same set of instructions, the Get Started section will provide the commands needed to create the SSL certificate for your website. The following images are an example of what you can expect.

Run Certbot (GIF)

run certbot gif example

Agree to the Terms

agree to the terms image example cerbot

Make a Secure Backup

After generating the certificate, you’ll want to note the Important Notes shows the location of your Certbot configuration directory. This contains your account credentials, certificate, and private keys.

You should navigate to this location on your server and download a backup. If you aren’t sure how to do this, you can follow our post on how to make backups over the command line.

2.4 – Automate Renewal

Now you have an active SSL certificate on your site! Your certificate will expire, however. Let’s Encrypt certificates are only valid for 90 days. You can automate this process so you don’t have to remember to manually renew the certificate.

It’s recommended to set the cron or systemd job to renew the certificate twice a day. Before you begin, note the location of your Certbot configuration directory from the previous step.

Set Up SSL Certificate Renewal via Cron Job

set up ssl certificate renewal via cron job example

To schedule the cron job that renews the SSL certificate:

  1. Connect to your server.
  2. Run the command crontab -e
  3. If prompted, choose a text editor (i.e. nano)
  4. Enter the following command, taking care to replace the location with the one provided when you generated the certificate:

  5. 52 0,12 * * * root /var/log/letsencrypt/certbot-auto renew --quiet
  6. Open your website to verify it is operational


Some server configurations may need to run additional commands to load the new certs.

You can view the full documentation on Certbot renewals for more information.

These charitable organizations are working to help make the internet a safer place for everyone. While these tools are free, you can donate to help support both Let’s Encrypt and Certbot.

Step 3
Final Steps

While HTTPS is now an option on your site, the HTTP version of your site can still be accessed. Ideally, you should force all visitors (including search engines) to see the HTTPS version of your site. You should also take steps to fix mixed content warnings and update any proxy-based cloud services (such as firewalls and CDNs) to work with your new SSL certificate.

3.1 – Force HTTPS

To force visitors to access your site only over HTTPS, you can edit your .htaccess file. You can find this in the root of your site, and you may need to show hidden files to find it.

There are other methods for Apache, such as using your virtual host file. If you use an IIS server you can follow instructions to use the URL Rewrite Module and nginx servers can use the nginx configuration file.

Copy this directive into the .htaccess file to redirect HTTP visitors to the HTTPS version of your site:

Code Snippet – Add into .htaccess file

  1. RewriteEngine On
  2. RewriteCond %{HTTPS} off
  3. RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]


Editing the .htaccess file can cause issues with more sites with complex structures. The rewrite below works best for websites on a dedicated server or VPS running Apache.

3.2 – Check for Mixed Content Warnings

While your site is now available on HTTPS, you might still have resources linked to your website that load over HTTP. This includes things like images, videos, and external resources.

Browsers will block this content as “unsafe”, which can also cause broken functionality of your site and security warnings in browsers.

Examples of “Unsafe” Warnings:

unsafe warnings during ssl installation load scripts
unsafe warnings during ssl installation connection not secure
unsave warnings during ssl installation connection not private

You can use the same SSH access that you used to generate the certificate to run a command and find any files that reference http:// directly.

To find resources loading over HTTP, run the following command:

        grep -r "http://"

This will list all files to investigate in your server or CMS. Simply change all resource URLs from http:// to https:// or to a relative path.

You should also query your database or manually look through posts and pages for HTTP content. There are plugins and extensions available that can automate the process of rewriting URLS using HTTP to HTTPS (i.e. Really Simple SSL for WordPress).

If the HTTP resource is stored on your own website, we recommend using the relative directory and filename as follows.

Absolute Path:

<img src="">

Relative Path:

<img src="/images/pic.jpg">

Resources That Can Cause Mixed Content Warnings:

  • Web fonts
  • Iframe content
  • JavaScript includes
  • CSS stylesheets
  • Image embeds
  • Video embeds
  • Audio embeds


  • If your website loads external resources, changing links to HTTPS could break the functionality. To avoid this, make sure the resource is available over HTTPS before changing the URL in your code. You can access the URL with HTTPS in a browser to verify.
  • If you run into issues, you can attempt to download the external content and host it on your own server to ensure it loads over HTTPS. Always test in a development environment for scripts and other content that could perform differently.

3.3 – Search Engine Optimization

The last thing to prepare for is the potential negative impacts of using HTTPS.Following the steps below should help to minimize them.

Once configured, add and verify the new HTTPS site in Google Search Console. This will allow you to recrawl your site and submit a new XML sitemap with your HTTPS URLs.

For many SEO elements like “rel=canonical” and Open Graph tags, it is advisable to use an absolute URL, as these are read externally by social media sites and search engine crawlers.

It’s important to note that there will be a period of normalization after applying SSL, but in the end, it is a confirmed ranking signal according to Google.

Similarly, social sharing counters for older content will likely become invalid. This is because now there is a new URL starting with HTTPS rather than HTTP, and many tools count each as a separate URL with its own engagement metrics.

SEO & Meta Elements To Check

  • rel=canonical
  • rel=alternate
  • rel=next & rel=prev
  • hreflang
  • Open Graph tags
  • Structured Data
  • Sitemaps
  • Internal Linking

3.4 – Website Security Caveat

HTTPS is a great thing for the internet as a whole, it helps keep communication secret between users and the websites they visit. SSL secures data in transit but does not secure the website itself.

Website security is more comprehensive than HTTPS/SSL alone and should be treated as such. Think of HTTPS/SSL as one of many security controls to consider when thinking about your website’s security. Deploying HTTPS/SSL on your website does little to ensuring your visitors are safe if you do not take other actions to ensure a secure environment.

We encourage website owners to think about website security holistically and consider leveraging a Website Security Platform that offers a complete suite of security controls: protection, detection, monitoring, and incident response. If you have more questions on how platforms work or questions about this article please direct them to our team at