Your website has a padlock in the browser bar. But do you know when it expires? What type of certificate it is? Whether it covers your subdomains? Most people don't look until something breaks. Here's what you need to know.
SSL (Secure Sockets Layer) — more accurately TLS (Transport Layer Security) in modern usage — does two things:
Without HTTPS, browsers mark your site as "Not Secure", Google deprioritises it in search results, and modern browsers block mixed-content loading.
DV — Domain Validated is the most common type. The Certificate Authority (CA) verifies you control the domain (via a DNS record or a file on your server) and issues the cert, typically in minutes. This is what Let's Encrypt issues. It proves that whoever requested the certificate controls the domain, but not who they are.
OV — Organisation Validated requires the CA to verify your organisation's legal existence and that you're authorised to request a cert for the domain. Takes days. Useful for business sites where trust matters, as the cert contains your organisation name.
EV — Extended Validation involves the most rigorous identity checks. Some browsers used to show a green bar with the organisation name, though this display was removed in most modern browsers. EV certs are still considered the highest-assurance option but are less commonly used than they were.
💡 For most websites, a DV certificate from Let's Encrypt is completely sufficient. OV/EV add identity assurance but the encryption strength is identical.
A wildcard certificate (e.g. *.yourdomain.com) covers all immediate subdomains — mail.yourdomain.com, www.yourdomain.com, app.yourdomain.com, etc. It does not cover the root domain yourdomain.com itself (you need to add that separately) and doesn't cover sub-subdomains like dev.app.yourdomain.com.
A multi-domain (SAN) certificate explicitly lists every domain and subdomain it covers in the Subject Alternative Names field. Use Fred's SSL checker to see the full SAN list for any certificate.
SSL grading tools (like Qualys SSL Labs, and Fred) evaluate a certificate across several dimensions:
Before Let's Encrypt launched in 2016, every SSL certificate cost money — anywhere from $10/year for a basic DV cert to hundreds for EV. Let's Encrypt changed everything by issuing free, automated DV certificates via the ACME protocol.
The trade-off: Let's Encrypt certs expire after 90 days instead of 1–2 years. This is intentional — it forces automation. If you set up auto-renewal correctly, you never think about it again. If you don't, you'll be fixing a broken padlock every three months.
If you're running Plesk, SSL certificate auto-renewal for Let's Encrypt is built in. Go to Websites & Domains → SSL/TLS Certificates → Let's Encrypt and ensure "Keep websites secured" is enabled. Plesk will renew automatically 30 days before expiry.
For a bare server with Certbot:
certbot renew --dry-run
This tests that auto-renewal will work. Certbot installs a cron job or systemd timer to run certbot renew twice daily, and only renews if the cert has less than 30 days remaining.
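An added example (not from the original article, Certbot or Plesk): a Python check that applies the wildcard rule and the 30-day renewal window described above to a certificate in the dict shape returned by the standard library's `ssl.SSLSocket.getpeercert()`. The sample certificate, the hostnames and the function names are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN DNS entry covers hostname. A wildcard stands for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # *.yourdomain.com covers neither yourdomain.com nor dev.app.yourdomain.com
    if p[0] == "*":
        # Assumption of this example: a wildcard directly under a TLD (*.com) is rejected.
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def uncovered(cert: dict, hostnames: list) -> list:
    """Hostnames you expect to serve that no SAN entry on the certificate covers."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]

def days_left(cert: dict, now: datetime) -> int:
    """Whole days until notAfter, using the date format getpeercert() returns."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def audit(cert: dict, hostnames: list, now: datetime, window_days: int = 30) -> dict:
    """Coverage gaps plus a flag for a cert still inside the renewal window (renewal did not run)."""
    remaining = days_left(cert, now)
    return {"uncovered": uncovered(cert, hostnames),
            "days_left": remaining,
            "renewal_overdue": remaining < window_days}

# Constructed sample in getpeercert() shape; not a real certificate.
SAMPLE = {
    "notAfter": "Jun 30 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "*.yourdomain.com"), ("DNS", "yourdomain.com")),
}
EXPECTED_HOSTS = ["yourdomain.com", "www.yourdomain.com", "dev.app.yourdomain.com"]

if __name__ == "__main__":
    print(audit(SAMPLE, EXPECTED_HOSTS, datetime(2025, 6, 10, 12, 0, tzinfo=timezone.utc)))
```

To run it against a live site, pass the dict from `getpeercert()` on a verified TLS connection in place of `SAMPLE` and use `datetime.now(timezone.utc)` for `now`.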
Run Fred's SSL checker on your domain and verify: