Zum Inhalt springen
Proactive security updates

SSL Certificates That Never Expire – and Always Stay Correctly Configured

An expired certificate locks out customers, costs rankings and triggers browser warnings. We handle setup, automatic renewal, monitoring and mixed content remediation of your HTTPS environment – as a fixed part of SLA maintenance from €199 per month.

SSL in the SLA from €199 per month Automatic Renewal Mixed Content Check

from €199

SLA with SSL management per month

30 days

early warning before certificate expiry

50+

certificates managed across projects (project experience)

0

expired certificates on managed systems (project experience)

HTTPS is a non-negotiable requirement today – for customer trust, search engine rankings and GDPR compliance. A missing or expired SSL certificate shows visitors a browser warning page and breaks the purchase flow. Modern browsers mark sites without HTTPS as 'not secure', which measurably increases bounce rates. Our SSL management goes far beyond simply issuing a certificate: we configure TLS correctly, check for mixed content errors, monitor expiry dates and operate your entire HTTPS environment to current security standards. This makes our SSL service a natural complement to security updates and uptime monitoring as part of a comprehensive protection package – within the SLA maintenance contract from €199 per month, SSL management is a fixed component.

SSL expiry monitoring
No certificate expires unnoticed
Every certificate is checked against fixed warning windows — renewal starts automatically 30 days ahead.
88
days remaining after auto-renewal
Domains monitored4
TLS gradeA+ · 3 of 4
Mixed content findings0 · 242 pages
SSL expiry scale · warning windows 90 / 30 / 7 days
88 d · active
cdn · 16 d
90 days30 days7 days0 days
cdn.shop.com reaches the 30-day warning windowRenewal scheduled Thu 03:00
SSL in the SLAfrom €199 per month
cdn.shop.comrenewal scheduled in 16 days
SSL control center of our managed service: certificate expiry, TLS grade and mixed content scan across all domains at a glance. Example view – values are illustrative.

What an SSL Certificate Does – and What It Does Not

An SSL/TLS certificate serves two core functions: it encrypts the data transfer between browser and server so that no third party can intercept sensitive information such as passwords, payment data or addresses. And it authenticates the server to the browser: visitors receive assurance that they are communicating with your website and not a counterfeit copy. The padlock symbol in the browser and the HTTPS prefix are the visible signs of this encryption.

What an SSL certificate alone does not provide: it does not protect against vulnerabilities in the web application itself, compromised user accounts or malware on the server. The padlock is also no proof of authenticity – 85 percent (APWG, 2023) of phishing sites now use HTTPS themselves. It is a necessary but not sufficient security measure. That is why we always recommend SSL in combination with regular security updates, active monitoring and, where needed, a backup service – as part of a layered defense.

Certificate Types and Their Use Cases

Let’s Encrypt (DV)

Domain-validated certificates, free and automatically renewable. Ideal for most online shops. We set up Let’s Encrypt with automatic 90-day renewal and actively monitor the process.

Organisation Validated (OV)

OV certificates confirm both the domain and the legal existence of the organisation. Recommended for shops with high order volumes or a B2B environment where the trust of business partners is especially important.

Extended Validation (EV)

Highest validation level with extended business identification. In certain industries and for specific target groups, a trust signal that goes beyond the standard padlock.

Wildcard Certificate

One certificate for all subdomains of a domain (*.example.com). Practical when shop, blog, API and other services run on different subdomains. Simplifies management considerably.

Multi-Domain Certificate (SAN)

Covers multiple domains and subdomains with a single certificate. Suitable for shops with multilingual domains, regional branches or multiple brands under a single administration.

Code-Signing Certificate

Not for HTTPS but for digitally signing software and downloads. Relevant for shops that offer their own apps or installation files and need to prove their authenticity to operating systems.

Our SSL Setup and Renewal Process

Setting up an SSL certificate sounds straightforward, but in practice there are numerous pitfalls: incomplete certificate chains, forgotten subdomains, HTTP redirects that do not work, or mixed content errors that remain after the HTTPS migration. Our process ensures that everything works smoothly after setup.

Automatic Renewal Before a Certificate Expires

The 90-day validity of Let’s Encrypt is not a risk but routine: we fully automate renewal and verify the certificate chain after every run. For paid certificates with annual validity we escalate to the responsible contact in good time. If an automation ever fails to complete, monitoring raises an alert 30, 14 and 7 days before expiry – long before the browser shows a warning page.

  • Fully automatic renewal with chain and OCSP verification after every run
  • Expiry alert 30, 14 and 7 days ahead for every certificate
  • Documented renewal log with timestamp and verification result
Automatic renewalAuto-renewal active
03:00
www.shop.com renewed
certificate chain verified
03:01
api.shop.com renewed
OCSP stapling active
03:02
mail.shop.com renewed
HSTS unchanged
09:15
cdn.shop.com: expiry in 16 days
renewal task created
Renewal starts 30 days before expirywith no action from you

Warning: Expired certificate = immediate shop outage

An expired SSL certificate causes all common browsers to display a full warning page that actively discourages visitors from proceeding. It is not a minor notice – it is a complete access barrier. Most users leave immediately. Without monitoring, this situation can go unnoticed for hours or days.

TLS Configuration: More Than Just a Certificate

The certificate is only one component of a secure HTTPS configuration. Equally important is which TLS versions and cipher suites the server accepts. Outdated protocols such as TLS 1.0 and TLS 1.1 are considered insecure and should be disabled. Certain cipher suites provide no forward secrecy, enabling previously recorded encrypted traffic to be decrypted retroactively. Our TLS hardening follows the current recommendations of the German Federal Office for Information Security (BSI) and the OWASP TLS Cheat Sheet guidelines.

TLS Version Management

Enabling TLS 1.2 and TLS 1.3, disabling outdated protocols (TLS 1.0, TLS 1.1, SSL 3.0). Regular review of new TLS version requirements from browser vendors.

Cipher Suite Configuration

Prioritising modern, secure cipher suites with Perfect Forward Secrecy (ECDHE-based). Disabling weak algorithms such as RC4, 3DES and export cipher suites.

HSTS Header

Configuring Strict-Transport-Security with a long max-age and includeSubDomains. Optionally: submission to the browser HSTS preload list for maximum enforcement of HTTPS usage.

OCSP Stapling

Setting up OCSP Stapling reduces the overhead of certificate validation and improves loading times. The server delivers the revocation status directly, without the browser needing to contact the CA.

Security Headers

Configuring supplementary HTTP security headers: Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options and Referrer-Policy. These headers protect against a range of client-side attacks.

TLS Performance Optimisation

Session resumption, TLS session tickets and HTTP/2 activation significantly improve connection setup times. A well-configured TLS environment is fast, not slow.

Mixed Content: The Most Common Error After an HTTPS Migration

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) via HTTP. Browsers treat this differently: active mixed content (JavaScript, CSS, iframes) is blocked in modern browsers and causes functional issues in the shop. Passive mixed content (images, audio, video) may still be displayed, but the browser flags the page as 'not fully secure'. In both cases, user trust suffers – and so does purchasing behaviour.

Systematic Root Cause Analysis

Mixed content errors originate in various places: hardcoded resource URLs in templates, database entries with HTTP references, plugin-generated URLs or embedded third-party services. We analyse all sources systematically and prioritise remediation by impact.

  • Template and theme analysis for hardcoded HTTP URLs
  • Database search for HTTP references in content
  • Review of plugin-specific URL generation
  • Testing external embeds (maps, videos, widgets) for HTTPS compatibility
  • Browser console and header analysis on the live system
Pages checked242full crawl
Active mixed content03 resolved
Sources and status
SourceFindingsStatus
Templates and theme0clean
Database content3 → 0remediated
Plugin-generated URLs0clean
External embeds0HTTPS

SSL Certificate Monitoring: Continuous Oversight

An SSL certificate is not a set-and-forget element but a time-limited object that requires regular attention. Let’s Encrypt certificates expire after 90 days and must be renewed in good time. Commercially issued certificates typically have a one-year validity. Both types require proactive monitoring to ensure renewal is never missed – regardless of whether automation is working correctly or a manual step is needed.

  • Expiry monitoring: Alerts 30 days, 14 days and 7 days before each certificate expires
  • Certificate chain check: Regular verification of a complete and correct certificate chain
  • Revocation status check: Monitoring CRL and OCSP status – revoked certificates are not accepted by browsers
  • TLS version scan: Quarterly review for outdated or newly classified insecure protocols
  • Cipher suite audit: Detection of weak cipher suites following new BSI recommendations
  • Renewal log: Documentation of every renewal with timestamp and verification result

SSL management within the maintenance contract

from €199 per month net
  • Basis €199 per month – first response within 8 hours
  • Business €349 per month – first response within 4 hours
  • Enterprise €699 per month – first response in 45 minutes
  • SSL management, updates, monitoring and backups in every package

SSL monitoring, automatic renewal and mixed content checks are included in every SLA tier – with no separate commissioning. Minimum term 6 months.

Platform-Specific Considerations

Each platform has its own requirements for SSL/TLS configuration. Shopware maintenance and WordPress maintenance differ in their specific HTTPS environment requirements. With Shopware, the storefront configuration, proxy settings and CDN integration are particularly important. With WordPress, it is often older embedded images, plugin-generated HTTP links and the site URL configuration that cause mixed content issues.

Shopware

Secure configuration of sales channel URLs, proxy headers for load-balancer setups, CDN integration with SSL passthrough and correct storefront HTTPS enforcement.

WordPress

Updating WordPress and site URL to HTTPS, configuring SSL enforcement in wp-config.php, mixed content remediation in the database and plugin compatibility checks.

TYPO3 and Other CMS

HTTPS configuration in the site configuration, remediation of hardcoded resource URLs in templates and extensions, and review of caching layers for correct HTTPS handling.

Manage SSL Yourself or Have It Maintained

AspectIn-houseIn the managed service
RenewalManual, easily forgottenAutomated with chain verification
Expiry warningOften only the browser block pageAlerts 30, 14 and 7 days ahead
TLS configurationHost default, rarely hardenedHardened to BSI and OWASP guidance
Mixed contentNoticed only via customer complaintsSystematic scan after every change
Outage riskShop lockout on an expired certificateEarly warning removes the risk
CostUnclear, effort in an emergencyPredictable from €199 per month in the SLA

SSL and SEO: What Search Engines Actually Evaluate

Search engines have valued an encrypted connection as a positive signal for years, and modern browsers mark all HTTP pages as 'not secure' – which increases bounce rates and indirectly affects rankings. For online shops, the additional risk is that safe-browsing warnings on insecure or compromised sites can not only damage rankings but block the shop entirely for visitors. A correctly configured HTTPS environment is therefore not an optional SEO factor but a fundamental prerequisite for stable visibility.

Also important is the canonical HTTPS redirect: when HTTP and HTTPS are both accessible, duplicate content is created, diluting rankings. We ensure that HTTP URLs are consistently redirected to HTTPS and that canonical tags, sitemap entries and internal links all point to the HTTPS version. This consistency is especially important after a fresh HTTP-to-HTTPS migration, when search engines may still have older HTTP versions indexed.

SSL as part of the SLA maintenance contract

Our SLA maintenance contract includes continuous SSL monitoring and renewal as a fixed component. No separate commissioning, no surprises at the expiry date.

GDPR and SSL: Data Protection Requirements

The GDPR requires in Article 32 technical measures to protect personal data during transmission. An encrypted HTTPS connection is the minimum requirement for all shops that process personal data – which in practice means every shop that accepts orders. The absence of HTTPS can be assessed as a violation during a data protection audit and lead to fines. In addition, many payment service providers require HTTPS as a technical prerequisite for using their payment interfaces.

We document the SSL configuration and renewal processes so that this documentation can serve as evidence of technical protective measures during data protection audits. We also recommend regular review of the privacy policy for compliance with current requirements – a topic covered by our GDPR update service.

Key Takeaways

  • SSL management is included in the SLA maintenance contract from €199 per month – monitoring, automatic renewal and mixed content checks with no separate commissioning
  • Expiry alerts 30, 14 and 7 days before each certificate – the most common cause of shop lockouts is consistently ruled out
  • TLS hardening to BSI and OWASP guidance: current protocols, forward secrecy, HSTS and OCSP stapling
  • For most shops, Let’s Encrypt is the right choice – free, automatically renewable, accepted by all browsers
  • Systematic mixed content remediation across templates, database and embeds after every HTTPS migration

Frequently Asked Questions About SSL Certificates

By submitting you consent to the processing of your details to handle this request. Details in our privacy policy.