SSL Certificates That Never Expire – and Always Stay Correctly Configured
An expired certificate locks out customers, costs rankings and triggers browser warnings. We handle setup, automatic renewal, monitoring and mixed content remediation of your HTTPS environment – as a fixed part of SLA maintenance from €199 per month.
from €199
SLA with SSL management per month
30 days
early warning before certificate expiry
50+
certificates managed across projects (project experience)
0
expired certificates on managed systems (project experience)
HTTPS is a non-negotiable requirement today – for customer trust, search engine rankings and GDPR compliance. A missing or expired SSL certificate shows visitors a browser warning page and breaks the purchase flow. Modern browsers mark sites without HTTPS as 'not secure', which measurably increases bounce rates. Our SSL management goes far beyond simply issuing a certificate: we configure TLS correctly, check for mixed content errors, monitor expiry dates and operate your entire HTTPS environment to current security standards. This makes our SSL service a natural complement to security updates and uptime monitoring as part of a comprehensive protection package – within the SLA maintenance contract from €199 per month, SSL management is a fixed component.
What an SSL Certificate Does – and What It Does Not
An SSL/TLS certificate serves two core functions: it encrypts the data transfer between browser and server so that no third party can intercept sensitive information such as passwords, payment data or addresses. And it authenticates the server to the browser: visitors receive assurance that they are communicating with your website and not a counterfeit copy. The padlock symbol in the browser and the HTTPS prefix are the visible signs of this encryption.
What an SSL certificate alone does not provide: it does not protect against vulnerabilities in the web application itself, compromised user accounts or malware on the server. The padlock is also no proof of authenticity – 85 percent (APWG, 2023) of phishing sites now use HTTPS themselves. It is a necessary but not sufficient security measure. That is why we always recommend SSL in combination with regular security updates, active monitoring and, where needed, a backup service – as part of a layered defense.
Certificate Types and Their Use Cases
Let’s Encrypt (DV)
Domain-validated certificates, free and automatically renewable. Ideal for most online shops. We set up Let’s Encrypt with automatic 90-day renewal and actively monitor the process.
Organisation Validated (OV)
OV certificates confirm both the domain and the legal existence of the organisation. Recommended for shops with high order volumes or a B2B environment where the trust of business partners is especially important.
Extended Validation (EV)
Highest validation level with extended business identification. In certain industries and for specific target groups, a trust signal that goes beyond the standard padlock.
Wildcard Certificate
One certificate for all subdomains of a domain (*.example.com). Practical when shop, blog, API and other services run on different subdomains. Simplifies management considerably.
Multi-Domain Certificate (SAN)
Covers multiple domains and subdomains with a single certificate. Suitable for shops with multilingual domains, regional branches or multiple brands under a single administration.
Code-Signing Certificate
Not for HTTPS but for digitally signing software and downloads. Relevant for shops that offer their own apps or installation files and need to prove their authenticity to operating systems.
Our SSL Setup and Renewal Process
Setting up an SSL certificate sounds straightforward, but in practice there are numerous pitfalls: incomplete certificate chains, forgotten subdomains, HTTP redirects that do not work, or mixed content errors that remain after the HTTPS migration. Our process ensures that everything works smoothly after setup.
Inventory and Certificate Audit
We inventory all domains, subdomains and services of the shop. We check which certificates already exist, when they expire and whether the current TLS configuration meets current security recommendations. The result is a complete picture of all certificates under your management.
Automatic Renewal Before a Certificate Expires
The 90-day validity of Let’s Encrypt is not a risk but routine: we fully automate renewal and verify the certificate chain after every run. For paid certificates with annual validity we escalate to the responsible contact in good time. If an automation ever fails to complete, monitoring raises an alert 30, 14 and 7 days before expiry – long before the browser shows a warning page.
- Fully automatic renewal with chain and OCSP verification after every run
- Expiry alert 30, 14 and 7 days ahead for every certificate
- Documented renewal log with timestamp and verification result
Warning: Expired certificate = immediate shop outage
TLS Configuration: More Than Just a Certificate
The certificate is only one component of a secure HTTPS configuration. Equally important is which TLS versions and cipher suites the server accepts. Outdated protocols such as TLS 1.0 and TLS 1.1 are considered insecure and should be disabled. Certain cipher suites provide no forward secrecy, enabling previously recorded encrypted traffic to be decrypted retroactively. Our TLS hardening follows the current recommendations of the German Federal Office for Information Security (BSI) and the OWASP TLS Cheat Sheet guidelines.
TLS Version Management
Enabling TLS 1.2 and TLS 1.3, disabling outdated protocols (TLS 1.0, TLS 1.1, SSL 3.0). Regular review of new TLS version requirements from browser vendors.
Cipher Suite Configuration
Prioritising modern, secure cipher suites with Perfect Forward Secrecy (ECDHE-based). Disabling weak algorithms such as RC4, 3DES and export cipher suites.
HSTS Header
Configuring Strict-Transport-Security with a long max-age and includeSubDomains. Optionally: submission to the browser HSTS preload list for maximum enforcement of HTTPS usage.
OCSP Stapling
Setting up OCSP Stapling reduces the overhead of certificate validation and improves loading times. The server delivers the revocation status directly, without the browser needing to contact the CA.
Security Headers
Configuring supplementary HTTP security headers: Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options and Referrer-Policy. These headers protect against a range of client-side attacks.
TLS Performance Optimisation
Session resumption, TLS session tickets and HTTP/2 activation significantly improve connection setup times. A well-configured TLS environment is fast, not slow.
Mixed Content: The Most Common Error After an HTTPS Migration
Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) via HTTP. Browsers treat this differently: active mixed content (JavaScript, CSS, iframes) is blocked in modern browsers and causes functional issues in the shop. Passive mixed content (images, audio, video) may still be displayed, but the browser flags the page as 'not fully secure'. In both cases, user trust suffers – and so does purchasing behaviour.
Systematic Root Cause Analysis
Mixed content errors originate in various places: hardcoded resource URLs in templates, database entries with HTTP references, plugin-generated URLs or embedded third-party services. We analyse all sources systematically and prioritise remediation by impact.
- Template and theme analysis for hardcoded HTTP URLs
- Database search for HTTP references in content
- Review of plugin-specific URL generation
- Testing external embeds (maps, videos, widgets) for HTTPS compatibility
- Browser console and header analysis on the live system
| Source | Status |
|---|---|
| Templates and theme | clean |
| Database content | remediated |
| Plugin-generated URLs | clean |
| External embeds | HTTPS |
SSL Certificate Monitoring: Continuous Oversight
An SSL certificate is not a set-and-forget element but a time-limited object that requires regular attention. Let’s Encrypt certificates expire after 90 days and must be renewed in good time. Commercially issued certificates typically have a one-year validity. Both types require proactive monitoring to ensure renewal is never missed – regardless of whether automation is working correctly or a manual step is needed.
- Expiry monitoring: Alerts 30 days, 14 days and 7 days before each certificate expires
- Certificate chain check: Regular verification of a complete and correct certificate chain
- Revocation status check: Monitoring CRL and OCSP status – revoked certificates are not accepted by browsers
- TLS version scan: Quarterly review for outdated or newly classified insecure protocols
- Cipher suite audit: Detection of weak cipher suites following new BSI recommendations
- Renewal log: Documentation of every renewal with timestamp and verification result
SSL management within the maintenance contract
- Basis €199 per month – first response within 8 hours
- Business €349 per month – first response within 4 hours
- Enterprise €699 per month – first response in 45 minutes
- SSL management, updates, monitoring and backups in every package
SSL monitoring, automatic renewal and mixed content checks are included in every SLA tier – with no separate commissioning. Minimum term 6 months.
Platform-Specific Considerations
Each platform has its own requirements for SSL/TLS configuration. Shopware maintenance and WordPress maintenance differ in their specific HTTPS environment requirements. With Shopware, the storefront configuration, proxy settings and CDN integration are particularly important. With WordPress, it is often older embedded images, plugin-generated HTTP links and the site URL configuration that cause mixed content issues.
Shopware
Secure configuration of sales channel URLs, proxy headers for load-balancer setups, CDN integration with SSL passthrough and correct storefront HTTPS enforcement.
WordPress
Updating WordPress and site URL to HTTPS, configuring SSL enforcement in wp-config.php, mixed content remediation in the database and plugin compatibility checks.
TYPO3 and Other CMS
HTTPS configuration in the site configuration, remediation of hardcoded resource URLs in templates and extensions, and review of caching layers for correct HTTPS handling.
Manage SSL Yourself or Have It Maintained
| Aspect | In-house | In the managed service |
|---|---|---|
| Renewal | Manual, easily forgotten | Automated with chain verification |
| Expiry warning | Often only the browser block page | Alerts 30, 14 and 7 days ahead |
| TLS configuration | Host default, rarely hardened | Hardened to BSI and OWASP guidance |
| Mixed content | Noticed only via customer complaints | Systematic scan after every change |
| Outage risk | Shop lockout on an expired certificate | Early warning removes the risk |
| Cost | Unclear, effort in an emergency | Predictable from €199 per month in the SLA |
SSL and SEO: What Search Engines Actually Evaluate
Search engines have valued an encrypted connection as a positive signal for years, and modern browsers mark all HTTP pages as 'not secure' – which increases bounce rates and indirectly affects rankings. For online shops, the additional risk is that safe-browsing warnings on insecure or compromised sites can not only damage rankings but block the shop entirely for visitors. A correctly configured HTTPS environment is therefore not an optional SEO factor but a fundamental prerequisite for stable visibility.
Also important is the canonical HTTPS redirect: when HTTP and HTTPS are both accessible, duplicate content is created, diluting rankings. We ensure that HTTP URLs are consistently redirected to HTTPS and that canonical tags, sitemap entries and internal links all point to the HTTPS version. This consistency is especially important after a fresh HTTP-to-HTTPS migration, when search engines may still have older HTTP versions indexed.
SSL as part of the SLA maintenance contract
GDPR and SSL: Data Protection Requirements
The GDPR requires in Article 32 technical measures to protect personal data during transmission. An encrypted HTTPS connection is the minimum requirement for all shops that process personal data – which in practice means every shop that accepts orders. The absence of HTTPS can be assessed as a violation during a data protection audit and lead to fines. In addition, many payment service providers require HTTPS as a technical prerequisite for using their payment interfaces.
We document the SSL configuration and renewal processes so that this documentation can serve as evidence of technical protective measures during data protection audits. We also recommend regular review of the privacy policy for compliance with current requirements – a topic covered by our GDPR update service.
Key Takeaways
- SSL management is included in the SLA maintenance contract from €199 per month – monitoring, automatic renewal and mixed content checks with no separate commissioning
- Expiry alerts 30, 14 and 7 days before each certificate – the most common cause of shop lockouts is consistently ruled out
- TLS hardening to BSI and OWASP guidance: current protocols, forward secrecy, HSTS and OCSP stapling
- For most shops, Let’s Encrypt is the right choice – free, automatically renewable, accepted by all browsers
- Systematic mixed content remediation across templates, database and embeds after every HTTPS migration