Getting Started with SSL Certificates
Table of Contents
- How SSL certificates work
- DNSimple certificate products
- Choose your certificate
- Before you order
- Order the certificate
- Validate the certificate
- Install the certificate
- Manage your certificates
- Troubleshooting
- FAQ and reference
- Have more questions?
An SSL certificate enables HTTPS on your site, encrypting the connection between a browser and your server to protect sensitive data like passwords and payment details. DNSimple provides domain-validated certificates from two certificate authorities — Sectigo and Let’s Encrypt — that you can order, validate, and install from your account dashboard. This page covers the full process and links to detailed guides at every step.
How SSL certificates work
When someone visits your site over HTTPS, the browser verifies the SSL certificate, negotiates an encrypted connection, and displays the padlock icon. The protocol used is technically TLS (Transport Layer Security), though the industry still refers to it as SSL. For a closer look at the encryption process, see How HTTPS Works.
Every certificate goes through a lifecycle: you order it, a certificate authority (CA) validates your domain ownership, the CA issues the certificate, you install it on your server, and eventually it expires and needs replacement. The SSL Certificate Lifecycle article explains each stage in detail.
Key concepts you may encounter along the way:
- Certificate Authority (CA) — the trusted organization that issues your certificate
- Certificate chain — the chain of trust from your certificate through intermediate certificates to the root certificate
- CSR (Certificate Signing Request) — the encoded request sent to the CA when you apply for a certificate
- Private key — the secret key that pairs with your certificate to enable encryption
- SAN (Subject Alternative Name) — an extension that allows one certificate to cover multiple hostnames
For a comprehensive list of SSL terminology, see the SSL Certificate Glossary.
DNSimple certificate products
DNSimple offers four certificate products, all domain-validated. No organization validation or extended validation is required.
| Product | CA | Covers | Cost | Validity |
|---|---|---|---|---|
| Sectigo Single-Name | Sectigo | One hostname (+ root for www) | $20/year | 200 days |
| Sectigo Wildcard | Sectigo | All single-level subdomains + root | $100/year | 200 days |
| Let’s Encrypt SAN | Let’s Encrypt | Multiple specified hostnames | Free | 90 days |
| Let’s Encrypt Wildcard | Let’s Encrypt | All single-level subdomains | Free | 90 days |
For a detailed feature comparison including validation methods, CSR support, and plan requirements, see Sectigo vs Let’s Encrypt SSL Certificates. For full technical specifications of each product, see SSL Certificate Product Specifications.
Both CAs are globally recognized. For details on each authority, including root certificates and trust store information, see SSL Certificate Authorities Used by DNSimple.
Note
Starting March 15, 2026, Sectigo certificates are valid for a maximum of 200 days due to CA/Browser Forum requirements. See SSL Certificate Validity Changes (2026-2029) for the full timeline.
Choose your certificate
Choose the certificate type
Your choice depends on what you need to secure and how you want to manage the certificate:
- One hostname (e.g., www.example.com) — Sectigo Single-Name or Let’s Encrypt SAN
- All subdomains (e.g., *.example.com) — Sectigo Wildcard or Let’s Encrypt Wildcard
- Multiple specific hostnames on the same domain — Let’s Encrypt SAN (on supported plans)
If your domain resolves with DNSimple, both Sectigo and Let’s Encrypt certificates are available. If your domain resolves elsewhere, only Sectigo certificates can be ordered. You do not need to transfer or host your domain with DNSimple to purchase a Sectigo certificate.
For help deciding between the two CAs, see Sectigo vs Let’s Encrypt — Which is right for me?. For a broader look at certificate categories (single-name, wildcard, multi-domain, and validation levels), see SSL Certificate Types.
Choose the certificate names
The names on your certificate determine which hostnames it secures. Before ordering, decide which hostnames you need covered — including whether you need the root domain, a specific subdomain, or both. Read Choosing the SSL Certificate Names for guidance on how root domains and www subdomains work with different certificate types.
Before you order
Before starting the order process:
- Verify server access. Confirm you have access to your web server configuration or hosting panel to install a custom certificate.
- Check CSR requirements. Most users do not need a custom CSR — DNSimple generates one automatically. If your web server requires a specific CSR, generate it before starting the order. See What is the CSR? for details.
- Understand private key handling. When DNSimple generates the CSR, it also generates and stores the private key. Our private key policy explains how keys are created and stored. If you provide a custom CSR, you are responsible for storing the private key securely.
Warning
If you provide a custom CSR, store the private key safely. Without it, the certificate cannot be used. Custom CSRs are not supported for Let’s Encrypt certificates.
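The custom-CSR path described above, as an added example (not DNSimple's own tooling): it creates a private key with owner-only permissions, builds a CSR from it, and checks whether a CSR or certificate carries that key's public half, which is the check that tells you a stored key is the one the certificate needs. The 2048-bit RSA key size, the file and function names, and the self-signed stand-in for the issued certificate are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: custom-CSR workflow with OpenSSL 1.1.1+ (needed for -addext).
set -euo pipefail

# new_key_and_csr <prefix> <hostname>: write <prefix>.key and <prefix>.csr.
new_key_and_csr() {
  local prefix=$1 host=$2
  # umask 077 in a subshell: the key file is owner-only from the moment it exists.
  ( umask 077; openssl genrsa -out "$prefix.key" 2048 2>/dev/null )  # assumed key size
  openssl req -new -key "$prefix.key" -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host" -out "$prefix.csr"
}

# pubkey_fp <key|csr|crt> <file>: SHA-256 of the public key the file carries.
pubkey_fp() {
  local pem=
  case $1 in
    key) pem=$(openssl pkey -in "$2" -pubout) ;;
    csr) pem=$(openssl req  -in "$2" -noout -pubkey) ;;
    crt) pem=$(openssl x509 -in "$2" -noout -pubkey) ;;
  esac
  [ -n "$pem" ] || return 1   # an unreadable file must never hash to a "match"
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# key_matches <keyfile> <csr|crt> <file>: succeed only if <file> was built from <keyfile>.
key_matches() {
  local a b
  a=$(pubkey_fp key "$1") && b=$(pubkey_fp "$2" "$3") && [ "$a" = "$b" ]
}

demo() {
  local d; d=$(mktemp -d)
  new_key_and_csr "$d/www" www.example.com
  # Constructed stand-in for the CA-issued certificate: self-sign the CSR for one day.
  openssl x509 -req -in "$d/www.csr" -signkey "$d/www.key" -days 1 \
    -out "$d/www.crt" 2>/dev/null
  if key_matches "$d/www.key" crt "$d/www.crt"; then echo "stored key matches certificate"; fi
  # A different key (constructed) must be rejected: the certificate is unusable with it.
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null
  if ! key_matches "$d/other.key" crt "$d/www.crt"; then echo "other key does not match"; fi
  rm -rf "$d"
}
demo
```

Run `key_matches` against the CSR before submitting it and against the issued certificate before installing it; a mismatch at either point means the wrong key file was kept.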
Order the certificate
The ordering process varies by certificate type:
- Ordering a Sectigo Single-Name certificate
- Ordering a Sectigo Wildcard certificate
- Ordering a Let’s Encrypt certificate
If you have an expiring certificate that was previously purchased through DNSimple, you can renew it instead of placing a new order. DNSimple will carry over your previous settings.
Validate the certificate
After placing an order, the certificate authority must verify you control the domain before issuing the certificate.
Let’s Encrypt validation
Let’s Encrypt validates automatically using DNS-based challenges, provided your domain resolves with DNSimple. No manual action is required. If the certificate is not issued within 20 minutes of ordering, contact support to investigate. For common causes of Let’s Encrypt failures, see Troubleshooting Let’s Encrypt Certificate Failures.
Sectigo validation
Sectigo uses email-based domain validation. During the order process, you select an approval email address. Sectigo sends a verification email to that address, and you click the link to approve the certificate.
The approval email must be sent to a working mailbox at the domain. Check your spam or junk folder if the email does not arrive. For details on choosing or changing the validation email, see Selecting a different validation email. If the email does not arrive at all, see Troubleshooting Email Validation for SSL Certificates.
Note
It may take some time to issue a certificate after validation is complete. If it takes longer than expected, see Troubleshooting SSL Certificate Issuance Delays or contact support.
Install the certificate
Once the certificate is issued, download it from the certificate page in your DNSimple account. You will find the certificate file, the private key (if DNSimple generated the CSR), and the intermediate certificate chain.

Follow the general installation instructions, or use one of our platform-specific guides:
If the browser reports certificate errors after installation, see Troubleshooting SSL Certificate Errors. For issues with missing or incorrectly ordered intermediate certificates, see Troubleshooting SSL Certificate Chain Errors.
Manage your certificates
Renewals
SSL certificates expire. When a certificate nears expiration, DNSimple sends expiration notifications to alert you. You will need to order a replacement and install it on your server.
- How does SSL certificate renewal work? — why “renewal” is technically a new certificate
- Renewing an SSL certificate — general renewal steps
- Renewing a Sectigo certificate
- Renewing a Let’s Encrypt certificate
Tip
For Let’s Encrypt certificates, enable auto-renewal so your certificate is automatically renewed before it expires. You’ll still need to install the renewed certificate on your server.
Reissuing a certificate
If you need to replace the private key or CSR on an existing Sectigo certificate, you can reissue it without purchasing a new one.
Certificate validity changes
Maximum certificate validity periods are decreasing due to CA/Browser Forum requirements. See SSL Certificate Validity Changes (2026-2029) for the current and upcoming limits, and how they affect your renewal schedule.
Troubleshooting
- Troubleshooting SSL Certificate Errors — browser warnings, domain mismatches, mixed content, expired certificates
- Troubleshooting SSL Certificate Issuance Delays — pending validation, CAA record blocks, extended CA review
- Troubleshooting Email Validation for SSL Certificates — wrong email address, spam filters, missing mailboxes, MX record issues
- Troubleshooting Let’s Encrypt Certificate Failures — DNS delegation, secondary DNS conflicts, CAA blocks, DNSSEC issues
- Troubleshooting SSL Certificate Chain Errors — missing intermediate certificates, wrong chain order
- Troubleshooting Heroku SSL errors
FAQ and reference
- SSL Certificates Frequently Asked Questions
- SSL Certificate Glossary — definitions of 30 common SSL terms
- SSL Certificate Product Specifications — side-by-side comparison of all DNSimple certificate products
- SSL Certificate Authorities Used by DNSimple
- Do you support ECC certificates?
- Do you support EV certificates?
- Do you support multi-year certificates?
- Can I upgrade a single-name certificate to wildcard?
- I got an ECC-signed certificate but want RSA
- SHA-2 SSL certificates
Have more questions?
If you have any questions about SSL certificates, contact support, and we’ll be happy to help.