Enabling secure connections to your Shopify store
Enabling secure connections to your Shopify store ensures that the data that your customers enter remains private and secure. This is achieved using a TLS (Transport Layer Security) certificate, sometimes referred to as an SSL (Secure Sockets Layer) certificate, that encrypts communication between your store and external content, and publishes the content securely using HTTPS instead of HTTP.
For example, if your store's URL is http://www.example.com, then the URL is changed to https://www.example.com when the TLS certificate is issued. If your customers use the original URL, then they're redirected automatically to the encrypted online store.
TLS certificates have the following benefits for your online store:
- They add a layer of security by encrypting customer data.
- They help to build your customers' trust by displaying a padlock icon beside your online store's URL.
Acquiring a TLS certificate
TLS certificates are provided for free for all domains that are added to Shopify. A TLS certificate is issued automatically in the following circumstances:
- For any assets that are hosted on the .myshopify.com domain.
- When you buy a custom domain through Shopify or transfer a domain to Shopify.
- When you connect your third-party domain to Shopify by changing your A record and CNAME record to point to Shopify. In this case, it might take up to 48 hours for the TLS certificate to be issued. During that time, a TLS or SSL pending message might be displayed in your Shopify admin domain settings. After 48 hours, if issuing the TLS certificate has failed, then a TLS or SSL unavailable message might be displayed in your Shopify admin domain settings. If you have an error message similar to Your connection is unsecure on your storefront after 48 hours, then try the troubleshooting steps. If those steps don't resolve the TLS issues, then contact Shopify Support.
You can make sure that your TLS certificate has been issued by verifying that the status of the domain is Connected on the Domains page. In addition, the padlock icon is displayed beside your online store's URL in the address bar when you view your storefront.
Verifying that your assets are secure
If your online store includes images, videos, webfonts, or other assets that are hosted somewhere other than on Shopify, then they should be delivered over HTTPS. Any page in your Shopify online store that includes an asset that isn't delivered over HTTPS is considered to be insecure.
The best option to ensure that your assets are secure is to host all your online store's assets on Shopify.
If you need to host your assets outside of Shopify, then make sure that you do the following:
- Host your assets on a server that publishes over HTTPS. Learn more about uploading files to your Shopify admin.
- Host your video content on a service that publishes over HTTPS.
- When you use webfonts, verify that they're published over HTTPS from their source.
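One way to check a page for the insecure assets described above, as an added example (not Shopify's code or tooling). The tag list, the function names and every host are assumptions, and the sample HTML is constructed:

```python
import re
from html.parser import HTMLParser
# Tags and attributes that make a browser fetch an asset (illustrative subset).
ASSET_ATTRS = {"img": ("src", "srcset"), "source": ("src", "srcset"),
               "video": ("src", "poster"), "script": ("src",), "link": ("href",)}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> types that load an asset
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

def is_insecure(url):
    # Relative and protocol-relative (//host/x) URLs inherit https from the page.
    return url.strip().lower().startswith("http://")

class InsecureAssetFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = [], False  # findings: (tag, attr, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        names = ASSET_ATTRS.get(tag, ())
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & LINK_RELS:
            names = ()  # rel="canonical" etc. is a hyperlink, not a fetched asset
        for name in names:  # srcset holds comma-separated "url descriptor" items
            value = attrs.get(name) or ""
            urls = ([c.split()[0] for c in value.split(",") if c.strip()]
                    if name == "srcset" else [value])
            self.findings += [(tag, name, u) for u in urls if is_insecure(u)]

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # <style> block: @font-face src, background images
            self.findings += [("style", "url()", u)
                              for u in CSS_URL.findall(data) if is_insecure(u)]

def find_insecure_assets(html):
    finder = InsecureAssetFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; every host below is a placeholder.
SAMPLE = """<link rel="canonical" href="http://www.example.com/">
<style>@font-face { src: url("http://fonts.example.net/x.woff2"); }</style>
<img src="//cdn.example.com/logo.png" srcset="http://img.example.net/a.png 1x, https://img.example.net/b.png 2x">
<video poster="/poster.jpg"><source src="http://media.example.net/clip.mp4"></video>"""
```

Calling `find_insecure_assets(SAMPLE)` reports the webfont, the `srcset` image candidate and the video source; each reported asset should be moved to an HTTPS source or hosted on Shopify.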
Certification Authority Authorization (CAA) records
A Certification Authority Authorization (CAA) record is used to specify which certificate authorities are allowed to issue certificates for a domain. A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity's identity on the Internet.
You don't need CAA records for your store. However, if you're required to use CAA records, then the following certificate authorities (CA) must be added to each CAA record at the same time that you connect your domain to Shopify:
Troubleshooting security errors for your third-party domain
After you connect your third-party domain to Shopify, your customers can't access your online store.
Symptom
The following errors occur:
- A TLS or SSL unavailable error or SSL pending is displayed in your Shopify admin.
- A message similar to Your connection is unsecure is displayed on your storefront.
Cause
It can take up to 48 hours for the TLS certificate to be issued after you connect your third-party domain to Shopify. During that time, a TLS or SSL unavailable error or SSL pending might be displayed in your Shopify admin. If the error persists after 48 hours, then the settings on your domain provider's site might not be configured correctly.
Resolution
If the TLS or SSL unavailable error is still displayed after 48 hours, then complete the following steps:
- Verify that your A record is 23.227.38.65, your AAAA record is 2620:0127:f00f:5::, and your CNAME record is shops.myshopify.com.
- If you use CAA records, then verify that you have added all the required certification authorities.
- If you have DNSSEC activated for your domain, then deactivate it.
- If you're using Android 7.0 and lower, then you need to upgrade your device.
- If you're using a version of your browser from before 2010, then update your browser to the latest version.
If you need further assistance, then contact Shopify Support.