Shopify provides SSL certificates to your store after your custom domain has been properly added. To improve security, SSL certificates encrypt your store's content and publish it securely using HTTPS instead of HTTP.
For example, if your store's URL is
http://www.example.com, it will be updated to
https://www.example.com after Shopify issues SSL certificates. Customers who use the original URL will be redirected to the encrypted online store.
When you add your custom domain, a new SSL certificate is automatically created. This process can take up to 48 hours. During that time, you might see an error that reads SSL Unavailable in your Shopify admin and you might see a security error in your browser when you visit your online store. Learn more about the SSL Unavailable error and steps you can follow to troubleshoot it.
Having SSL certificates on your online store lets you:
- add a new layer of security to your online store by using HTTPS instead of HTTP
- build customer trust by displaying the SSL padlock icon beside your online store's URL:
If your online store displays content (including images, videos, or webfonts) that's hosted somewhere other than Shopify, then you can verify it on the Domains settings page in your Shopify admin to make sure it doesn't invalidate your SSL certificate.
Best practices for SSL content
You can take the following actions to make sure your store's online content stays secure:
- Host all of your online store's content on Shopify or a server that publishes over HTTPS (learn about uploading files to your Shopify admin).
- Host your video content on a service that publishes over HTTPS.
- When using webfonts, make sure they're published over HTTPS from their source.
- Don't use CAA (Certification Authority Authorization) records. If CAA records are required, the following Certificate Authorities must be added to each CAA record:
HTTP Strict Transport Security (HSTS) is a mechanism that forces browsers to access a website with an HTTPS connection only. Using a secure connection in this way prevents certain kinds of network attacks, which helps ensure the safety of your information and your customers' information.
An HSTS policy can be set on a domain for a fixed length of time. Shopify's default length is 90 days.
If you remove a domain or leave Shopify entirely, then this policy will remain in effect on the domain for a further three months, but you won't need to take any additional steps as long as you move the domain to another platform that uses HTTPS.
If you move the domain to a platform that doesn't use HTTPS, then for the next three months after removing the domain from Shopify, anyone attempting to access the site will see an error message in their browser that says the site is not trusted or the certificate is not valid.
If you have additional questions, then contact Shopify Support.
Updating domain sitemap
You can manually update your domain's sitemap and notify search engines immediately when your storefront URLs change from HTTP to HTTPS.
Activating SSL certificates for your domain can temporarily affect your website's organic traffic. If you're using webmaster tools to manage your website (like Google Search Console account), then you can manually update your domain's sitemap and notify search engines immediately when your storefront URLs change from
This process is different depending on the webmaster tools that you use.
Google Search Console
- Log in to your Google Search Console account.
- From the Search Console, enter your domain (including the prefix
HTTPS://), and then click ADD PROPERTY.
- Click the name of the domain that's been encrypted using SSL.
- Click Crawl, and then click Sitemaps.
- Click ADD/TEST SITEMAP.
- Enter your domain's new
HTTPSsitemap (for example:
- Remove your domain's
HTTPsitemap from its profile.