SSL

SSL certificates improve online security by encrypting your store's content and publishing it securely using HTTPS instead of HTTP. When you add your custom domain to your Shopify store, a new SSL certificate is created automatically.

For example, if your store's URL is http://www.example.com, then the URL is updated to https://www.example.com when the SSL certificate is issued. Customers who use the original URL are redirected automatically to the encrypted online store.

After you add your custom domain, it can take up to 48 hours for a new SSL certificate to be created. During that time, an SSL Unavailable error might be displayed in your Shopify admin. A security error might also be displayed in your browser when you visit your online store. If your store still displays a security error after more than 48 hours, then refer to the troubleshooting guide on SSL Unavailable errors.

Understanding SSL

SSL certificates have the following benefits for your online store:

  • They add a new layer of security to your online store by using HTTPS instead of HTTP.
  • They build customer trust by displaying the SSL padlock icon beside your online store's URL:

SSL Padlock icon

If your online store displays content (including images, videos, or webfonts) that's hosted somewhere other than Shopify, then you can verify it on the Domains settings page in your Shopify admin to make sure it doesn't invalidate your SSL certificate.

Best practices for SSL content

You can take the following actions to make sure your store's online content stays secure:

  • Host all of your online store's content on Shopify or a server that publishes over HTTPS. Learn more about uploading files to your Shopify admin.
  • Host your video content on a service that publishes over HTTPS.
  • When using webfonts, make sure they're published over HTTPS from their source.
  • Don't use CAA (Certification Authority Authorization) records. If CAA records are required, the following Certificate Authorities must be added to each CAA record:

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security mechanism that ensures that browsers only connect to your online store over a secure HTTPS connection. Using a secure connection prevents certain kinds of network attacks and helps to ensure the safety of your information and your customers' information. HSTS is always active on your domain for as long as your domain is connected to your Shopify store.

If you remove a domain or leave Shopify entirely, then Shopify's HSTS policy remains in effect on your domain for an additional 90 days. If you transfer your domain to another platform that uses HTTPS, then you won't need to take any additional steps.

If you transfer your domain to a platform that doesn't use HTTPS, then for the next 90 days, an error message is displayed in the browser when anyone attempts to visit your domain. The error message might state that the site is not trusted or the certificate is not valid. Wait until the 90 day period is over, or consider transferring your domain to a platform that supports HTTPS.

If you have additional questions, then contact Shopify Support.

Updating your domain's sitemap

Activating SSL certificates for your domain can affect your store's organic traffic temporarily. If you're using webmaster tools like Google Search Console to manage your website, then you can update your domain's sitemap manually and notify search engines immediately when your online store's URLs change from HTTP to HTTPS.

The process for updating your domain's sitemap is different depending on the webmaster tools that you use.

Google Search Console

This example shows how to update your domain's sitemap using Google Search Console. If you haven't used Google Search Console before, then you need to verify your Shopify domain first.

Steps:

  1. Log in to your Google Search Console account.
  2. From the Search Console, enter your domain (including the prefix HTTPS://), and then click ADD PROPERTY.
  3. Click the name of the domain that's been encrypted using SSL.
  4. Click Crawl, and then click Sitemaps.
  5. Click ADD/TEST SITEMAP.
  6. Enter your domain's new HTTPS sitemap (for example: https://www.your-shopify-domain.com/sitemap.xml).
  7. Remove your domain's HTTP sitemap from its profile.

Ready to start selling with Shopify?

Try it free