SSL certificate and HTTPS: 2 tests that can tank your credibility
An expired certificate triggers a full-screen browser warning. A missing HTTPS redirect leaks data. Tests #09 and #36 catch both instantly.
- Test #09 validates the SSL certificate: expiry date, hostname match, TLS protocol. An expired cert scores 20/100 — browsers block the site entirely
- Test #36 checks HTTPS enforcement: HTTP→HTTPS redirect and mixed content. No redirect = data leaks on every visit
- Both issues are fixable in under 10 minutes — but they destroy trust if left unchecked
There are two types of website problems: the ones visitors notice eventually, and the ones that slap them in the face immediately. An expired SSL certificate is the second type. The browser displays a full-screen warning — "Your connection is not private" — and most visitors leave without ever seeing your site.
But even when the certificate is valid, things can go wrong. If HTTP doesn't redirect to HTTPS, visitors can land on an insecure version of your site. If the page loads mixed content (HTTP resources on an HTTPS page), the padlock disappears. Trust erodes silently.
Orilyt runs two complementary tests. Test #09 validates the SSL certificate itself — is it valid, does it match the domain, when does it expire? Test #36 checks HTTPS enforcement — does HTTP redirect to HTTPS, and are there mixed content issues? Together, they cover the full HTTPS security surface.
Test #09: Is your SSL certificate valid?
Test #09 performs a real TLS handshake with the server and inspects the certificate. It checks:
- TLS handshake — can the server establish a secure connection? If the handshake fails entirely, the score is 0. The site is effectively unreachable over HTTPS
- Certificate expiry — how many days until the certificate expires? Under 7 days = score 55, under 14 days = 65, under 30 days = 75. Already expired = score 20
- Hostname match — does the certificate's CN or SAN match the domain? A mismatch triggers a browser warning just like an expired cert. Score drops to 20
- TLS protocol version — the test reports which TLS version was negotiated (TLS 1.2, 1.3). Older protocols like TLS 1.0/1.1 are deprecated and insecure
A healthy certificate with more than 30 days to expiry and a matching hostname scores 100. If the audited URL uses HTTP instead of HTTPS (even with a valid cert), the score caps at 80 — because the visitor isn't actually using the secure connection.
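As an added illustration (not Orilyt's code), the following Python sketch performs the same kind of real TLS handshake and applies the scoring rules described above. The score bands, the function names and the choice to score any chain-verification failure (expired, untrusted) as 20, like a hostname mismatch, are assumptions of this example.

```python
import socket
import ssl
import time
from urllib.parse import urlparse

# Constructed from the article's description of Test #09: (days-to-expiry limit, score).
EXPIRY_BANDS = ((7, 55), (14, 65), (30, 75))


def score_certificate(handshake_ok, days_to_expiry, hostname_match, scheme="https"):
    """Turn the handshake observations into a Test #09 style score."""
    if not handshake_ok:
        return 0                          # site unreachable over HTTPS
    if days_to_expiry < 0 or not hostname_match:
        return 20                         # full-screen browser warning either way
    score = 100
    for limit, band_score in EXPIRY_BANDS:
        if days_to_expiry < limit:
            score = band_score
            break
    if scheme != "https":
        score = min(score, 80)            # cert is fine, but the audited URL bypasses it
    return score

def hostname_matches(cert, host):
    """Match host against the DNS SANs, falling back to the CN only when no SAN exists."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"] or \
        [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None   # for *.example.com
    return any(n.lower() == host or (n.startswith("*.") and n[2:].lower() == parent)
               for n in names)

def inspect_certificate(url, timeout=5.0):
    """Real TLS handshake against the URL's host; returns observations and the score."""
    parts = urlparse(url)
    host = parts.hostname
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # we report a mismatch instead of raising on it
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert, version = tls.getpeercert(), tls.version()
    except ssl.SSLCertVerificationError as err:   # expired or untrusted chain: warning page
        return {"handshake_ok": True, "verify_error": err.verify_message, "score": 20}
    except (OSError, ssl.SSLError):
        return {"handshake_ok": False, "score": 0}
    days = (ssl.cert_time_to_seconds(cert["notAfter"]) - time.time()) / 86400
    match = hostname_matches(cert, host)
    return {"handshake_ok": True, "tls_version": version, "days_to_expiry": round(days, 1),
            "hostname_match": match, "score": score_certificate(True, days, match, parts.scheme)}
```

Run `inspect_certificate("https://example.com")` against a host you operate; the returned `tls_version` is what the test reports as the negotiated protocol.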
Test #36: Is HTTPS actually enforced?
Having a valid certificate is necessary but not sufficient. Test #36 checks two things:
- HTTP to HTTPS redirect — if a visitor types http://yoursite.com, does the server redirect them to https://? Without this, every direct visit or old link leads to the insecure version. Score: 95 with redirect, 60 without
- Mixed content — even on an HTTPS page, if images, scripts, or stylesheets are loaded via HTTP, browsers flag the page as partially insecure. The padlock disappears. Score: 70 when mixed content is detected
If the audited URL itself uses HTTP (not HTTPS), the score drops to 0. This means the site has no HTTPS at all — or the URL was entered incorrectly.
Mixed content is particularly insidious because it can go unnoticed. The page loads, everything looks fine — but the padlock icon is gone, and security-conscious visitors (and Google) notice.
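As an added example (not Orilyt's code), a small Python mixed-content finder and the Test #36 scoring described above, run over a constructed sample page. The redirect result is taken as a boolean input here; treating the worse finding as the final score when both a missing redirect and mixed content are present is an assumption of this example.

```python
from html.parser import HTMLParser

# Tags whose src fetches a subresource; <a href> is navigation, so it is not mixed content.
SRC_TAGS = {"img", "script", "iframe", "video", "audio", "source", "embed"}


class MixedContentFinder(HTMLParser):
    """Collect subresources on an HTTPS page that would be fetched over plain HTTP."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SRC_TAGS:
            url = attrs.get("src") or ""
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href") or ""      # stylesheets load; canonical/alternate do not
        else:
            return
        if url.strip().lower().startswith("http://"):
            self.findings.append((tag, url.strip()))

def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings

def score_https_enforcement(scheme, redirects_to_https, mixed_content):
    """Test #36 style score; assumption: the worse finding wins when both are present."""
    if scheme != "https":
        return 0                      # audited URL is plain HTTP: nothing to enforce
    score = 95 if redirects_to_https else 60
    return min(score, 70) if mixed_content else score

# Constructed sample page: one HTTP stylesheet and one HTTP image, plus decoys that
# should not be flagged (an HTTPS script, a canonical link, a plain hyperlink).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/app.js"></script></head>
<body><img src="http://example.com/old-logo.png" alt="logo">
<a href="http://example.com/about">About</a></body></html>"""

if __name__ == "__main__":
    found = find_mixed_content(SAMPLE_PAGE)
    print(found, score_https_enforcement("https", True, found))
```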
Common causes and quick fixes
Most SSL/HTTPS issues are easy to fix once identified:
- Certificate expired — auto-renewal failed (Let's Encrypt cron job broken, hosting panel misconfigured). Fix: renew manually, then fix auto-renewal. Takes 5 minutes
- No HTTP→HTTPS redirect — the .htaccess or server config doesn't redirect HTTP to HTTPS. Fix: add a RewriteRule or server block. Two lines of code
- Mixed content — old content has hardcoded http:// URLs. Fix: search and replace in the database (Better Search Replace plugin) or use a Content-Security-Policy: upgrade-insecure-requests header
- Wrong domain on certificate — the certificate was issued for www.example.com but the site runs on example.com (or vice versa). Fix: reissue with SAN covering both
The key pattern: these are all configuration issues, not code issues. They're fast to fix and high-impact — exactly the kind of finding that justifies an audit.
SSL/HTTPS as a selling point
For freelancers and agencies, SSL/HTTPS findings are some of the most powerful in any audit. They're visual, urgent, and universally understood.
In the Orilyt report, the two tests generate clear FIA recommendations:
- Fact: "SSL certificate expires in 5 days" or "No HTTP to HTTPS redirect detected"
- Impact: "Browsers will block the site in 5 days" or "Visitors on HTTP see no encryption — data is transmitted in plain text"
- Action: "Renew the certificate immediately" or "Add a 301 redirect from HTTP to HTTPS in the server configuration"
These findings create urgency. A client who sees "your certificate expires in 5 days" acts immediately. A client who sees "no HTTPS redirect" understands the risk without needing a technical explanation. It's the easiest audit finding to sell.
The foundation of trust — checked in 2 seconds
HTTPS is not a feature. It's a baseline. Google requires it for ranking. Browsers warn without it. Visitors leave at the first sign of insecurity. Tests #09 and #36 verify this foundation in seconds.
If the certificate is valid, the redirect works, and there's no mixed content — you're good. If any of these fail, it's the first thing to fix before any other optimization matters.
For client audits, SSL/HTTPS is the conversation starter. It's visual, it's urgent, and the fix is fast. If you find a problem here, you've already justified the audit.