SSL & TLS certificates
How HTTPS, certificates and renewals work on Blanca's Builder.
- What is SSL/TLS in simple terms? TLS (often still called SSL) encrypts the connection between visitors and your site so passwords, payments and form data cannot be read in transit.
- Why does HTTPS matter beyond security? HTTPS unlocks modern browser features (geolocation, push notifications, HTTP/2), is a ranking signal in Google, and removes the 'Not secure' warning in browsers.
- Is SSL included free with Blanca's Builder? Yes. Every custom domain gets a free Let's Encrypt certificate that renews automatically. There is nothing to buy or configure.
- How is the certificate issued for my domain? When you connect a domain, the platform proves control via an HTTP challenge or DNS challenge to Let's Encrypt, which issues a 90-day certificate that auto-renews.
- Do I need to renew my certificate manually? No. Renewal happens 30 days before expiry. You only need to act if the domain stops resolving — renewal needs DNS to be intact.
- Do you support wildcard certificates? Yes, on Builder and higher. Wildcards (*.example.com) need DNS-based validation and are issued automatically when you add a wildcard subdomain at /domain.
- Do you offer Extended Validation (EV) certificates? No. Browsers no longer show EV indicators differently from DV, so EV is no longer recommended. We use trusted DV certificates from Let's Encrypt.
- What is HSTS and is it enabled? HSTS tells browsers to always use HTTPS for your domain, preventing downgrade attacks. It is enabled by default with a 6-month max-age after first launch.
- Should I enable HSTS preload? Optional. Preloading hard-codes HTTPS into browsers but is hard to undo. Enable it only when you are 100% certain every subdomain will stay on HTTPS forever.
- Visitors see an SSL error in their browser. What now? Check /domain for certificate status. The common causes are DNS pointing somewhere else, a clock skew on the visitor's device, or an extension intercepting TLS.
- Is HTTP automatically redirected to HTTPS? Yes. Every HTTP request is 301-redirected to HTTPS at the edge. No configuration required.
- Can I upload my own certificate? Yes, on Enterprise. Upload a PEM-encoded certificate and private key in Settings, Domains, Custom certificate. Renewal is then your responsibility.
- Which TLS versions are supported? TLS 1.2 and TLS 1.3 only. TLS 1.0 and 1.1 are disabled because they are no longer secure. This matches PCI-DSS and most compliance baselines.
- Which cipher suites are allowed? Modern AEAD suites with forward secrecy (ECDHE + AES-GCM or ChaCha20-Poly1305). RC4, 3DES and CBC suites are disabled.
- What rating does my site get on SSL Labs? A+ by default. The Blanca's Builder edge configuration covers HSTS, modern cipher suites and OCSP stapling out of the box.
- Is certificate transparency supported? Yes. Every certificate is logged in public CT logs, which Chrome and Safari require. You can monitor issuance for your domain at crt.sh.
- Do you support mutual TLS for API clients? Yes, on Enterprise. mTLS can be enabled per route under Settings, Security. Client certificates are managed through your existing PKI.
- Why do other hosts charge for SSL? Because they predate Let's Encrypt or sell EV/OV certificates as add-ons. Modern automated DV certificates are essentially free.
- Do staging URLs also use HTTPS? Yes. Every blancasbuilder.com subdomain — including preview and staging — has a valid certificate from the wildcard.
- Do TLS certificates apply to my email too? No. Email TLS uses separate certificates issued by your mail provider (often Cloudflare, Google or Resend). Connecting your domain here does not change email.