How to Fix Your SSL Certificate on BigCommerce

You can do this

BigCommerce gives every store a free certificate, provisioned and renewed automatically. When SSL fails here it is almost always one of three things: waiting time, a missing DCV record, or mixed content. Here is how to tell them apart.

The certificate itself is handled for you. Your job is pointing the domain correctly and cleaning up what your own pages load.

What BigCommerce does for you

Every BigCommerce store gets a free SSL certificate. It is provisioned automatically and renewed automatically. You do not buy it, install it, or diary its expiry.

One small note we will be honest about: BigCommerce does not name the certificate authority it uses. Plenty of guides assume Let's Encrypt. We cannot confirm that, so we will not claim it. This matters if you use CAA records, which restrict which authorities may issue for your domain. If you have CAA records in place and your certificate will not issue, that is a strong suspect, and BigCommerce support can tell you which issuer to authorise.

If it is brand new, wait

Certificate provisioning can take up to 48 hours after you connect a domain. That is normal and it is not a fault.

If you connected your domain an hour ago and HTTPS is not working, the fix is usually patience. Come back tomorrow before you start changing DNS. Half the "broken SSL" panics are a store owner refreshing a page that simply is not ready yet.

The DCV gotcha that actually breaks things

This is the one worth your attention, and it is specific to BigCommerce.

If your domain is pointed to BigCommerce using BigCommerce nameservers, domain control validation is handled for you and there is nothing to do.

But if your domain is pointed by CNAME or A record instead, you must add DCV records at your registrar yourself. Without them the certificate simply fails to install. It will not eventually sort itself out. Nothing will happen until those records exist.

So before you assume anything is wrong with BigCommerce, check how your domain is connected. That one answer explains most stuck certificates.

Do things in the right order

Order matters more than people realise, and getting it wrong can lock visitors out of a working site.

  1. 1.Certificate first. Confirm it is issued and your storefront loads over https:// with no browser warning.
  2. 2.Then force HTTPS. Every page, not just checkout. Make sure http:// requests land on https://.
  3. 3.Then mixed content. Clear the warnings before you go further. See below.
  4. 4.Then HSTS, last. Only once everything above is solid sitewide. You will find it in the same panel covered in our BigCommerce security headers guide.

Mixed content

Once HTTPS works, you may still see a broken padlock. That is mixed content: your secure page is loading something over plain http://. An image, a script, a font, a widget.

Browsers treat scripts loaded over http:// on an https:// page as a real risk, and often block them outright, so this shows up as things quietly not working as well as a missing padlock.

On BigCommerce the usual sources are hardcoded http:// URLs in product descriptions, page content, theme settings and third-party snippets you pasted in months ago. Open your browser's developer console on the affected page. It names the exact URLs. Fix each one to https:// at the source.

Avoid protocol-relative URLs like //example.com. They are a legacy pattern and are no longer recommended. Write the full https:// URL.

Bringing your own certificate

BigCommerce does support third-party and custom certificates, which sets it apart from Shopify, Wix and Squarespace, where they are simply prohibited. According to our research this sits on the higher tiers, referred to as Scale and Performance.

Be careful reading anything about BigCommerce plans right now. The tiers were renamed on 1 June 2026: Standard became Core, Plus became Growth, Pro became Scale, and Enterprise became Performance. Guides written before that date use the old names. Confirm your plan's current capability with BigCommerce rather than trusting an article, including this one.

Honest take: the free automatic certificate is right for nearly every store. A custom certificate is worth the trouble only if you have a specific compliance or organisational requirement. The free one renews itself. A custom one is a job you now own.

A word on HSTS preload

Once HTTPS is solid, HSTS is a good idea. Preload is a bigger commitment than it looks.

To qualify, hstspreload.org requires a max-age of at least 31536000, plus includeSubDomains, plus preload, a valid certificate, an HTTP to HTTPS redirect on the same host, and every subdomain served over HTTPS. On BigCommerce that means the one-year HSTS option with includeSubDomains.

The catch: inclusion cannot easily be undone, and removal takes months to reach users through a Chrome update. If a subdomain of yours is not on HTTPS, preloading makes it unreachable for real people for a long time. Enable HSTS. Think hard before preloading. Our HSTS glossary entry covers the trade-off.

Quick diagnosis

Match the symptom to the cause before you change anything.

  • Connected the domain today, no HTTPS yet. Wait. Provisioning takes up to 48 hours.
  • Been days and the certificate never installs. Check how the domain is pointed. If it is CNAME or A record rather than BigCommerce nameservers, you owe DCV records at your registrar.
  • HTTPS works but the padlock is broken. Mixed content. Open the developer console and fix the http:// URLs it names.
  • Certificate will not issue and you use CAA records. Your CAA may not authorise BigCommerce's issuer. BigCommerce does not publish who that is, so ask their support.
  • Not sure what your store is actually serving. Run a free check. It reports the certificate, the redirect behaviour and the headers as a visitor would see them.
Check your work in seconds

Run your site through our free safety check to confirm the fix is live, and see what else a shopper would notice.

Run a free check

Frequently asked questions

Does BigCommerce include a free SSL certificate?

Yes. Every store gets one, provisioned automatically and renewed automatically. There is nothing to buy and nothing to diary. Provisioning can take up to 48 hours after you connect a domain.

My BigCommerce certificate will not install. What is wrong?

Check how your domain is pointed. If it is connected with BigCommerce nameservers, validation is handled for you. If it is pointed by CNAME or A record instead, you must add DCV records at your registrar yourself, and until you do the certificate simply fails to install.

Which certificate authority does BigCommerce use?

BigCommerce does not name its issuer, so we will not guess. Some guides assume Let's Encrypt and we cannot confirm that. It only matters if you use CAA records to restrict issuance. If you do and the certificate will not issue, ask BigCommerce support which issuer to authorise.

Can I use my own SSL certificate on BigCommerce?

Yes, which is unusual among hosted platforms. Our research puts third-party certificate support on the higher tiers, named Scale and Performance since the June 2026 rename. Confirm with BigCommerce, because plan names and capabilities have moved recently. For most stores the free automatic certificate is the better choice, because it renews itself.

HTTPS is working but the padlock is still broken. Why?

That is mixed content. The page is secure but something on it loads over plain http://, usually an image, script or widget with a hardcoded URL in a product description or theme setting. Your browser console lists the exact URLs. Change each to https:// at the source. Do not use protocol-relative URLs like //example.com, which are a legacy pattern.

SSL certificate on other platforms

Other fixes for BigCommerce

See the full fix-it matrix →

Prove your site is safe.

Once it is fixed, show it. Get a badge your shoppers can verify, backed by continuous checks. Free to start.

Get started free Run a free check