SSL HTTPS Senegal: installation, pricing and choices in 2026

SSL HTTPS Senegal: never see the crossed-out padlock again

A cosmetics e-commerce based in Mermoz that woke up SSL-less on a Monday morning. Let's Encrypt auto-renew had been broken for 3 months (the founder hadn't seen the emails). Chrome was displaying "Not secure" in red next to the domain name. Day's outcome: 23 carts abandoned at payment step, 870,000 FCFA of revenue gone. Fixed in 25 minutes after our intervention.

In 2026, a site without HTTPS is not a site. Chrome, Safari, Firefox display an explicit warning. Google demotes SEO ranking. Wave, Orange Money, Stripe APIs refuse integration. And above all: no serious customer types their card on a "Not secure" site.

Why HTTPS became non-negotiable

Three solid technical reasons in 2026:

• User trust: 81% of Senegalese recognize the green padlock (IPSOS Africa 2025 study). Without it, conversion rate divided by 2 to 4 depending on sector.
• SEO: ranking signal since 2014, became a major criterion in 2023 with mobile-first indexing.
• Payment APIs: Wave Business, Orange Money, Stripe, PayPal require HTTPS for webhooks and frontend.

The 4 SSL options for a Senegalese site in 2026

1. Let's Encrypt free — the reference

Default option since 2016. DV (Domain Validated) certificate, renewed every 90 days automatically via the 'certbot' client or via the hosting panel.

Best for: marketing sites, blogs, SMEs, e-commerce under 50M FCFA/year. Avoid if: you're a bank, insurer, or institutional platform that needs the entity name in the address bar.

2. Cloudflare Flexible SSL free

When you enable Cloudflare (free) on your domain, you immediately get a shared SSL certificate covering visitor ↔ Cloudflare traffic. The Cloudflare ↔ your server traffic can stay HTTP (Flexible mode) or be encrypted separately (Full or Full Strict mode).

Setup in 15 minutes, zero maintenance. The trap: in Flexible mode your origin is unencrypted, creating man-in-the-middle risk between Cloudflare and your VPS. Always prefer Full or Full Strict with a Cloudflare Origin certificate (15-year, free) installed on your server.

3. Paid DV / OV cert — for those who need it

Hosts like Sectigo, Comodo, GeoTrust offer DV SSLs at 15,000 to 60,000 FCFA/year. No technical advantage vs Let's Encrypt. The only point is insurance (Sectigo covers up to $250,000 in fraud). Never recommended for a standard SME.

4. EV SSL (Extended Validation)

The highest level: DigiCert or GlobalSign verify the entity's legal existence (Kbis, NINEA, bank docs). The browser shows the company name in the address bar. Cost: $250 to $700/year depending on vendor.

For: banks, insurers, e-commerce > 200M FCFA/year, institutional platforms. For a standard Senegalese SME, it's over-engineering.

Cost summary table in Senegal

Installing Let's Encrypt on cPanel — step by step

Most Senegalese hosts (1Africahost, HostKey, Senehost) ship cPanel with Let's Encrypt AutoSSL enabled. Procedure:

• cPanel login → 'Security' section → 'SSL/TLS Status'
• Check the main domain + subdomains to cover
• Click 'Run AutoSSL'
• Wait 2 to 5 minutes — cert is issued and installed
• Force HTTP to HTTPS redirect via the '.htaccess' file (host often has a toggle)

Cost: 0 FCFA. Time: 15 minutes. Auto-renewal every 60 to 80 days.

Installing Let's Encrypt on a dedicated VPS — certbot

For a DigitalOcean, OVH, Hetzner VPS without cPanel:

• SSH into the server
• Install certbot ('apt install certbot python3-certbot-nginx' on Debian/Ubuntu)
• Run 'certbot --nginx -d yourdomain.com -d www.yourdomain.com'
• Follow the wizard (email + ToS acceptance)
• Auto-renew cron is added automatically

Cost: 0 FCFA. Time: 25 to 50k FCFA if outsourced (1 hour of typical work).

The 5 classic SSL mistakes in Dakar

• Mixed content: page loaded over HTTPS but includes HTTP images — Chrome blocks or warns
• Broken auto-renew: certbot installed but cron forgotten — cert expires at 90 days with no alert
• Subdomains not covered: 'blog.domain.com' forgotten in the SAN
• Too-aggressive HSTS: 'max-age' set to 1 year before full validation, no rollback possible
• Cloudflare in Flexible mode without realizing — origin in cleartext

Our 1-day method

Audit: 1 hour (Qualys SSL Labs grade, auto-renew check, mixed content scan).

Setup: 2 hours (Let's Encrypt or Cloudflare Full Strict + Origin Cert).

Tests: 1 hour (multi-device test, HSTS validation, payment verification).

Client handoff: 30 minutes (monthly verification procedure).

Best for: any site without HTTPS, or with expired cert, or with mixed content. Avoid if: your case demands EV SSL (we route you to DigiCert via a partner).

WhatsApp +221 77 596 93 33 or 15-minute free SSL audit at /en/free-quote.

FAQ

What does an SSL cert really cost for an SME site in Senegal?

0 FCFA in 90% of cases. Let's Encrypt on cPanel or free Cloudflare is plenty. If your provider charges 50 to 100k FCFA/year for "the SSL", they're selling a config service, not the certificate itself.

Is Let's Encrypt secure for an e-commerce site?

Yes, entirely. Same cryptography as paid certs (RSA 2048 or ECDSA), recognized by all browsers. The difference with EV SSL is legal identity validation, not encryption strength.

My site is on WordPress at 1Africahost, how do I enable SSL?

Via cPanel → 'SSL/TLS Status' → 'Run AutoSSL' (procedure above). Then install the 'Really Simple SSL' plugin which forces HTTPS redirect and fixes mixed content in 2 clicks.

HSTS, what is it and should I enable it?

HSTS (HTTP Strict Transport Security) forces the browser to always use HTTPS, even if the user types 'http://'. Recommended once everything is tested. Start with 'max-age=86400' (1 day) before moving to 1 year, so you can roll back if needed.