What is it?
An SSL Certificate changes the protocol used to access your site from http:// to https:// As shown in the picture, if your site has a properly configured certificate, it will either show a padlock icon, the word Secure, or something similar. Or, if you do not have one, it may show Not Secure or display some other warning.
A Certificate is purchased from a Certificate Authority and it is applied to your site in what are actually a complicated and tedious set of steps. It must be renewed, typically on a 1-6 year basis.
Why do I need one?
Because Google says you do. Unfortunately, the vast majority of sites do not actually need one, nor do they benefit in any way from having one. The idea is to encrypt the communication between the visitor and the web server in case the visitor is sending sensitive data (like their credit card information), or in case they are receiving sensitive information (financial reports and the like).
However, Google does not care if your website does not do this. It wants all sites to use SSL just in case. If you do not use SSL, then your site may receive a small penalty in search engine listings. Therefore it is a good idea to go along with Google.
Can I get a free certificate?
Yes, but you will have to renew it every 30 to 90 days. It is not worth the hassle. The price of purchasing a certificate that is good for 6 years works out to only $13/year.
What kinds of certificates are there?
There are quite a few, and they can be very expensive if you make the wrong choice. Typically, your website will only require what is called a single domain certificate. It is the most inexpensive certificate available, and it is all that your website needs in order to get the padlock icon that will satisfy Google.
Does SSL make my site more secure?
No. This is a common mis-conception. SSL only encrypts the data sent to and from your browser. It does nothing to protect the site itself. Hackers and botnets could care less if they use https:// to attack your site instead of http://
Although your website is still vulnerable to attacks, it can be protected using other methods.