written by:

Without precise calculations we could fly right through a star or bounce too close to a supernova, and that’d end your trip real quick, wouldn’t it?

Er…wait, this isn’t Star Wars. Sorry!

Recently, Google has been really pushing websites to switch to HTTPS. First, news hit that HTTPS (i.e. secure) sites would get a small ranking boost over HTTP (i.e. unsecure) sites. That’s not what convinced me to switch, however. Recently news hit the wire that Google would start labeling non-HTTPS sites “unsafe” in their search engine results pages. I didn’t want my blog — which I work quite diligently on — labeled unsafe, so I took action.

I emailed my host and asked, “Hey, could you switch my site to HTTPS please? Thanks!” thinking that would be it. As if a switch just needed to be flipped and poof, secure site.

If only it were so simple.

My host explained that I needed to buy a certificate to provide them, in order to make the site secure. Now each host is going to be a little bit different in how they approach and apply this issue, but for the most part, you’re going to have to do a bunch of the busywork yourself.

So what does one need to do to switch their site?

Well, there are several steps involved, which I’m going to go through in detail, so hold on tight my friends, this could get a bit turbulent…

1. Get The CSR

First off, you need to create a Certificate Signing Request, or CSR, specifically for you and your site. There are a few ways to do this, such as using a generator like this one:


The best way, though, is to do it directly via your host. Now again, each host is different, but what mine wanted me to do was go log in via an SSH terminal and generate the code myself. You’ll have to talk to your host on the settings you’ll need to log in, but this is all done via the terminal or command prompt.

Now, once you’re logged in, this command generated a key (stick with me here, we’re getting to the CSR):Screen Shot 2016-02-24 at 3.22.56 PM

openssl genrsa -out domain.key 2048

Replace “domain” with the name of the domain you’re trying to secure, i.e:

openssl genrsa -out example.key 2048

For example.com…for example. Then, once the key is generated, enter the following:

openssl req -new -key domain.key -out domain.csr

Again, replacing “domain” with your domain, so using example.com as an example again, we’d type:

openssl req -new -key example.key -out example.csr

 Now your CSR has been generated. You’ll need to view it in order to copy its contents, so to do this, using our previous example, you’d enter:

more example.csr

Copy what it spits out and paste it into a text file, you’ll need that in a second.

2. Purchase An SSL Certificate

An SSL certificate is something you actually have to purchase. You can purchase one or multi-year increments for your certificate as well, like a domain. There are many companies that do this. I personally went with NameCheap:


After doing a bunch of research as to who to go with for this very thing. In signing up for the certificate, you need to provide them with a slew of info. There are two key things you need here:

  1. The CSR you generated in the previous step.
  2. A clear plan on whether you plan to make the both the www and non-www versions of the site secure, or just the non-www version. If you want to cover both versions of your site, you HAVE TO SPECIFY THE WWW version when denoting your domain to the SSL registrar. I made the boo-boo of thinking the non-www version covered everything, but it didn’t. Don’t be like me and goof this one up.

Once you’ve requested the certificate, there’s a waiting period where the folks granting the certificate have to verify the info you’ve given them and grant you the files you need. This could take a day or two.

3. Upload And Activate Your Certificate

Once your certificate is approved, you’ll be provided with a bunch of files to upload to your host, such as (to keep with our previous example):

  • example.csr
  • example_com.crt
  • example_com.ca-bundle
  • example_com.p7b
  • intermediate.crt

Once these are uploaded, you’ll ask your host to activate your certificate. Once activated, the HTTPS version of your site should work. However, you’re not done. Nosirreebob, not by a long shot.

4. Redirect HTTP To HTTPS

Once the certificate is up and working, you need to redirect the HTTP version of your site to the HTTPS version. For my site, I put this code into the htaccess file.

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Which made the redirect work.

5. CMS Implementation

Since my site is based on WordPress, I had to go into admin and change the WordPress Address and Site Address in Dashboard -> Settings -> General. This made sure the site’s URLs were HTTPS instead of HTTP. If you can’t get to your admin dashboard once the redirect is in place, add the following line to your wp-config.php:

define(‘FORCE_SSL_ADMIN’, true);

This will force the admin to work over HTTPS. That SHOULD, hopefully, be all you have to do, but you might run into other issues. For example, when I made my switch over, none of my theme’s CSS worked. I found that it was the caching plugin I was using, which hadn’t been set to HTTPS, that was preventing the theme from working.

Therefore, when you do this on your own, do some research as to your installed plugins to make sure you can be prepared for any redirection problems.

6. Getting The Green Lock

httpsThis is the final — and possibly most frustrating — part of this migration is getting the redirect working, and everything seems to work, but you still don’t have the green lock in Chrome or
Firefox denoting your site is fully secure. It could be a million little things preventing this, from images still referencing the HTTP version to other files not using HTTPS as well. I used this site:


Which was handy in that it told me which elements of my site were unsecure. With more tweaking and prodding, the site eventually got the green lock.


As you can see, it’s a very involved process to move a website from HTTP to HTTPS. It should hopefully be worth it in the long run, though.


Leave a Reply

Your email address will not be published.

Social Media

A Smorgasbord of Social Media: Facebook Updates Galore

Google’s SEO Tools
Online Advertising

Media Planning Vs. Audience Planning: Taking Resort Marketing A Giant Leap Forward
Thinking about writing for the Wpromote Blog?
Check out our Guest Blogging Guidelines!
Become An Insider! Never Miss Our Industry-Leading Content

Thanks for signing up to be a Wpromote Insider.
You’ll be the first to get the scoop on our latest services, promotions and industry news.