HTTP to HTTPS Migration Guide

For this guide, Wpromote University felt like it would be best to provide a real, step-by-step example of migrating a site from HTTP to HTTPS, so the following is an actual experience of Wpromoter Brian Rubin.

Unlike some documents I’ve written for Wpromote University (Hi, Brian Rubin here), this one is going to be a bit less formal and a bit more like a story. Why? Because I’ve only done this kind of migration once, with my own site. I’ve come to learn that the way I did it is pretty standard, so this should still cover all the bases. This was done on an Apache-based server, but should work for NGINX as well. Doing this for an IIS site is a bit different, but happens so infrequently that we can cover it in another document if need be.

So, Google has been really pushing websites to switch to HTTPS recently. First, there was word that HTTPS (i.e. secure) sites would get a small ranking boost over HTTP (i.e. unsecure) sites. That’s not what convinced me, however. Soon news broke that Google would start labeling non-HTTPS sites “Unsafe” in their search engine results pages (SERPs). I didn’t want my beloved blog labeled unsafe, so I took action.

I emailed my host and asked, “Hey, could you switch my site to HTTPS please? Thanks!” thinking that would be the end of it. As if some switch just needed to be flipped and poof, secure site.

If only it were so simple.

My host explained that I needed to buy a certificate and provide it to them in order to make the site secure. Now each host is going to be a little bit different in how they approach and apply this issue, but for the most part, you’re going to have to do a bunch of the busywork yourself.

So how does one switch their site?

Well, there are several steps involved, and I’m going to go through each in detail, so hold on tight my friends, this could get bumpy.

1. Get The CSR

Number one, you need to generate a Certificate Signing Request, or CSR, specifically for you and your site. There are a few ways to do this, such as using a generator like this one:

The best way, though, is to do it directly through your host. Now again, each host is different, but what my host wanted me to do was go log in via an SSH terminal and generate the code myself. You’ll have to talk to your host on the settings you’ll need to log in, but this is all done via the terminal.

Now, once logged in, this command generated a key (stick with me here, we’re getting to the CSR):

openssl genrsa -out domain.key 2048

Replace “domain” with the name of the domain you’re trying to secure, i.e:

openssl genrsa -out example.key 2048

Then, once the key is created, you enter the following:

openssl req -new -key domain.key -out domain.csr

Again, replacing “domain” with your domain, so using as an…ahem…example again, we’d type:

openssl req -new -key example.key -out example.csr

Now your CSR has been created. You’ll now need to view it in order to copy its contents. To do this, using our previous example, you’d type:

more example.csr

Copy what it spits out and paste it into a text file. You’ll need that in a moment.

2. Purchase An SSL Certificate

An SSL certificate is something you actually have to purchase, much like a domain. You can purchase your certificate in one-year or multi-year increments as well, again like a domain. There are many companies that do this. I personally went with NameCheap after doing a bunch of research as to who to go with for this very thing. In signing up for the certificate, you need to provide them with a bunch of information. There are two key things you need here:

  1. The CSR you generated in the previous step.
  2. A clear plan on whether you plan to make both the www and non-www versions of the site secure, or just the non-www version. If you want to cover both versions, you have to specify the WWW version when denoting your domain to the SSL registrar. I made the mistake of thinking the non-www version covered everything, but it didn’t. Don’t be like me.
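
A way to catch the www mistake before you pay for anything, as an added example that is not part of the original guide: this script creates the key and CSR from step 1 without the interactive prompts, then lists the hostnames the CSR actually carries and confirms it belongs to your key. It assumes OpenSSL 1.1.1 or later (for -addext); example.com is a placeholder and the function names are made up for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; example.com is a placeholder.

# make_csr DOMAIN DIR
# Create DIR/DOMAIN.key and DIR/DOMAIN.csr naming both DOMAIN and www.DOMAIN.
make_csr() {
    domain=$1 dir=$2
    # umask 077 keeps the private key readable by the current user only.
    ( umask 077 && openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=www.$domain" \
        -addext "subjectAltName=DNS:$domain,DNS:www.$domain"
}

# csr_names CSR
# Check the CSR's self-signature, then print the DNS names it requests.
csr_names() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | sort
}

# csr_matches_key CSR KEY
# Succeed only if the public key inside the CSR belongs to KEY.
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo run in a throwaway directory.
tmp=$(mktemp -d)
make_csr example.com "$tmp" &&
    csr_names "$tmp/example.com.csr" &&
    csr_matches_key "$tmp/example.com.csr" "$tmp/example.com.key" &&
    echo "CSR matches key"
rm -rf "$tmp"
```

The .key file never goes to the registrar; only the CSR text does.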

Once you’ve requested the certificate, there’s a waiting period where the folks granting the certificate have to verify the information you’ve provided and grant you the files you need. This could take a day or two.

3. Upload And Activate Your Certificate

Once your certificate is approved, you’ll be provided with some files to upload to your host, such as (to keep with our previous example):

  • example.csr
  • example_com.crt
  • example_com.p7b
  • intermediate.crt

Once these are uploaded, you’ll ask your host to activate your certificate. Once activated, the HTTPS version of your site should work. However, you’re not done.

4. Redirect HTTP To HTTPS

Once the certificate is up and running, you need to redirect the HTTP version of your site to the HTTPS version. For my own site, I inserted this code into the htaccess file.

RewriteEngine On
RewriteCond %{HTTP:X-Forwarded-SSL} !on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Which made the redirect work.


5. CMS Implementation

Since my site is WordPress, I had to go into admin and change the WordPress Address and Site Address in Dashboard -> Settings -> General so their URLs were HTTPS instead of HTTP. If you can’t get to your admin once the redirect is in place, add the following line to wp-config.php:

define('FORCE_SSL_ADMIN', true);

Which will force the admin to work over HTTPS. That should be all you have to do, but you might run into other issues. For example, when I made my switch, none of my theme’s CSS worked. I found that it was the caching plugin I was using, which hadn’t been set to HTTPS, that was preventing the theme from working.

Therefore, it would be helpful to do some research as to your installed plugins to make sure you can be prepared for any redirection issues.

6. Getting the Green Lock

The final, and possibly most frustrating, part of this migration is when you’ve got the redirect working, and everything seems to work, but you still don’t have the green lock in Chrome or Firefox denoting your site is fully secure. It could be a million little things preventing this, from images still referencing the HTTP version to other files not using HTTPS as well. I used this site:

Which was handy in that it told me which elements of my site were unsecured. With more tweaking and prodding, the site eventually got the green lock.
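
A local version of that kind of check, as an added example that is not part of the original guide: it scans a saved copy of a page for images, scripts, stylesheets and frames still loaded over http://, which is the usual reason the lock does not appear. The function name and the sample page are constructed for illustration.

```shell
#!/bin/sh
# Added example. Names are hypothetical; the sample page below is constructed.

# insecure_resources FILE
# Print "tag url" for each element that loads a subresource over http://.
# <a href="http://..."> and <link rel="canonical"> are skipped: they are links,
# not content the browser fetches to render the page.
# URLs inside CSS or JavaScript are not covered by this check.
insecure_resources() {
    # Join lines first so tags split across lines still match.
    tr '\n' ' ' < "$1" |
    grep -oiE '<(img|script|iframe|link|source|video|audio|embed)[[:space:]][^>]*>' |
    while IFS= read -r tag; do
        url=$(printf '%s\n' "$tag" |
              grep -oiE "[[:space:]](src|href)[[:space:]]*=[[:space:]]*[\"']?http://[^\"' >]*" |
              head -n 1 | sed -E "s/^[^=]*=[[:space:]]*[\"']?//")
        if [ -n "$url" ]; then
            name=$(printf '%s\n' "$tag" | sed -E 's/^<([A-Za-z]+).*/\1/' | tr 'A-Z' 'a-z')
            # Of the <link> tags, only stylesheets pull in page content.
            if [ "$name" != link ] || printf '%s\n' "$tag" | grep -qi 'stylesheet'; then
                printf '%s %s\n' "$name" "$url"
            fi
        fi
    done
}

# Constructed sample page (example.com is a placeholder).
SAMPLE_HTML=$(cat <<'EOF'
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://example.com/">
<script src="https://example.com/app.js"></script>
</head><body>
<a href="http://example.com/about">About</a>
<img class="hero"
     src='http://example.com/uploads/Hero.JPG'>
<img src="/relative.png">
</body></html>
EOF
)

sample=$(mktemp)
printf '%s\n' "$SAMPLE_HTML" > "$sample"
insecure_resources "$sample"
rm -f "$sample"
```

On the sample it reports the theme stylesheet and the hero image, and leaves the ordinary link, the canonical tag and the HTTPS script alone.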



As you can see, it’s quite an involved process moving a website from HTTP to HTTPS. As an SEO professional and not a site’s IT person, it’s rare you’ll have to do this yourself, but if you do, at least you’ll be prepared. Don’t hesitate to ask questions if you have any, and good luck!

written by: Brian Rubin
