SSL/TLS security during migration: certificate, HTTPS and customer trust
Without a valid SSL certificate, a red warning appears right in the address bar: enough to scare off the majority of visitors.
- HTTPS must be operational before switching over real traffic, never after
- The 301 redirect from http to https must cover every subpage, not just the root
- A free certificate (Let's Encrypt) is enough for the vast majority of sites
- A renewal alert 60 days before expiry prevents any outage
Why SSL/HTTPS is essential during a migration
It's the first trust signal displayed by modern browsers. Without a valid certificate, a red warning appears right in the address bar. Google has also treated HTTPS as a ranking factor since 2014: migrating without SSL risks a drop in search rankings. If the old site was already on HTTPS, consistency preserves the accumulated history of trust.
Choose the right type of SSL certificate
Wildcard
Covers all the subdomains of a domain.
Multi-domain
Secures several distinct domains in a single certificate.
Single
The most common, for a single domain.
All three offer the same level of encryption: the difference lies in domain coverage. Many hosts offer a free certificate (Let's Encrypt) that is enough for the vast majority of brochure sites.
Install and configure HTTPS before the actual migration
HTTPS must work before switching over real traffic. Obtain the certificate, generate the signing request (CSR), verify domain ownership, then install the certificate and private key on the new server. Then test with a free tool (SSL Labs) to check for any errors and confirm compatibility before triggering the DNS migration.
301 redirects to HTTPS: avoiding the mistakes that break SEO
A 301 redirect from http to https preserves all the search authority you've accumulated. Configure it at the server level (Apache, Nginx), not in the application. A common mistake: redirecting every http page to the https root instead of its equivalent page. Check that each subpage follows its own redirect before considering the migration complete.
The HTTPS configuration and clean redirects are among the foundations laid from the very start in every website creation and redesign project.
Monitor and renew the certificate after the migration
An expired certificate triggers a critical error for every visitor. Set up an alert 60 days before expiry, or use a monitoring tool that regularly tests the certificate. With Let's Encrypt, renewal is automatic every three months, but check that the scheduled task is actually running. After the migration, review Search Console to detect any mixed content (HTTPS pages with resources loaded over HTTP).
Frequently asked questions
Is a free certificate enough?+
Yes for the vast majority of sites: the encryption is identical to a paid certificate.
What happens if I forget a redirect on a subpage?+
The page returns a 404 error and loses all its accumulated search authority: test a large sample before validating.
How long does an SSL certificate stay valid?+
From 90 days (Let's Encrypt, renewed automatically) to 1-3 years for standard paid certificates.