16

We currently have a website set to redirect to a new address (our client changed domain names, but wants the old domain to send people to the new site) in IIS 8.5 using permanent redirects found in the 'HTTP Redirect' feature for the site.

The SSL cert has come up for renewal for the old domain, and there is an open question in our tech department as to whether or not it needs to be renewed.

With the HTTP Redirect set up in IIS, does the site need an SSL cert? Or will a visitor be redirected before such things are checked?

Steffen Ullrich
Jeff

4 Answers

24

A redirect from http://old.example.com to https://new.example.com does not require a certificate for old.example.com. But a redirect from https://old.example.com to https://new.example.com does.

If people's bookmarks or search engine search results or other external links point to the https site, you better renew the cert. If you merely assume that people type old.example.com into their browser, you may not need it. (However, if they were on your site before and the browser autocompletes to the https-url, you still need it).

As I understand you already have the redirection in place for some time, the best thing is to check (as Tim Brigham already said) your web logs and evaluate whether it is worth the hassle. Then again, even if for some reason you need an expensive cert for your main site (for example, with Extended Validation), the redirecting site should be fine with one of the generally accepted free certs (startssl, letsencrypt, ...)

kasperd
Hagen von Eitzen
17

Yes, you will need a new certificate if the redirection is done in an HTTP response (a 301 or 302 return code). If you don't, the redirect will not work; visitors of the old domain will get an error that the certificate expired if they visit the old domain via HTTPS.

Teun Vink
2

Renewing your certificate is relatively cheap insurance, but it may be unnecessary.

tl;dr

You may or may not need to renew the certificate. A lot of sites still use plain http for incoming traffic. If the old site only cut over to https when in the cart or the like there isn't a strong reason to renew, especially if the redirection has been in place for a while.

I would personally review the IIS logs for the instance to see if / how many requests to the old domain are actively using HTTPS and proceed from there.

Tim Brigham
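The log review suggested above, as an added example that is not part of the original answer: a Python sketch that tallies requests for the old host by scheme from an IIS W3C log. The sample log is constructed, and the script assumes the `s-port` and `cs-host` fields are enabled in the site's logging.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format (not real traffic).
# Assumes s-port and cs-host are enabled in the site's logging fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time cs-method cs-uri-stem s-port c-ip cs-host sc-status
2016-03-01 10:00:01 GET / 80 203.0.113.5 old.example.com 301
2016-03-01 10:00:07 GET /cart 443 203.0.113.9 old.example.com 301
2016-03-01 10:02:30 GET / 443 198.51.100.7 OLD.example.com:443 301
2016-03-01 10:03:12 GET / 443 198.51.100.8 new.example.com 200
2016-03-01 10:04:44 GET /about 80 192.0.2.44 old.example.com 301
truncated line
"""

def count_by_scheme(lines, host):
    """Count requests for `host` by scheme, using the server port (443 = HTTPS)."""
    fields, counts, https_clients = [], Counter(), set()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The field list can change mid-file when logging is reconfigured.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed entries
        row = dict(zip(fields, values))
        # cs-host may carry a port suffix and arbitrary case.
        if row.get("cs-host", "").lower().split(":")[0] != host.lower():
            continue
        scheme = "https" if row.get("s-port") == "443" else "http"
        counts[scheme] += 1
        if scheme == "https":
            https_clients.add(row.get("c-ip"))
    return counts, https_clients

if __name__ == "__main__":
    counts, clients = count_by_scheme(SAMPLE_LOG.splitlines(), "old.example.com")
    print(f"http={counts['http']} https={counts['https']} "
          f"distinct HTTPS clients={len(clients)}")
```

Run it on logs from before the certificate expires: a client that rejects the certificate aborts the TLS handshake and never sends a request for IIS to log.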
0

Let's assume you are moving a site from www.olddomain.com to www.newdomain.com

In order to respond to a request for https://www.olddomain.com/ without causing scary warnings you need a certificate that covers https://www.olddomain.com/ . This applies regardless of whether the response you want to send is a redirect or not.

On the other hand a request for http://www.olddomain.com/ can be responded to without needing any certificates.

Users who just type your site name will likely end up making a request for http://www.olddomain.com/ (unless you are using HSTS) but if your old site previously redirected everyone to https then it is likely that bookmarks and incoming links will use the https url. If your old site used HSTS then nearly all incoming requests are likely to be on https.

Rather than having separate certificates for the old and new domain it may be better to have a single certificate which covers both domains. This will allow you to host both domains on the same IP address without relying on SNI. The downside of this approach is that many CAs consider multi-domain to be a premium feature and charge accordingly.

Peter Green