Secure certificate registration – ensure you choose ‘www’ or not

I’ve been helping a client move their website from their existing host to a new one, as their old host is closing down.

This was quite straightforward once they’d decided to only move the site I had written the code for, not another which was a complicated unknown entity.

The only wrinkle was they have a secure certificate to give them an https connection and we had to register a new certificate as part of the move. I did this through their host at their request, but hadn’t realised that most SSL certificates are specific to the domain, including the sub-domain. This was a mistake as they used the ‘www’ version of their address for their website, and I registered the new certificate for the non-www version.

To stop this being a problem, I put a redirect in to the .htaccess file to redirect all traffic to the non-www version on the secure connection:

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.(.*)
RewriteRule ^.*$ https://%1/$1 [R=301,L]

The only further foible was as this was an existing site, Google had indexed the site, and shows the https version in the search results, even though the home page is not explicitly https. Now, because it points people to the https://www version of the site, it shows an unsecure error before showing the site, because the certificate isn’t valid for that on the new site.


  • Used Google Search Console (AKA Webmaster Tools) to update the preference to the non-www name
  • Updated the DNS of the www. version to point to the old server while it is still working
  • Added the above .htaccess redirect on the old server to point everyone across to the secure version of the non-www address
  • Created a new XML sitemap of the site at the secure, non-www address and re-submitted it to Google Search Console
  • Wrote an apologetic e-mail to the client explaining the mistake
  • Wrote this blog post and linked to the new site address to help the non-www address get indexed

All this means – searchers go to the old host so no security warning, then get forwarded to the new host while we wait for Google to respond to the preference change. I hope it comes through quickly.

And now I’ll go back to my scheduled work a wiser, if more tired, man.

Leave a Reply

Your email address will not be published. Required fields are marked *