Is an SSL Cert needed for redirects?
We currently have a website set to redirect to a new address (our client changed domain names, but wants the old domain to send people to the new site) in IIS 8.5 using permanent redirects found in the 'HTTP Redirect' feature for the site.
The SSL cert has come up for renewal for the old domain, and there is an open question in our tech department as to whether or not it needs to be renewed.
With the HTTP Redirect set up in IIS, does the site need an SSL cert? Or will a visitor be redirected before such things are checked?
A redirect from http://old.example.com to https://new.example.com does not require a certificate for old.example.com. But a redirect from https://old.example.com to https://new.example.com does.
If people's bookmarks or search engine search results or other external links point to the https site, you better renew the cert. If you merely assume that people type old.example.com into their browser, you may not need it. (However, if they were on your site before and the browser autocompletes to the https-url, you still need it).
As I understand it, you already have the redirection in place for some time, so the best thing is to check (as Tim Brigham already said) your web logs and evaluate whether it is worth the hassle. Then again, even if for some reason you need an expensive cert for your main site (for example, with Extended Validation), the redirecting site should be fine with one of the generally accepted free certs (startssl, letsencrypt, ...).
Yes, you will need a new certificate if the redirection is done in an HTTP response (a 301 or 302 return code). If you don't, the redirect will not work: visitors of the old domain will get an error that the certificate expired if they visit the old domain via HTTPS.
Renewing your certificate is relatively cheap insurance, but it may be unnecessary.
tl;dr
You may or may not need to renew the certificate. A lot of sites still use plain http for incoming traffic. If the old site only cut over to https when in the cart or the like, there isn't a strong reason to renew, especially if the redirection has been in place for a while.
I would personally review the IIS logs for the instance to see if / how many requests to the old domain are actively using HTTPS and proceed from there.
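
The log review suggested in the answers, as an added example that is not part of any answer on this page: a PowerShell function that reads IIS W3C log lines and reports, per scheme, how many requests and distinct clients still reach the old domain and when the last one arrived. The function name, the sample log lines and the assumption that HTTPS is bound to port 443 are constructed for illustration.

```powershell
# Constructed sample in IIS W3C extended format (not real traffic).
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status
2016-03-01 08:12:01 GET / 80 198.51.100.7 301
2016-03-01 08:14:22 GET /cart 443 198.51.100.9 301
2016-03-02 10:02:45 GET /products 443 203.0.113.4 301
2016-03-02 11:30:00 GET / 80 203.0.113.4 301
'@ -split "`r?`n"

function Get-RedirectSchemeUsage {
    param([string[]]$Lines, [int]$HttpsPort = 443)   # 443 is an assumption

    $fields = @()
    $stats  = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        if ($line -like '#Fields:*') {
            # Column order is configurable per site, so read it from the header.
            $fields = @(($line -replace '^#Fields:\s*', '').Trim() -split '\s+')
            if ($fields -notcontains 's-port') { throw 'Log does not record s-port' }
            continue
        }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }

        $cols = @($line -split ' ')
        if ($cols.Count -ne $fields.Count) { continue }   # skip truncated lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }

        $scheme = if ([int]$row['s-port'] -eq $HttpsPort) { 'https' } else { 'http' }
        if (-not $stats.ContainsKey($scheme)) {
            $stats[$scheme] = @{ Requests = 0; Clients = @{}; LastSeen = '' }
        }
        $s = $stats[$scheme]
        $s['Requests'] += 1
        $s['Clients'][$row['c-ip']] = $true
        # IIS writes timestamps in UTC; ISO-style strings compare correctly as text.
        $stamp = '{0} {1}' -f $row['date'], $row['time']
        if ($stamp -gt $s['LastSeen']) { $s['LastSeen'] = $stamp }
    }
    foreach ($scheme in ($stats.Keys | Sort-Object)) {
        [pscustomobject]@{
            Scheme = $scheme; Requests = $stats[$scheme]['Requests']
            DistinctClients = $stats[$scheme]['Clients'].Count
            LastSeenUtc = $stats[$scheme]['LastSeen']
        }
    }
}

Get-RedirectSchemeUsage -Lines $sample | Format-Table -AutoSize
```

To run it against real data, pass the output of `Get-Content` on the old site's log files as `-Lines`. A non-zero `https` row with a recent `LastSeenUtc` means clients are still arriving over HTTPS and would see a certificate error once the cert expires.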