← All Posts Security

SSL Certificate Best Practices for Server Migrations

By Mark Bolton, creator of HostCheck Published 20 February 2025 Editorial policy

SSL issues are one of the fastest ways to turn a technically successful migration into a public failure. The files may be in place and the database may work, but if the certificate, redirect logic, or mixed-content behaviour is wrong, visitors will see warnings before they ever reach the site. That is why SSL needs its own cutover plan.

What Usually Goes Wrong

  • Missing certificate: the new server answers, but only over HTTP or with a mismatch warning
  • Broken redirect logic: HTTP to HTTPS rules loop or send visitors to the wrong host
  • Mixed content: pages load over HTTPS but still reference insecure scripts, images, or stylesheets
  • Renewal gap: the old host renewed the certificate automatically, but the new server does not

A Practical SSL Cutover Order

First make the site behave correctly over plain HTTP on the new server. Then confirm the virtual host, paths, and redirects work for the real domain. After that, issue or install the certificate, check the full certificate chain, and only then enable aggressive HTTPS redirects or HSTS. Turning on strict redirect rules too early is what creates many migration-day loops.

How to Test Before DNS Changes

Use HostCheck to confirm that the site answers correctly for the real domain on the target IP. That helps you catch wrong-origin behaviour, redirect issues, and mixed-content problems before the cutover. Then, once DNS is live, run a final browser and certificate validation check against the public domain.

Shared Hosting to VPS Is a Common Trap

When leaving shared hosting, certificate renewal is often the hidden dependency. The previous host may have been issuing and renewing certificates automatically through cPanel or their own panel. On a VPS, that automation needs to be recreated explicitly with Certbot or another ACME client.

Final Checks

  • Homepage and key landing pages load over HTTPS
  • There are no mixed-content warnings in the browser
  • Redirects from HTTP to HTTPS are single-hop and correct
  • Renewal is configured and documented on the new host

Conclusion

SSL should be treated as a migration workstream, not a final toggle. If you verify routing first, certificates second, and browser behaviour last, you avoid the most common HTTPS failures that appear after a cutover.

About this article: This guide is published under the direction of Mark Bolton, creator of HostCheck, for developers, site owners, and migration teams working through real hosting changes. Content is reviewed for accuracy, updated when technical practices change, and corrected when readers report issues.

Learn more on our Editorial Policy page or browse the Resource Centre for grouped migration, DNS, security, and troubleshooting guides.

Try HostCheck Now - It's Free