To configure a website to serve HTTPS, you will need to modify the web server’s configuration. If you don’t have access to the configuration, talk to your hosting provider and read their HTTPS documentation.
Decide on SNI support
Server Name Indication (SNI) allows a client to connect to different sites hosted on a single IP address. Most web hosts only work with SNI by default, so supporting older clients that don’t support SNI (e.g. Internet Explorer on Windows XP) is an extra configuration step. Learn more about SNI, and decide whether or not to support these clients.
Get a certificate and private key
A web server needs a private key and a certificate (which includes a public key) to serve HTTPS.
A certificate should be acquired from a trusted certificate authority.
SSLMate is a nice command-line tool to purchase certificates.
Let’s Encrypt is a free certificate authority in beta. You can use their client to generate certificates. They are valid for 90 days, so you’ll need to renew often. They’re actively working on automating the renewal process.
Serve HTTP and HTTPS
Configure your site to serve both HTTP and HTTPS traffic. Although HTTP is insecure, clients may look for your website over this protocol, e.g. a user typing in http://yoursite.com into their browser. We’ll take steps to make sure these requests are upgraded to the secure version, but we don’t want to break browsing experiences by not serving HTTP at all.
Use Mozilla’s HTTPS configuration generator, which produces boilerplate for adding HTTPS to various web servers.
Transition embedded resources
Here's a picture from our 2006 trip to Joshua Tree! <img src="http://example.com/image.jpg">.
Change every embedded resource to load over https. The secure version is always preferred, and the protocol-relative URL is an anti-pattern.
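One way to find the resources that still need changing, as an added example that is not part of the original guide: a small Python scanner that reports embedded resources loaded over http:// or through a protocol-relative URL. The names FETCH_ATTRS, LINK_RELS, InsecureResourceFinder and find_insecure_resources, the tag list and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser

# Tag -> attribute that makes the browser fetch a subresource. <a href> is
# left out: a hyperlink is navigation, not an embedded resource.
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src",
               "object": "data", "link": "href"}
# <link> only fetches for these rel values (rel="canonical" does not).
LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}


class InsecureResourceFinder(HTMLParser):
    """Collect embedded resources that are not loaded over https."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, url, reason)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCH_ATTRS.get(tag)
        url = (attrs.get(attr) or "").strip() if attr else ""
        if not url:
            return
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & LINK_RELS:
            return
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], tag, url, "insecure"))
        elif url.startswith("//"):
            self.findings.append((self.getpos()[0], tag, url, "protocol-relative"))


def find_insecure_resources(html):
    finder = InsecureResourceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the <img> is the one from the text above.
SAMPLE = """<p>Here's a picture from our 2006 trip to Joshua Tree!
<img src="http://example.com/image.jpg"></p>
<script src="//example.com/lib.js"></script>
<link rel="canonical" href="http://example.com/trip">
<link rel="stylesheet" href="https://example.com/site.css">
<a href="http://example.com/more">more</a>"""

if __name__ == "__main__":
    for line, tag, url, reason in find_insecure_resources(SAMPLE):
        print(f"line {line}: <{tag}> {url} ({reason})")
```

The scanner only sees URLs present in the HTML source; resources referenced from CSS or added by scripts need a separate check in the browser.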
Force users to connect over HTTPS
When all embedded resources are loading securely, you can force users to connect to the site over HTTPS.
HTTP Strict Transport Security (HSTS) is a mechanism to force users to connect to a site over HTTPS, and avoid security downgrade attacks. Read more about HSTS and how to implement it.
Verify latest server packages
The web server’s system kernel and openssl packages should be updated to the latest versions for performance optimizations.
Test your HTTPS
SSL Labs offers a free SSL report, which will grade your HTTPS implementation.