Web browser security warnings after installing SSL certificate

Some of the most popular web browsers have begun to show an "insecure" warning when visiting pages that are not accessed via HTTPS. The "insecure" warning may also be triggered during an HTTPS connection if any page elements are not accessed via HTTPS, such as images or external scripts.
 
After you have installed an SSL certificate for your domain there are still some things you may need to do to prevent any "insecure" warnings in your user's web browser. The most common issue we see is when someone installs an SSL certificate but does not properly direct site traffic to use it.
 
Installing an SSL certificate makes https available, but it does not force your visitors to use HTTPS. To force all incoming connections to use HTTPS you must add an entry to the system.webServer element of your web.config file (you'll have to create the file if you don't already have one) that uses the IIS URL rewrite module to redirect all non-HTTPS traffic to HTTPS:
 
 
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Redirect to https" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>
 
That should take care of forcing all incoming connections to HTTPS. For the sake of consistency you may also want to update your site navigation and internal links to use the HTTPS URL.
 
If you are still seeing insecure site warnings after implementing the URL rewrite, try:
 
  • Updating local image links (and references to images or scripts from outside of your domain) that use an HTTP absolute path URL to use the HTTPS URL.
  • If you're using a database-driven app like WordPress, you may have to update the HTTP URLs in the database. There are "find and replace" WordPress plugins that can help.