Set up SSL certificate in the shop

Article Version

5.5.0 or newer

SSL / TLS

In general, SSL/TLS is a network protocol for transferring data securely; TLS is the successor to SSL. If you secure the connection to your shop with SSL/TLS, the transferred data is encrypted, so attackers have less chance of intercepting it. You can decide for yourself which technologies you use, but browsers will warn you that, for example, the SHA-1 algorithm has no longer been classified as secure since 2017. It is generally recommended to use state-of-the-art technology such as TLS 1.2 with the SHA-2 algorithm. Which certificate you use is unimportant, as long as it is created technically correctly and installed correctly.

 

Activate SSL

Once the certificate has been installed, you have to activate SSL in Shopware. How that works is shown here.

 

 

Open the shop settings under "Configuration > Basic settings > Shop settings > Shops" and choose the shop for which SSL should be activated. Activate the option SSL support to secure all frontend connections. If you encrypt only security-related areas, additional content such as images may be loaded unencrypted; some browsers classify this as mixed content, which may be a problem. It therefore makes sense to secure all connections to avoid this problem.

 

Redirect all requests

In simple cases, you might just want to redirect all HTTP requests to the equivalent HTTPS route. In these cases, you can use the following generic rule:

 


RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

 

Example:

  • http://foo.example.com -> https://foo.example.com
  • http://bar.example.com -> https://bar.example.com

 

Redirect all subdomains


RewriteCond %{HTTPS} !=on
RewriteRule (.*) https://secure.example.com%{REQUEST_URI} [L,R=301] 

 

Example:

  • http://foo.example.com -> https://secure.example.com
  • http://bar.example.com -> https://secure.example.com

 

Source domain specific

Should your shop require a more specific approach, you can also use a per-domain approach. The following example shows how you can redirect all unsecured requests for http://unsecure-domain.com to https://secure-domain.com:

 


 
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} (www\.)?unsecure-domain\.com [NC]
RewriteRule ^(.*)$ https://secure-domain.com%{REQUEST_URI} [R=301,L]
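
To confirm that a deployed rule behaves as described, the following added example (not part of the original article or of Shopware) checks a redirect response against what the three rule variants above should produce: status 301, an https Location, the expected host, and the preserved path and query string. The function names, the `target_host` parameter and the sample responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit


def check_redirect(request_url, status, location, target_host=None):
    """Return a list of problems (empty = correct). target_host=None means the
    request's own host must be kept; otherwise every request must land on it."""
    req = urlsplit(request_url)
    problems = []
    if status != 301:
        problems.append(f"status is {status}, expected 301")
    if not location:
        return problems + ["no Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":
        problems.append(f"Location scheme is {loc.scheme or 'missing'!r}, expected 'https'")
    want_host = (target_host or req.hostname or "").lower()
    if (loc.hostname or "").lower() != want_host:
        problems.append(f"Location host is {loc.hostname!r}, expected {want_host!r}")
    # %{REQUEST_URI} carries the path; mod_rewrite re-appends the query string.
    if (loc.path or "/", loc.query) != (req.path or "/", req.query):
        problems.append("path or query string was not preserved")
    return problems


def probe(request_url, target_host=None, timeout=5):
    """Send one plain-HTTP GET without following redirects and check the answer."""
    req = urlsplit(request_url)
    conn = http.client.HTTPConnection(req.hostname, req.port or 80, timeout=timeout)
    try:
        target = (req.path or "/") + (f"?{req.query}" if req.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return check_redirect(request_url, resp.status, resp.getheader("Location"), target_host)
    finally:
        conn.close()


# Constructed sample responses (not captured from a real shop).
SAMPLES = [
    ("http://foo.example.com/cart?sid=1", 301, "https://foo.example.com/cart?sid=1", None),
    ("http://bar.example.com/", 301, "https://secure.example.com/", "secure.example.com"),
    ("http://foo.example.com/cart", 302, "https://foo.example.com/", None),
]

if __name__ == "__main__":
    for url, status, location, host in SAMPLES:
        print(url, "->", check_redirect(url, status, location, host) or "ok")
```

For a live check, call `probe()` with a plain-HTTP URL of your own shop and pass `target_host` for the two fixed-host variants.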