This forum won't let me discuss our url so let's see if I can describe the problem more generally..

We hope you can help us by making a recommendation. We recently had a site redesigned and are looking for the best encryption cert to for our needs. We have tried Free/Rapid SSL but it does not cover the two possible domains that people could type in the browser address bar.

Currently if people type in the domain without the www, they will get our secure site. However, if they type in the domain with it, they get an ugly error message telling them that there the name on the security certificate is invalid or does not match the name of the site. The cert is issued to the name of the domain without www

However, if we change the name of issue to the domain with www, then when people type the domain without www into the address bar, they get the error message.

We want an SSL certificate to cover the secure site regardless of whether or not the customer types www, without displaying the warning dialog saying there is something wrong with the certificate.

What can you recommend? Do we need 2 certs or is there one cert that will cover this?

Just just mod_rewrite to redirect all your requests to the www page.

https://microsoft.com/

Just take a look there and you'll see even the giants don't do this sort of thing. ;)

I checked out your example. Thank you! It has helped us. However, we have another more pressing issue. Hopefully you have a simple solution.

Even though I have a cert installed, customers don't go to the https site. They still go to the old http site when they either click our link in Yahoo, use a link saved in favorites, or if they just type www and then our name. They'd literally have to type in https to get the secure site. We suggested a redirect from the http site to the https site. However, our designer has read that search engines don't like redirects of this type and if we try to redirect a customer from the yahoo link, for example, that it could hurt our ranking. We are currently at no. 1 and don't plan on losing our spot.

How do we, or more specifically our coder, get customers to the https site seamlessly and still keep the engines happy?

You've been a big help so far. Thanks.

kblue

"Just just mod_rewrite to redirect all your requests to the www page."

Actually, sorry. This won't work.
We are using a IIS server (ASP) and can't use Apache (Linux) commands.

This is easy in ASP, 1 Line of code will do it. You should consider
getting a new coder.... ;)

Response.Redirect "https://your_secure_url_here"

The page you wish to get indexed doesn't need to be in HTTPS.

This is no big deal that your customers surf on an insecure protocol as long as your login/billing/ and even maybe contact form are secure.

If you make all your site on https, you'll findout that it can be heavy on cpu ressource.

As it turns out, our coder will need some help with this...not familiar with certs but we are in the process of working it out now that I have more info on my own.

GrindKore, to tell you the truth, we're quite happy with our coder at the moment because he's been knowledgable regarding everything else, just not certs. I do some coding myself, but it is very limited. I'm just learning. However, I am able to do some basic legwork and get some answers.

You have all been very helpful. Thank you!

Well your coder should know how to redirect to HTTPS. It's nothing to do with whether or not he knows his SSL or not, it's just a redirect! Sack him and find someone decent :)

There is no need to have your visitors surf the whole site via SSL. Simply make sure that links to your order/payments forms use absolute links of the https:// variety so that these are accessed via SSL.

You could even code in a check on those pages that does a redirect to back to itself via https:// so that there is no way you can access those pages without being on the secure URL.

What our coder states, is that he needs to know how to be able to retain ASP session variables when transferring from HTTP to HTTPS. Apparently as it is now, when the database written for the shopping cart, transfers the total amounts of product, taxes, shipping, etc. into the secure payment pages, the variables are not transferring and the customer will end up with zeros everywhere. Anybody out there know how to do this? (Obviously this does not happen if the whole site is encrypted, but we don't want it that way. All we want is the payment pages and contact form encrypted. As mentioned abouve, our coder claims that ASP variables won't transfer between http and https when encrypting them.)
Anyone out there an ASP guru?

Can you not use cookies? Either that or save a cart details into a temporary table in your database and associate it with the users IP for that session.

I don't quite understand what the issue is though. Surely you will just POST or GET the variables into the page on HTTPS. Just submit those or use a Querystring to pass them through to the secure part.

However, you would normally have the actual Cart in the non-SSL area and then submit the total price through to your payment processing page where you would collect the sensitive details such as Customer info and CC numbers.

I gather there is some other issue with those options because we've discussed them in the past couple of days. Regardless, I am forwarding this information along to our coder and then unfortunately, I'm going to back out and leave him alone. Some of this is way over my head and unless I know more, I can't provide you with necessary details. I am sure he'll figure things out and we've already gotten further by reviewing these posts. It is now my understanding that he is working with another individual to come up with a solution. Thank you for your time and suggestions.

To GTX,

Our coder does know how to do redirects. That's not the issue. We have looked into redirects and according to a lot of research out there, this can affect search engine placement. We have been strongly advised against using redirects. We are already at number oen and don't wish to have this change. However, if you have some research out there that states a contrary opinion, please post and we'd be more than glad to have a look.

They don't need to view your site in SSL anyway, at least not the main page. Just have a link to the secure section in the site, e.g. https://secure.example.com or https://www.example.com/secure. Only the secure section needs SSL...I think you're making this a lot more complex than it really is. Your site's billing section isn't really important to your search engine ranking anyway, so redirecting to the SSL site isn't a problem. If you REALLY need to ensure that it's all in SSL, then just have IIS run HTTPS on port 80 as well. Then all browsing is secure. Seems pointless to me, but if that's how you wanna do things...

It's not how "we", specifically, want to do things. We're relying on the expertise of our coder who has now enlisted support from the hosting company to resolve this issue. We have been told by several individuals that encrypting the shopping carts to allow for a transfer of variables would require rewriting the entire database which has over 250 products....a monumental task. Yes, it was neglected due to the limitations of our coder but it's where we are now.

As we stated previously, we thank those who posted a response as they helped us a lot. However, we've done all we can at this point and the rest is in the hands of the experts.

If others choose to post to this discussion further, don't let us stop you! However, we have no further need to continue it at this juncture.

TBH, if your 'expert coder' can't do a simple thing like POST or GET the price etc through to the secure area then you may want to reconsider how 'expert' he really is. I honestly don't see the problem. All he needs to do is build up the Cart on the non-secure site and then pass the price etc through to the SSL page where any sensitive personal details will be collected with the security active. It's quite a simple process really.

I'm just mindful that these 'experts' could end up charging you a lot of money to overcome this 'difficult' problem.