I have been reading and reading and reading to make sure that when I buy my SSL and set it up that I do it right.
So here we go:
I have a website xxx.domain.com that is not secure at the moment. There has been no need to secure it at the moment because I have been accepting payment exclusively through PayPal. Now, however, I have a merchant account and will be accepting credit card payments on the site. The two things that confuse me are the following:
1) Should I set up the SSL for secure.domain.com or xxx.domain.com?
2) Are there benefits and drawbacks to either?
3) I don't want the whole site secure as I am sure this will slow the site down.
I assume I can just redirect the shopping cart to secure.domain.com/purchase.php when they are ready to enter the credit card info. Correct?
4) Also if I wanted to add an admin section to my site I assume I can just put the admin pages under secure.domain.com/admin/admin1.php. Correct?
5) Can secure.domain.com simply be a subdomain of xxx.domain.com in cPanel or does it have to be set up in WHM as a separate domain? Do I have to buy/register the domain secure.domain.com like I did with xxx.domain.com?
The only thing I can see that is a bit iffy is point number 5. You shouldn't need to buy a subdomain of the domain you already own (unless you're on some crazy host). Creating the subdomain in cPanel should work fine. You will specify these options when creating the SSL certificate.
As for point #2, the drawback to either is that the SSL certificate won't work properly outside of either subdomain. The user's browser will complain about the SSL certificate being in the wrong place, so whatever you do you will have to keep all SSL-related stuff within that subdomain.
Everything else you said is entirely correct as far as I can see.
So if xxx.domain.com is the unsecured part of my website, will creating an SSL certificate for xxx.domain.com make all the pages on that domain secure?
Is it recommended or best practice to use secure.domain.com instead of your full domain?
When I do create the SSL certificate for secure.domain.com will all pages automatically be secured and encrypted in that subdomain or can I tell the server which pages to secure and which pages to leave unsecure when in that subdomain?
The pages are only secure if accessed through https:// instead of http://. You will have to specify which pages you want to be secured in your HTML/PHP/whatever code. They will not automatically be secured.
As for which subdomain to use, that's entirely up to you. I personally recently installed a certificate for www.example.com because this way I can secure multiple scripts in multiple directories by supplying the full URL. Just doing secure.domain.com will limit you to putting anything you want secured under that subdomain.
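The name-scoping behaviour the replies above describe (a certificate issued for one hostname triggers a browser warning on any other), shown as an added example that is not part of the original thread. It uses simplified RFC 6125-style matching and goes slightly beyond the thread by also covering multi-name and wildcard certificates; the function names are hypothetical and the hostnames are the thread's placeholders.

```python
# Added example: simplified certificate name matching (RFC 6125 style).
# Hostnames are the constructed placeholders used in the thread.

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.lower().rstrip(".").split(".")

def name_matches(pattern, hostname):
    """True if one DNS name from a certificate covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Wildcard only as the whole left-most label, and only on names
        # with at least three labels (so "*.com" is refused).
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial or non-leftmost wildcards are refused
    return p == h

def cert_covers(cert_names, hostname):
    """True if any DNS name listed in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)

def browser_result(cert_names, url_host):
    # What the visitor sees when the page is requested over https://
    return "ok" if cert_covers(cert_names, url_host) else "name mismatch warning"

if __name__ == "__main__":
    certs = {
        "single":   ["secure.domain.com"],
        "multi":    ["xxx.domain.com", "secure.domain.com"],
        "wildcard": ["*.domain.com"],
    }
    for label, names in certs.items():
        for host in ("secure.domain.com", "xxx.domain.com", "domain.com"):
            print(f"{label:8} {host:20} {browser_result(names, host)}")
```

A certificate is checked only on https:// requests, so the plain http:// pages on either hostname are unaffected by which names the certificate lists.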