NameCheap has been offering free SSL Certs when registering a domain with them, though you have to use it on a domain that you registered with them last I recall. That aside, they also offer stand-alone certificates from $9.95/yr.
Another question: do you have to get the cert for the domain (mydomain.com), subdomain (store.mydomain.com), or specific url of the whmcs shopping cart (https://store.mydomain.com/cart.php) ?
You'll want the cert for the specific hostname WHMCS is served off of (store.mydomain.com in your example). You could get a wildcard or multi-host cert to allow users to go to https://mydomain.com/ as well, but that will cost extra... I'd just do a 301 redirect on any of the plaintext sites they might end up at to push them in the direction of your https store.
I don't know anything about authorize.net, but I do know that to integrate Google checkout you must have an acceptable SSL cert (ie, not self-signed, and not cacert.org signed) or their API won't notify your WHMCS that a user has paid.
Thanks for this info. Yes, I came across that info about Google Checkout requiring an ssl cert but couldn't locate anything about Authorize.net. Logically it would seem to need it also though to pass the info secured and at that price mentioned above it won't do too much damage to my piggy bank either..
The SSL Cert. that is $9.95 is a basic certificate and should do just fine if you're just starting out. It would be applied to the sub-domain of the WHMCS installation, as noted above. You don't need to include the PHP file in the certificate URL, just the sub-domain itself.
These certificates do not require paperwork and are instantly issued once you complete the form and installation. If you begin to look at others, make note as to whether they require additional paperwork to verify your business information as quite a few of them do.
Would you mind giving some more detail on this part?
Sure. Say you buy a cert for whmcs.yourdomain.com... I would personally make the plaintext vhost for that site redirect the user to the HTTPS version - you could have this respond to several different subdomains and have them all redirect to the same place so no matter where the user starts out the server pushes them in the right direction.
You might also consider having https clients connecting to the wrong hostname redirected, but by that point the user is either scared by the certificate mismatch popup, or they're not - redirecting them won't help.
You can do a 301 redirect with mod_rewrite for example by using [R=301] in the flags, the reason you'd pick 301 redirect is because search engines pick up the "found" response and update their indexes, so you won't get penalized for having duplicate copies of content laying around... the robots collate them all into one url for indexing purposes.
The basic idea being if someone types in store.yourdomain.com they get gently redirected to https://whmcs.yourdomain.com/, same as if they type support.yourdomain.com or any such hostnames, and optionally you can also redirect http://whmcs.yourdomain.com/ to the https version as well.