I’m working on a JavaScript app that I am going to make viewable in Facebook. Facebook requires I set up a special directory on my server which will serve the relevant PHP and JavaScript code. Mine is called /canvas.
They also require that the connection be made using https. Okay, fine, so I’m looking at purchasing an SSL certificate.
I use the following code in my .htaccess file so that people don’t have to type in “WWW” in order to reach my domain:
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^(.*)$ http://%1/$1 [R=301,L]
So I assume that the URL I want to send Facebook to is https://mydomain.com/canvas.
But I’m a little confused, because it seems when buying an SSL certificate, I need to specify a subdomain.
Is there a way to specify it so that “mydomain.com” without the “www” is where the SSL certificate is applied to?
Or is that not desirable? Should I set aside a special subdomain for secure transactions? Something like https://secure.mydomain.com?
I’ve never worked with SSL certificates before, so please answer on a level a newbie can understand.
The most important point is that you need the certificate to match the host name requested by the user (even after redirection). To be able to serve both www.example.com and example.com, you’ll need a certificate that has both Subject Alternative Name (SAN) entries.
You don’t have to specify a sub-domain, but it depends on what the CA has issued for you. Some will quite happily issue a certificate with the two SAN entries (with and without www), in some cases without additional fee.
If you want to serve everything over https://example.com, it’s fine, but if your cert doesn’t have a SAN for www.example.com, initial connections to https://www.example.com (before the redirection) will cause a certificate error on the client side. Hence, it’s useful to have both.
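The check described in the answer above, as an added example that is not part of the original post: it matches a requested host name against a certificate's SAN dNSName entries the way a TLS client does, and goes one step beyond the answer by including wildcard entries. The function names and the SAN lists are constructed for illustration.

```python
# Added example: host-name-to-SAN matching as a TLS client performs it before
# any HTTP redirect can be sent. SAN lists below are constructed sample data.

def san_matches(hostname: str, san: str) -> bool:
    """Return True if one dNSName SAN entry covers the requested host name."""
    host_labels = hostname.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False  # a wildcard stands for exactly one label, never zero
    if san_labels[0] == "*":
        # Simplification (assumption): only a whole left-most "*" label is
        # honoured, and never directly under a top-level domain (e.g. "*.com").
        return len(san_labels) > 2 and host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def coverage(san_list, hostnames):
    """Map each host name to whether any SAN entry covers it."""
    return {h: any(san_matches(h, s) for s in san_list) for h in hostnames}


def redirect_is_safe(san_list, apex):
    """An HTTPS www -> apex redirect only works if both names validate first."""
    cov = coverage(san_list, [apex, "www." + apex])
    return all(cov.values()), cov


# Constructed SAN lists representing what a CA might issue.
SAMPLE_CERTS = {
    "apex only": ["example.com"],
    "apex + www": ["example.com", "www.example.com"],
    "wildcard only": ["*.example.com"],
    "wildcard + apex": ["*.example.com", "example.com"],
}

if __name__ == "__main__":
    for name, sans in SAMPLE_CERTS.items():
        ok, cov = redirect_is_safe(sans, "example.com")
        print(f"{name:16} {'OK' if ok else 'CERT ERROR'}  {cov}")
```

A wildcard-only certificate fails for the bare domain, so it needs the apex name as an additional SAN entry.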