Question : SSL for a hosted application

I need to set up SSL on a hosted application that runs on my dedicated server. My programs are used by numerous customers and custom branded for their application.

Typically I set up a custom domain for them that I host on my "shared" IP address, with a domain name such as www.companyname-training.com (not real). They are then redirected to my programs that are on another IP address on the same server. Since the customer's domain name does not point to the correct IP, I use the IP address in the URLs for my programs such as http://99.88.77.66/training/salestraining.php (not my real IP).

I am new to SSL; although I have been coding for many years and I am a competent PHP programmer, I have just never had the occasion to use SSL. So please excuse the idiot questions.

I understand that I cannot use an IP address for SSL. I am told that I must use a domain name. Is that correct?

My programs are database driven, and the IP address is a variable, so it wouldn't be too difficult to change the IP address to a generic domain name for the affected programs. Could I use a generic domain name for all clients?

Do I need to create separate directories for the programs that use SSL, or can they remain with the current file structure, mixed with my standard programs? If yes, how do I set up the correct directory? Also, do collateral materials, such as images and .swf files need to be duplicated in the SSL directories?

I am running a dedicated server with CentOS 5 64 bit, Apache, WHM/cPanel and I use PHP5 for most programming.

NOTE: I am looking for coding suggestions, not how to set up an SSL certificate.

I'd appreciate your guidance.



Answer : SSL for a hosted application

There are 3 options here.

1) Use your server to generate a self-signed SSL cert which is bound to your specific IP address and then run all your applications from this root IP address or make the applications appear that they run from it using relative links etc.

2) RECOMMENDED route:

Set up a dedicated domain name such as yournameapplications.com and register this domain name with godaddy.com SSL certs. Godaddy are much cheaper for SSL certs than verisign or thawte. Run all your applications from this domain name using sub directories if necessary. This then chunks your applications up into their respective client directories, while maintaining SSL.

3) An alternative recommended route:

Because of the really low cost of godaddy SSL certs (under $30 per year per domain), you could get your clients to register their own SSL cert for either their main domain or do a sub domain (apps.companyname-training.com) and run their secure application from there.

From a programming point of view, you could have the master PHP files (if they function the same for all clients) in a master directory. You then reference this master directory to the sub domain (apps.companyname-training.com) and check via code for which domain they are coming from to then apply the appropriate skin.

The benefits of 2 and 3 are that the SSL certs are signed by a world recognized certificate authority. Option 1, while free, will throw up errors to each of your visitors saying that the cert is self-signed and not authority signed. 30 bucks a year per domain isn't bad either when you look at the cost of most cert authorities.

Hope this helps.

P.S. I do not earn commissions from godaddy but wish I did for this purpose LOL. They are the best for the money and fulfill the need.
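
The domain check described in the answer, sketched as an added example (not code from the original answer). The hostnames, the `skins/` directory layout and the function names are assumptions; the Host header is client-supplied, so it is matched against a fixed allowlist and never used directly in a file path or redirect.

```php
<?php
// Added example. Hostnames and skin directory names are constructed placeholders.
// Allowlist: hostname the client reaches over SSL => skin directory name.
$SKINS = array(
    'apps.companyname-training.com' => 'companyname',
    'apps.example-client.com'       => 'exampleclient',
);

// Lower-case the Host header value and strip an optional :port and trailing dot.
function normalise_host($rawHost)
{
    $host = strtolower(trim((string) $rawHost));
    $host = preg_replace('/:\d+$/', '', $host);
    return rtrim($host, '.');
}

// Return the skin directory name for an allowlisted host, or null otherwise.
function skin_for_host($rawHost, array $skins)
{
    $host = normalise_host($rawHost);
    return isset($skins[$host]) ? $skins[$host] : null;
}

// Apache sets HTTPS to a non-empty value other than "off" on SSL requests.
function is_https(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

if (PHP_SAPI !== 'cli') {
    $rawHost = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
    $skin    = skin_for_host($rawHost, $SKINS);

    if ($skin === null) {
        // Unknown or forged Host header: do not guess a skin.
        header('HTTP/1.1 404 Not Found');
        exit('Unknown site');
    }
    if (!is_https($_SERVER)) {
        // The host was found in the allowlist above, so it is safe to echo back.
        header('Location: https://' . normalise_host($rawHost) . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    // The path is built only from the allowlisted value, never the raw header.
    define('SKIN_DIR', dirname(__FILE__) . '/skins/' . $skin);
}
```

The master PHP files can then include their header, stylesheet and images from `SKIN_DIR`, so one code base serves every client domain without duplicating files per SSL site.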