Forum Moderators: phranque


configure secure / non secure

         

Bobby Maxden

11:49 am on Dec 10, 2008 (gmt 0)

10+ Year Member



I have http.site.com and https.store.site.com.

I want to reconfigure and do it "right" this time.

My assumption is that "right" means I should make it simpler by assigning my SSL cert to site.com and using what is described here:

[askapache.com...]

to send users to secure or non secure pages.

Is this a correct assumption? I want to make sure I'm on the right track before I transfer the SSL.

g1smd

12:37 pm on Dec 10, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Often it is easier to have the cert on a subdomain, as then you can completely avoid the risk of the main domain being indexed both as http and https URLs. You'd simply completely block https on the main site.

Bobby Maxden

9:55 pm on Dec 10, 2008 (gmt 0)

10+ Year Member



So with that in mind, are you saying that using a subdomain eliminates the possible issues incurred if someone uses absolute URLs hard-coded instead of HTTPS to HTTP redirection?

Bobby Maxden

8:31 pm on Dec 11, 2008 (gmt 0)

10+ Year Member



help?

jdMorgan

9:04 pm on Dec 11, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



No, only that you'd have your main domain as non-SSL and the subdomain as SSL.

Really, this all boils down to how you define the SSL and non-SSL portions of your site -- By (sub)domain (for example, all SSL in "shop.example.com"), or by URL-path in the main domain (for example, all SSL in a "/shop" subdirectory). Having a 'clean' and clear way of looking at the requested URL and deciding whether the request should be SSL or non-SSL so you can redirect it if the request is 'wrong' in either case makes life a whole lot easier.

Jim

Bobby Maxden

3:02 am on Dec 12, 2008 (gmt 0)

10+ Year Member



I got it, thanks Jim

Suppose I'll stick with store.site.com for now and look at redirecting only where necessary. Like if someone types www.store.site.com I'll redirect to store.site.com because it's the URL that is protected.

[edited by: Bobby_Maxden at 3:08 am (utc) on Dec. 12, 2008]

jdMorgan

3:24 am on Dec 12, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



OK, but think more in terms of redirecting whenever necessary, instead. It's a subtle difference, but a difference... Redirect if the domain is not *exactly* "store.site.com" or if it is accessed using http instead of https, or if there is anything non-canonical about the URL.

The purpose is two-fold: To be sure your certificate will validate, and to avoid duplicate-content problems. Any given unique 'page' on your site should be accessible by one and only one URL; any change in the URL (or the appended query string) whatsoever --no matter how minor-- should result in either a 404-Not Found or 301-Moved Permanently response from your server.

Jim
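
The redirect rule described in the post above, written as mod_rewrite directives. This is an added example, not code posted by anyone in the thread; it assumes Apache with mod_rewrite and mod_ssl, and that store.site.com is the only name on the certificate.

```apache
# Added example (not from the thread): canonicalise every request to
# https://store.site.com/... with a single 301.
RewriteEngine On

# Redirect when the request did not arrive over SSL ...
RewriteCond %{HTTPS} !=on [OR]
# ... or when the Host header is not exactly "store.site.com".
# An explicit ":443" is tolerated; www.store.site.com, a trailing dot,
# upper-case variants and any other alias are all treated as non-canonical.
RewriteCond %{HTTP_HOST} !^store\.site\.com(:443)?$

# %{REQUEST_URI} keeps the requested path, and the query string is carried
# over automatically, so the rule behaves the same in a <VirtualHost> block
# and in a .htaccess file.
RewriteRule ^ https://store.site.com%{REQUEST_URI} [R=301,L]
```

The TLS handshake completes before Apache can send any redirect, so a request to https:// on a hostname the certificate does not cover still produces a browser certificate warning first. The rule cleans up plain-http requests and alternate names that the certificate does cover.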

Bobby Maxden

9:06 pm on Dec 12, 2008 (gmt 0)

10+ Year Member



Great info, thanks

Yes, I've already run into the validation issue where I applied my cert to HTTPS.www and if someone types HTTPS it doesn't validate.