Did your client pay for their own individual cert with their site name on it? You generally need a static IP for that.
It sounds like they are using the shared IP and shared cert, so the call url for that would be something along the lines of [secure.servername.net...] - insert your own info. To use the shared IP/cert you need to ask your host what the URL for the secure pages will be. It will NOT be [your...] site.com. As stated before, you would need a static IP and to purchase/install a separate cert for it to run under your own site name.

Yes, he purchased his own cert. His hosting company said he needed to purchase it for what we want to do, but didn't bother mentioning that he would also need a static IP to use an individual cert.

We should be able to use the shared IP/cert to get the job done. The URL doesn't HAVE to be the site URL since this is only for one page. So basically I should call the hosting company and ask about their shared cert and what URL to use for the shared cert? It sounds like all I need is the URL for the shared cert.

Yes, but you say he paid for his OWN cert. A shared cert is purchased by an ISP and installed on the company's servers. It will identify the SSL area as the ISP/company, not the domain. A domain's cert applies to a domain.

Some people say you don't need a static IP if the host company has a shared SSL certificate you can use.

But that shared cert WILL have an IP address bound to it, it just won't be dedicated to your client's domain.

The whole idea of a cert is 1) positive identification of the company to the end user (they are who they say they are) and 2) encryption of the data coming in and out over HTTPS. So using a shared cert identifies the SSL area as "ISP of the domain holder" as opposed to "Domain Holder" for a properly installed SSL cert.

Here's a further complication of a shared cert.

Generally you have FTP access to a domain for uploading files, right? It's likely the physical directory for the area protected by the shared certificate will have a separate login, maybe even on a physically different machine. So now you'll have two places to update files, one for the domain owner, and one for the SSL area that is designated as your "secure area." If you have any programs that say, update a database on your site, this can really complicate things, especially if your ip address is dynamic. For example, if your mysql host is "localhost," you'll have some challenges accessing the database from your secure area. Easily worked through, but one more thing to tackle.

So yes, the client should have a dedicated IP for the cert, and the cert is bound to that IP, something stinks of "corporate shenanigans" here.

Oh and welcome aboard tjay35!

something stinks of "corporate shenanigans" here

Agreed.

If you are going to use the shared cert, then all you need is the shared secure URL. Of course you will have to work through the issues rocknbil brought up; this is usually easily done especially if your host has a well set up server.

BUT, if the client bought and paid for an individual cert, then they will need a static IP. I will say that for an ecommerce store, in my opinion, it is an excellent idea security wise and much more professional to have your own dedicated IP and own cert, so that you can run the SSL under your own domain name.

If you decide to go the shared route, be sure to get your money back for the cert you bought!

Come to find out my client went ahead and obtained a static IP along with the cert. And from what everyone wrote, it sounds like the static IP is the way to go, so I'm glad they did it.

After talking with the hosting company again this morning, it sounds like I'm just waiting for them to finish setting everything up and I should be all set (hopefully). I agree with the "corporate shenanigans" comment...this company doesn't seem to be all there (at least their support department), but what the client wants, the client gets (and they wanted to use this company).

Thanks for the help and I appreciate the "welcome" rocknbil.

Welcome to WebmasterWorld tjay35.

>> corporate shenanigans

I don't agree with this statement. What I think happened has more to do with an expectation that on the part of the hosting company that those who buy their services are familiar with hosting and the nuances between shared IPs & SSLs versus dedicated. The lack of knowledge on tjay35's part meant they had to learn about this by trial and error. I think the responsibility for understanding and relating what needs to be done should lay with tjay35 since they are acting on behalf of a client. Granted they are learning but it's not entirely the hosting company's fault if the person requesting service does not know what to ask for. It sounds more like a combination of misunderstanding and lack of experience than something intentional.

When I talked with the hosting company, they didn't mention anything about needing a static IP address and went ahead and set up a certificate for my client.

Well, it certainly sounded like it at this point, selling the cert and not mentioning it required a static IP, or that this was part of the package. I've seen ISP's sell customers things they don't need many times.

They cleared it up though, so it's all good.

Forgive me for automatically thinking the worst of a web host. To be frank, several large hosts specifically market to the web illiterate - "Build a professional website in minutes, with out any web hosting experience!" - these people are at the mercy of the company and the information it provides (which is usually along the lines of 'anyone can build a web store, no knowledge needed') leading to situations like: maybe i'll ask my sister-in-law to do it, she's looked bored lately. Buyer beware, yes - but at the same time, any company that deliberately oversells or sneaks in hidden costs to people it knows to be vulnerable is acting unethically - and I've seen it many times from several different hosts. I know it's human nature, and we're all here to make a profit - but still. Sometimes it's easier to buy a car than a webhosting plan these days.

In this case, the host is NOT at fault - they did get the IP address with the cert, whether tjay35 realized it at first or not. With all of the information presented, it appears that the host did, in fact, act honestly. There are lots of great hosts out there too - I love mine!

Whether tjay should be charging someone to set up a website when he does not know the basics of hosting is a different debate. I don't know what his relationship to the client is - he could be a graphic designer or marketing guy who got a website dumped on him by a client, and agreed to do it, because hey, it looks so quick and easy, right? I don't know.

And now I'm totally off topic...and just an opinionated lurker anyway. Don't mind me. :)