SSL for admin internal website

Question

We have an website which is used to administrate users. There is one payment section on this website which we use to make payments for our clients with their CC. I would like to secure this section by using HTTPS. So the goal is to make the connection secure.

What type of certificate should we use? Is https://www.openssl.org/ a good solution for this? Any other option? Do we need an dedicated IP for this domain?

Answer 1

Creating all of the certificates on your own will not instill confidence. If credit cards are involved, you should probably work with a well-known Certificate Authority in order to provide a trustworthy, signed certificate.

Otherwise, your customers will get warnings and errors telling them not to trust your service!

Most Certificate Authorities have tutorials on how to purchase their SSL products and use them to get a certificate for your site. Here is an example product from Symantec.

SSL (the 'S' in HTTPS) does not generally place any restrictions on how your IPs work. The SSL certificates are often issued to domains and/or hostnames. If the certificate is issued to "payments.mysite.com" it will theoretically work for any server that the DNS server resolves for "payments.mysite.com"

Answer 2

Self-signed SSL certificates are just as good/safe/secure as SSL certificates from trusted suppliers. But they have a down-side in that unless they are installed on the users machine the browser will give warnings, and/or not go to the page with the certificate without explicit approval from the user (Chrome does this).

So IF you are able to distribute the SSL to the users, or they are able to install it them selves, or they are willing to ignore warnings, then a self-signed certificate is a good choice. If these are not options you have then you need a trusted SSL certificate.

EDIT: If you need a dedicated IP is dependent on how you resolve the address to the site (dns?).