I was recently buying a SSL certificate and remembered being on a website where some HTTPS pages had a WWW host in the url and other HTTPS pages didn't have the WWW prefix. I vaguely remember from when I last bought a SSL certificate, you would normally indicate the host name you are buying the SSL certificate for -- whether it be www.example.com, secure.example.com, members.example.com. And the SSL certificate would only be valid for that exact host.
There's also wildcard SSL certificates that cover all hosts. These certificates are a lot more expensive. Wildcard certs cover secure.example.com, www.example.com, anything.example.com. Interestingly, it appears SSL certificates do not necessarily cover cases where you have no host -- i.e. example.com. An example of this is the customer login page at the hosting company where I have this blog hosted. If you examine the certificate, it looks like it uses a wildcard certificate as the common name is *.webcontrolcenter.com. However, if you remove the WWW from the url, my browser (Firefox) warns of an invalid security certificate. What a sour deal ... you spend the extra money for a wildcard certificate and it doesn't even work when there's no host name! I'd suspect that may not be the case with all wildcard certificates ... it probably depends on who you buy the certificate from.
In my case, I didn't need a wildcard security certificate, but I was hoping I could cover both www.example.com and example.com. One option would be to buy two separate SSL certs, one for www.example.com and one for example.com. Fortunately a few SSL certificate sellers cover both WWW and no host in a single certificate as a standard feature. GoDaddy was one of the two places I found that offered this. I didn't search around that much though. GoDaddy's SSL certificate is dirt cheap at just $30. What a great deal considering how expensive SSL certs once were.
GoDaddy briefly explains this feature in this help topic. What I wasn't sure about was when creating the CSR that you submit to the SSL certificate seller, I wasn't sure if I should put www.example.com or example.com for the common name (CN) field in the CSR. The website I had previously seen where HTTPS worked with and without WWW was using a GoDaddy SSL cert and the common name on the cert was just example.com without the WWW. And then I ran across this post where the blogger discussed this feature of the GoDaddy SSL certificates, and towards the end of his post, he says,
Therefore, to summarize the solutions, I can say that you can use a wildcard certificate or issue two separate certificates that both cost money and may not be a good option for many cases. You can also look for a SSL certificate issuer that automatically includes the base domain name when you generate one for the domain name with "WWW."
This last part sounds like you would generate a SSL certificate with www.example.com as the common name -- not example.com. But, when I examined his SSL certificate, the common name doesn't have the WWW! Anyhow, I decided to include WWW in my common name field, sent the CSR to GoDaddy, received the certificate, installed it, and the good news is my site works both with and without the WWW. Looking at the certificate fields when examining these SSL certificates from GoDaddy, of the ones I've seen, they all have a field named "Certificate Subject Alt Name" where the field value is:
Not Critical
DNS Name: example.com
DNS Name: www.example.com
This may be the field that tells the browser the certificate is valid with or without the WWW. In summary, it appears you can probably put either www.example.com or example.com in the common name (CN) field of the CSR when purchasing the SSL certificate from GoDaddy. I included the WWW in my common name, and the certificate is valid with and without the WWW host.