Ruwan Dissanayaka

Reputation: 315

SSL post in php

I want to communicate between two websites (Site A and B) securely, so I thought of buying an SSL certificate for both sites.

Problem is, I need to send a POST request to Site-A from Site-B.

Then Site-B should respond with a secure-key.

If I use a normal POST request in PHP to send the POST, is it correct and secure? Or is there any special way to send the request and the response back when we use SSL?

Thanks in advance.

Later Edit

Actually I will have Site B as my Web Service Site and later there will be more third party sites (like A, C, D, E.....) connecting to Site B for requesting a secure-key for communications.

Later Edit 2

If Site A sends a POST request to Site B, then how can I implement the response part in Site B (which will have the SSL)? I will have to send some data (including the secure-key) in the response.

Upvotes: 0

Views: 1300

Answers (3)

Bruno

Reputation: 122599

If you want to secure the requests against MITM attacks, servers need to prove their identities to their clients. If the connection from the browser to site A is to be secure, site A must prove its identity to the browser; and if the connection between site A and site B is to be secure, site B must prove its identity to the PHP script running in site A. (Both are rather independent.)

Proving the identity in an HTTPS connection is the role of the certificate.

If you want to secure the communication between the browser and site A, unless you have a rather limited number of users to whom you would be able to give your certificate manually, getting a certificate from a well-known CA for site A (the one directly used by the user) would be required.

If there are only a limited number of clients connecting to site B (e.g. only site A), and if you control all these parties, you could create your own CA (or use a self-signed certificate) on site B and import it explicitly as a trusted certificate in your PHP code running on site A (if you make your connection using Curl in PHP, you can set it with CURLOPT_CAINFO).

If you want site B to be used by third parties to whom it would be difficult to give your certificate manually, you would also need to get a certificate from a well-known CA. (It's also likely to be more convenient.)

What you may need to consider is authenticating site A when it connects to site B, because it's not just about preventing eavesdropping and MITM attacks, but making sure that site B gives the information to the right party. You could do this with a range of authentication/authorisation techniques on site B. This could use a client certificate from site A, but I'd suggest not using site A's certificate (but another client certificate you would make for this purpose, perhaps with your own CA), because the PHP script would need to have read access to it and its private key (it's generally better to prevent that in case the script is compromised). Other authentication techniques might be more sensible depending on the context.

Upvotes: 3
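
An added example (not code from the answer above or from the asker's sites) of the `CURLOPT_CAINFO` approach it describes, with an optional dedicated client certificate for authenticating site A. The URL, file paths, the `secure_key` field name, the JSON response format and the helper names are assumptions.

```php
<?php
declare(strict_types=1);

// Site A side: POST to site B over HTTPS, trusting only the CA (or self-signed
// certificate) in $caFile. URL, paths and field names are placeholders.
function request_secure_key(string $url, string $caFile, array $fields,
                            ?string $clientCert = null, ?string $clientKey = null): array
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // refuse plain http://
        CURLOPT_FOLLOWLOCATION => false,           // do not follow redirects to other hosts
        CURLOPT_SSL_VERIFYPEER => true,            // verify the chain against CAINFO
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host
        CURLOPT_CAINFO         => $caFile,
        CURLOPT_TIMEOUT        => 10,
    ];
    if ($clientCert !== null && $clientKey !== null) {
        // Dedicated client certificate, not site A's own server certificate.
        $opts[CURLOPT_SSLCERT] = $clientCert;
        $opts[CURLOPT_SSLKEY]  = $clientKey;
    }
    curl_setopt_array($ch, $opts);
    $body   = curl_exec($ch);
    $error  = curl_error($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);

    if ($body === false) { // TLS verification or network failure: fail closed
        throw new RuntimeException("Request to site B failed: $error");
    }
    if ($status !== 200) {
        throw new RuntimeException("Site B answered HTTP $status");
    }
    $data = json_decode($body, true);
    if (!is_array($data) || !isset($data['secure_key'])) {
        throw new RuntimeException('Unexpected response format from site B');
    }
    return $data;
}

// Site B side: the response is the body of the same HTTPS exchange, so it is
// protected by the same TLS session. Key generation here is an assumption.
function build_key_response(): string
{
    return json_encode(['secure_key' => bin2hex(random_bytes(32))]);
}
```

On site B the handler would send `Content-Type: application/json` and echo the result of `build_key_response()` after it has authenticated the caller.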

Prasanth

Reputation: 5258

You do not require an SSL certificate for your site A.

Site B alone can have an SSL certificate for secure communication. For POSTing to, and receiving data from, a secure channel is used for communication (note how communication means both request and response!).

The same secure Site B can be requested by any number of Sites.

If you have Site B POSTing stuff to other sites, then it is a different case: the other site should have SSL too!

Upvotes: 1

JvdBerg

Reputation: 21856

Posting from A to B with a URL like https://site_b.com is secure for the communication part.

However, security is much more than only communication.

Note: instead of buying a certificate, and only for communication from B to A, you could consider the SFTP protocol.

Upvotes: 1
