AbbaComm.Net wrote:
Although I know the basics about getting and installing web and mail server SSL certs, I haven't had to "purchase" and do it "myself" for some time. I always had someone else dealing with it.
I am wondering what you folks on the list are using on your CentOS web and mail servers. Are you making your own or are you purchasing them from GoDaddy, Thawte, GeoTrust, VeriSign, others?
What is the best and the least expensive implementation that most browsers and other clients are happy with without phone calls to admins or the NOC or other problems?
The best for an internally controlled LAN would be a self-signed certificate for me. No need to pay for something you can manage on your own. I would only consider a paid certificate on a huge cross-site installation where the actual cost of time, field technician visit or phone call would balance the cost.
Whenever you have to have a public service secured by SSL you "have to" go down the road of using signed certificates from a certification authority. Having the inexperienced user face a white page saying "non-trusted site" on IE7 is a dreaded thing that drives people away.
There is also www.cacert.org for those who feel adventurous.
For a client of mine who asked for SSL secured Webmail, POP3 and SMTP for about 100 PCs, I chose self-signed certificates. I would have to go through each and every PC anyway because I am switching them from sendmail/real accounts/God knows what else (e.g. open telnet access, hacked root account, possible open relay) to a qmail/vpopmail/SSL secured/requiring authentication scheme.
Since the deployment PCs are all using M$ OSes and certificates can only be installed through IE, I made a "smart" move and used the same certificate for all three services. When I have to install a certificate on a PC, I just surf to the webmail site and accept/install the certificate from there. One move for all three services. However this is a single-purpose mail server, no other services requiring SSL encryption are installed.
For multiple domains I would just set up multiple IP aliases, one for each domain, and run the required services on those IPs using the same trick as above.
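The "one certificate for all three services" setup from the post above, as an added example that is not part of the original thread: a self-signed certificate whose Subject Alternative Names cover the webmail, POP3 and SMTP hostnames, followed by OpenSSL's own hostname check to confirm each name is accepted before the file is handed to the three daemons. The hostnames under example.test are constructed placeholders; the script assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not from the original thread): one self-signed certificate
# covering the webmail, POP3 and SMTP names, so the same key/cert pair can be
# loaded by all three services. Hostnames are constructed placeholders.
set -eu

WORK=$(mktemp -d)
HOSTS="webmail.example.test pop3.example.test smtp.example.test"

# Build the SAN extension value from the hostnames: "DNS:a,DNS:b,..."
san_list() {
    list=""
    for h in $HOSTS; do
        list="${list:+$list,}DNS:$h"
    done
    printf '%s' "$list"
}

# Generate a private key and a self-signed certificate in one step.
# The CN is only the first host; modern clients look at the SAN entries,
# so every service name must appear there or that client will warn.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 730 \
        -keyout "$WORK/mail.key" -out "$WORK/mail.crt" \
        -subj "/CN=${HOSTS%% *}" \
        -addext "subjectAltName=$(san_list)" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
    chmod 600 "$WORK/mail.key"   # the private key must not be world-readable
}

# Return 0 when OpenSSL's hostname matching accepts the cert for name $1.
cert_matches_host() {
    openssl x509 -in "$WORK/mail.crt" -noout -checkhost "$1" | grep -q ' does match'
}

make_cert
for h in $HOSTS other.example.test; do
    if cert_matches_host "$h"; then echo "OK       $h"; else echo "NO MATCH $h"; fi
done
```

The last line of output shows what a client sees for a name the certificate does not cover: the same warning the post describes, which is why every hostname the three services answer to belongs in the SAN list.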