Although I know the basics about getting and installing web and mail server ssl certs, I haven't had to "purchase" and do it "myself" for some time. i always had someone else dealing with it.
I am wondering what you folks on the list are using on your centos web and mail servers
:-)
Are you making your own or are you purchasing them from godaddy, thawte, geotrust, verisign, others?
What is the best and the least expensive implementation that most browsers and other clients are happy with without phone calls to admins or the NOC or other problems?
Thanks for your feedback in advance.
- rh
-- Abba Communications Spokane, WA www.abbacomm.net
O/H AbbaComm.Net έγραψε:
Although I know the basics about getting and installing web and mail server ssl certs, I haven't had to "purchase" and do it "myself" for some time. i always had someone else dealing with it.
I am wondering what you folks on the list are using on your centos web and mail servers Are you making your own or are you purchasing them from godaddy, thawte, geotrust, verisign, others?
What is the best and the least expensive implementation that most browsers and other clients are happy with without phone calls to admins or the NOC or other problems?
The best for an internally controlled LAN would be a self-signed certificate for me. No need to pay for something you can manage on your own. I would only consider a paid certificate only on a huge cross-site installation where the actual cost of time, field technician visit or phonecall would balance the cost.
Whenever you have to have a public service secured by SSL you "have to" go down the road of using signed certificates from a certification authority. Having the inexperienced user face a white page saying "non-trusted site" on IE7 is a dreaded thing that drives people away.
There is also www.cacert.org for those who feel adventurus.
For a client of mine who asked for SSL secured Webmail, POP3 and SMTP for about 100 PCs, I chose self-signed certificates. I would have to go through each and every PC anyway because I am switching them from sendmail/real accounts/God knows what else (eg open telnet access, hacked root account, possible open relay) to a qmail/vpopmail/SSL secured/requiring authentication scheme.
Since the deployment PCs are all using M$ OSes and certificates can only be installed through IE, I made a "smart" move and used the same certificate for all three services. When I have to install a certificate on a PC, I just surf to the webmail site and accept/install the certificate from there. One move for all three services. However this is a single-purpose mail server, no other services requiring SSL encryption are installed.
For multiple domains I would just setup multiple IP aliases, one for each domain and run the required services on those IPs using the same above trick.
Hi Rh,
On Tue, 29 May 2007 10:19:10 -0700 UTC (5/29/2007, 12:19 PM -0500 UTC my time), AbbaComm.Net wrote:
AN> Although I know the basics about getting and installing web and mail server AN> ssl certs, I haven't had to "purchase" and do it "myself" for some time. i AN> always had someone else dealing with it.
AN> I am wondering what you folks on the list are using on your centos web and AN> mail servers
For all my certs, web, mail (IMAPS/POPS/TLS), etc., I use the free Class 1 certs from
cert.startcom.org
Their top level CA is already installed and recognized in Firefox, Safari, Konqueror, etc, just about all except IE, and then it is just a hop away to their site for a quick install of the CA for IE browsers. http://cert.startcom.org/?app=109 I have had no complaints from users.
AN> Are you making your own or are you purchasing them from godaddy, thawte, AN> geotrust, verisign, others?
Why spend money needlessly?
Are you making your own or are you purchasing them from godaddy, thawte, geotrust, verisign, others?
For internal purposes I do my own cert, but if I need it for external services I buy it from several providers. You can find out a lot of good info at: http://www.whichssl.com/
What is the best and the least expensive implementation that most browsers and other clients are happy with without phone calls to admins or the NOC or other problems?
http://www.whichssl.com/comparisons/high.html
-
AbbaComm.Net -
Gary -
Jordi Espasa Clofent -
Thanos Rizoulis