[CentOS] business ssl certs for centos www and/or email servers
Thanos Rizoulis
apatewna at hol.gr
Wed May 30 18:16:14 UTC 2007
AbbaComm.Net wrote:
> Although I know the basics about getting and installing web and mail server
> ssl certs, I haven't had to "purchase" and do it "myself" for some time. I
> always had someone else dealing with it.
>
> I am wondering what you folks on the list are using on your centos web and
> mail servers
> Are you making your own or are you purchasing them from godaddy, thawte,
> geotrust, verisign, others?
>
> What is the best and the least expensive implementation that most browsers
> and other clients are happy with without phone calls to admins or the NOC or
> other problems?

The best for an internally controlled LAN would be a self-signed
certificate for me. No need to pay for something you can manage on your
own. I would consider a paid certificate only on a huge cross-site
installation where the actual cost of time, field technician visit or
phone call would balance the cost.

Whenever you have to have a public service secured by SSL you "have to"
go down the road of using signed certificates from a certification
authority. Having the inexperienced user face a white page saying
"non-trusted site" on IE7 is a dreaded thing that drives people away.

There is also www.cacert.org for those who feel adventurous.

For a client of mine who asked for SSL secured Webmail, POP3 and SMTP
for about 100 PCs, I chose self-signed certificates. I would have to go
through each and every PC anyway because I am switching them from
sendmail/real accounts/God knows what else (e.g. open telnet access,
hacked root account, possible open relay) to a qmail/vpopmail/SSL
secured/requiring authentication scheme.

Since the deployment PCs are all using M$ OSes and certificates can only
be installed through IE, I made a "smart" move and used the same
certificate for all three services.

When I have to install a certificate on a PC, I just surf to the webmail
site and accept/install the certificate from there. One move for all
three services. However this is a single-purpose mail server, no other
services requiring SSL encryption are installed.

For multiple domains I would just set up multiple IP aliases, one for
each domain and run the required services on those IPs using the same
above trick.

--
RTFM and STFW before anything bad happens
_________________________________________
Thanos Rizoulis
Electronic Computing Systems Engineer
Larissa, Greece
FreeBSD/PCBSD user