[CentOS] business ssl certs for centos www and/or email servers

Wed May 30 18:16:14 UTC 2007
Thanos Rizoulis <apatewna at hol.gr>

AbbaComm.Net wrote:
> Although I know the basics about getting and installing web and mail server
> ssl certs, I haven't had to "purchase" and do it "myself" for some time. i
> always had someone else dealing with it.
> 
> I am wondering what you folks on the list are using on your centos web and
> mail servers
> Are you making your own or are you purchasing them from godaddy, thawte,
> geotrust, verisign, others?
> 
> What is the best and the least expensive implementation that most browsers
> and other clients are happy with without phone calls to admins or the NOC or
> other problems?

The best for an internally controlled LAN would be a self-signed 
certificate for me. No need to pay for something you can manage on your 
own. I would only consider a paid certificate on a huge cross-site 
installation where the actual cost of time, field technician visits or 
phone calls would balance the cost.

Whenever you have to have a public service secured by SSL you "have to" 
go down the road of using signed certificates from a certification 
authority. Having the inexperienced user face a white page saying 
"non-trusted site" on IE7 is a dreaded thing that drives people away.

There is also www.cacert.org for those who feel adventurous.

For a client of mine who asked for SSL secured Webmail, POP3 and SMTP 
for about 100 PCs, I chose self-signed certificates. I would have to go 
through each and every PC anyway because I am switching them from 
sendmail/real accounts/God knows what else (e.g. open telnet access, 
hacked root account, possible open relay) to a qmail/vpopmail/SSL 
secured/requiring authentication scheme.

Since the deployment PCs are all using M$ OSes and certificates can only 
be installed through IE, I made a "smart" move and used the same 
certificate for all three services.
When I have to install a certificate on a PC, I just surf to the webmail 
site and accept/install the certificate from there. One move for all 
three services. However this is a single-purpose mail server, no other 
services requiring SSL encryption are installed.

For multiple domains I would just set up multiple IP aliases, one for 
each domain and run the required services on those IPs using the same 
above trick.

-- 
RTFM and STFW before anything bad happens
_________________________________________
Thanos Rizoulis
Electronic Computing Systems Engineer
Larissa, Greece
FreeBSD/PCBSD user
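The "one certificate for Webmail, POP3 and SMTP" setup described in the post, as an added shell example (not code from the original message or from the poster): it generates a single self-signed certificate whose subjectAltName lists every hostname the three services are reached under, checks which names the certificate covers (clients compare the name they connected to against the certificate, so a name missing from it still produces the "untrusted" warning), and prints the fingerprint the user should compare before accepting the certificate in the browser. It goes beyond the post in using several hostnames rather than one. The hostnames (mail/webmail/pop3/smtp.example.com), the working directory and the 825-day lifetime are assumptions made for this example; only openssl is required.

```shell
#!/bin/sh
# Added example, not from the original post. Builds one self-signed
# certificate for a single-purpose mail server and verifies which
# hostnames it covers. Hostnames below are assumptions for the example.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/mail.key"
CERT="$WORKDIR/mail.crt"
CNF="$WORKDIR/mail.cnf"

# Write an OpenSSL request config. The subjectAltName carries every name
# a client may connect to, so the same certificate satisfies the webmail
# site, the POP3 server and the SMTP server. A config file (rather than
# the newer -addext switch) works with old and new OpenSSL releases.
write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_mail

[ dn ]
CN = mail.example.com

[ v3_mail ]
subjectAltName   = DNS:mail.example.com, DNS:webmail.example.com, DNS:pop3.example.com, DNS:smtp.example.com
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate a 2048-bit RSA key and a self-signed certificate in one step.
# -nodes leaves the key unencrypted so daemons can start unattended;
# protect it with file permissions (0600, owned by the service user).
make_mail_cert() {
    write_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$KEY" -out "$CERT" -config "$CNF" >/dev/null 2>&1
    chmod 600 "$KEY"
}

# Return 0 if the certificate is valid for the given hostname, 1 otherwise.
# This is the same check a browser or mail client performs on connect.
cert_covers_host() {
    openssl x509 -in "$CERT" -noout -checkhost "$1" | grep -q "does match"
}

# SHA-256 fingerprint of the certificate: the value the administrator
# gives the user (or publishes) so the "untrusted certificate" prompt
# can be verified against something instead of being blindly accepted.
cert_fingerprint() {
    openssl x509 -in "$CERT" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

make_mail_cert
for h in mail.example.com webmail.example.com pop3.example.com smtp.example.com; do
    cert_covers_host "$h" && echo "covered:     $h"
done
# A name that is not in the certificate: the client would warn on this one.
cert_covers_host imap.example.com || echo "not covered: imap.example.com"
echo "fingerprint: $(cert_fingerprint)"
```

Point the web server, the POP3 daemon and the SMTP daemon at the same key and certificate files; once a user has accepted that certificate via the webmail site, the mail client sees the identical certificate (same fingerprint) on the other two ports. Adding a domain later means regenerating the certificate with the new names in the subjectAltName list and accepting it again.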