AbbaComm.Net wrote:

> Although I know the basics about getting and installing web and mail server
> SSL certs, I haven't had to "purchase" and do it "myself" for some time. I
> always had someone else dealing with it.
>
> I am wondering what you folks on the list are using on your CentOS web and
> mail servers.
> Are you making your own or are you purchasing them from GoDaddy, Thawte,
> GeoTrust, VeriSign, others?
>
> What is the best and the least expensive implementation that most browsers
> and other clients are happy with without phone calls to admins or the NOC or
> other problems?

The best for an internally controlled LAN would be a self-signed certificate for me. No need to pay for something you can manage on your own. I would only consider a paid certificate on a huge cross-site installation where the actual cost of time, field technician visits or phone calls would balance the cost.

Whenever you have to have a public service secured by SSL you "have to" go down the road of using signed certificates from a certification authority. Having the inexperienced user face a white page saying "non-trusted site" on IE7 is a dreaded thing that drives people away. There is also www.cacert.org for those who feel adventurous.

For a client of mine who asked for SSL secured Webmail, POP3 and SMTP for about 100 PCs, I chose self-signed certificates. I would have to go through each and every PC anyway because I am switching them from sendmail/real accounts/God knows what else (e.g. open telnet access, hacked root account, possible open relay) to a qmail/vpopmail/SSL secured/requiring authentication scheme. Since the deployment PCs are all using M$ OSes and certificates can only be installed through IE, I made a "smart" move and used the same certificate for all three services. When I have to install a certificate on a PC, I just surf to the webmail site and accept/install the certificate from there. One move for all three services.

However this is a single-purpose mail server, no other services requiring SSL encryption are installed. For multiple domains I would just set up multiple IP aliases, one for each domain, and run the required services on those IPs using the same trick above.

--
RTFM and STFW before anything bad happens
_________________________________________
Thanos Rizoulis
Electronic Computing Systems Engineer
Larissa, Greece
FreeBSD/PCBSD user
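As an added example, not code from this thread or its author: a shell script that builds the kind of single self-signed certificate the reply describes, listing the webmail, POP3 and SMTP hostnames in subjectAltName so one trust decision on a PC covers all three services, together with the checks an admin would run before handing the certificate to the daemons. The example.com hostnames are constructed placeholders; the script assumes the `openssl` command is installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds one self-signed certificate
# naming the webmail, POP3 and SMTP hosts (constructed example.com names in
# the test) so a client that installs it once trusts all three services.

# make_self_signed_cert OUTDIR PRIMARY_HOST [EXTRA_HOST...]
# Writes OUTDIR/key.pem and OUTDIR/cert.pem. Every host goes into
# subjectAltName, which is the field clients match the hostname against;
# the CN alone is not enough for current browsers and mail clients.
make_self_signed_cert() {
    outdir=$1; primary=$2; shift 2
    sans="DNS:$primary"
    for h in "$@"; do sans="$sans,DNS:$h"; done
    mkdir -p "$outdir"
    # A config file rather than -addext, so this also works on older OpenSSL.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $primary
[v3_san]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $sans
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$outdir/san.cnf" \
        -keyout "$outdir/key.pem" -out "$outdir/cert.pem" 2>/dev/null
    chmod 600 "$outdir/key.pem"   # one private key is shared by all three daemons
}

# cert_covers_host CERT HOST: succeeds only if HOST is listed in subjectAltName.
# Run it for each service hostname before pointing a daemon at the cert.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# is_self_signed CERT: issuer equals subject, i.e. no CA vouches for it and
# every client must be told to trust it explicitly (the per-PC step above).
is_self_signed() {
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
}
```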