[CentOS] Certificates
Pete Biggs
pete at biggs.org.uk
Sat Sep 1 10:51:48 UTC 2018
>
> And for other services like IMAP, SMTP, LDAP (maybe not LDAP) constant
> changing certs even with a long lived root may get old for your customers.
Why? I have corporate systems on 2 year commercial CA signed
certificates and personal servers on 90 day LetsEncrypt ones - my users
of IMAP and SMTP have never ever noticed when I changed the
certificates on any device. The certificates all have trusted CAs so
the clients trust them without any interaction. Even I don't notice
when certbot renews my certificates.
>
> Unfortunately, there has never been an effective business model for
> small customers.
The problem is one of trust - in the past even significant CAs have had
their signing keys leaked, so it's difficult for the root CAs to trust
a company who deals with SMEs with cut price signing (the
infrastructure has a significant cost, so they must be cutting corners
somewhere!).
That was until LetsEncrypt came along - it has the backing of some big
names and *IS* an effective business model for small and private
customers.
P.