SSL Certificate

I have a mail server running and I want to buy an SSL certificate as they are pretty cheap now. I use mail.domain.com as reverse DNS; POP3 and SMTP clients use mail.domain.com (some use pop3.domain.com and smtp.domain.com) for sending and receiving e-mails. The SSL submission form asks me for a domain - is it mail.domain.com or domain.com, as I do not have a wildcard SSL? I just want to use it for mail.

Or is it possible to use it for both by using domain.com? (Apache and Postfix/Courier on the same server and IP)

You need to force all clients to start using mail.domain.com, or get a wildcard SSL cert. Since this will be a new process, you can just deprecate pop3. & smtp. when you create instructions to switch to SSL for various clients. A non-wildcard cert will only work for the exact domain it's given for, no shortening or substitutions.

Might help to audit logs and send a message to people once a month after you implement it. Won't get everyone, but most people at least call someone over the third or fourth time they see a message to figure out what they're ignoring. :p

  • 3
    • Sure, just make sure that the cert is set for both mail and website. (Every cert contains a list of uses it's valid for.) However, www.domain.com would cause web clients to see an error, because the SSL negotiation takes place way before apache redirect or any other way to remove the www, so you can't really 'force' domain.com without removing any links to subdomains out on the web.
    • +1, when the SSL Cert request form is asking for the domain, they mean Subject Name (or SN), it should be exactly what the clients will be typing in (mail.domain.com for example). You can use domain.com if DNS is properly setup to work that way. Some CAs will allow you to have a SAN (subject alternate name, a second SN basically) on the same cert; check with the CA you're buying from and make sure you fully understand what you're buying before getting it.
    • Chris S, I want to buy "Thawte SSL 123 Certificate 256 Bit - domain validated". Will Outlook/Thunderbird complain that this certificate is just domain-validated? | Any good CA you can suggest?

Well, you can share a cert between all different services as long as they run on different ports, so apache/postfix/courier could all be on the same hostname. If you use just domain.com for all services you should be fine. As for getting a non-expensive wildcard cert, check out startssl.com. If there are no notaries in your area, you can become one yourself somewhat painlessly and for the price of $25. After that you can make wildcard domains for your own domains for free.

  • 1
    • +1 for startssl.com. Have been using their services for three years now and have had nothing but positive experiences. They charge very little, especially compared to others, and only for validation (once a year), not for certificates themselves. The FAQ is a good read. Also the StartSSL root CA certificate has been included in Mozilla software (Firefox, Thunderbird) and Debian/Ubuntu for quite some time now.
    • Many use Outlook and complain about an invalid certificate! By the way, does it matter to Outlook if the domain is Address- or just Domain-Validated?

A possible alternative to a complete wildcard cert is a cert with a SAN (http://en.wikipedia.org/wiki/Subject_Alternative_Name). When I renewed a web site cert this year I noticed they automatically included the domain.com name in addition to the www.domain.com name (thanks EasyDNS).

Perhaps your SSL cert provider can give you a mail.domain.com cert that also includes domain.com? I would certainly ask.

  • 0
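To make the "exact name only" point from the first answer and the SAN/wildcard options from the comments and the last answer concrete, here is an added example (not from any poster) that applies the usual client-side hostname-matching rules (RFC 6125: SAN dNSName entries are preferred over the CN, and a wildcard covers only one left-most label, never the bare domain) to the hostnames in this thread. The cert layouts and the `ssl.getpeercert()`-shaped dicts are constructed for illustration.

```python
import ssl  # only so the dict layout below mirrors ssl.getpeercert(); no network is used


def hostname_matches(presented: str, hostname: str) -> bool:
    """Does one name from the cert (CN or SAN dNSName) cover this hostname?"""
    presented, hostname = presented.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname            # plain name: exact match only
    p, h = presented.split("."), hostname.split(".")
    # Wildcard must be the whole left-most label, with at least two labels after it
    # (so "*.com" is rejected), and it never spans more than one label.
    if p[0] != "*" or len(p) < 3 or any("*" in x for x in p[1:]) or len(h) != len(p):
        return False
    return p[1:] == h[1:]


def names_from_peercert(cert: dict) -> list:
    """Names a client checks, taken from a dict shaped like ssl.getpeercert()."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans                              # SAN present: CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def coverage(cert: dict, client_hostnames: list) -> dict:
    """Map each hostname clients type in to whether the cert would be accepted for it."""
    names = names_from_peercert(cert)
    return {h: any(hostname_matches(n, h) for n in names) for h in client_hostnames}


# Constructed certs for the three options discussed in the thread.
CERTS = {
    "single-name": {"subject": ((("commonName", "mail.domain.com"),),)},
    "san":         {"subject": ((("commonName", "mail.domain.com"),),),
                    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "domain.com"))},
    "wildcard":    {"subject": ((("commonName", "*.domain.com"),),)},
}
CLIENT_NAMES = ["mail.domain.com", "pop3.domain.com", "smtp.domain.com",
                "domain.com", "www.domain.com"]

if __name__ == "__main__":
    for label, cert in CERTS.items():
        print(label, coverage(cert, CLIENT_NAMES))
```

Note that the wildcard row shows why "*.domain.com" alone still fails for the bare domain.com, so the wildcard and SAN approaches are usually combined when one cert must serve the web site and the mail hostnames.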