AbbaComm.Net wrote:
Although I know the basics about getting and installing web and mail server
ssl certs, I haven't had to "purchase" and do it "myself" for some time. I
always had someone else dealing with it.
I am wondering what you folks on the list are using on your centos web and
mail servers.
Are you making your own or are you purchasing them from godaddy, thawte,
geotrust, verisign, others?
What is the best and the least expensive implementation that most browsers
and other clients are happy with without phone calls to admins or the NOC or
other problems?
The best for an internally controlled LAN would be a self-signed
certificate for me. No need to pay for something you can manage on your
own. I would consider a paid certificate only on a huge cross-site
installation where the actual cost of time, field technician visit or
phonecall would balance the cost.
Whenever you have to have a public service secured by SSL you "have to"
go down the road of using signed certificates from a certification
authority. Having the inexperienced user face a white page saying
"non-trusted site" on IE7 is a dreaded thing that drives people away.
There is also www.cacert.org for those who feel adventurous.
For a client of mine who asked for SSL secured Webmail, POP3 and SMTP
for about 100 PCs, I chose self-signed certificates. I would have to go
through each and every PC anyway because I am switching them from
sendmail/real accounts/God knows what else (e.g. open telnet access,
hacked root account, possible open relay) to a qmail/vpopmail/SSL
secured/requiring authentication scheme.
Since the deployment PCs are all using M$ OSes and certificates can only
be installed through IE, I made a "smart" move and used the same
certificate for all three services.
When I have to install a certificate on a PC, I just surf to the webmail
site and accept/install the certificate from there. One move for all
three services. However this is a single-purpose mail server, no other
services requiring SSL encryption are installed.
For multiple domains I would just set up multiple IP aliases, one for
each domain and run the required services on those IPs using the same
above trick.
--
RTFM and STFW before anything bad happens
_________________________________________
Thanos Rizoulis
Electronic Computing Systems Engineer
Larissa, Greece
FreeBSD/PCBSD user
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
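
The single-certificate setup described in the reply above, as an added example that is not part of the original message: it creates one self-signed certificate, prints the SHA-256 fingerprint to compare on each PC before accepting it, and checks that the certificate files configured for every service are identical. The hostname `mail.example.test`, the file names and the function names are assumptions; `-addext` needs OpenSSL 1.1.1 or later.

```bash
#!/bin/sh
# Added example. Hostname, paths and function names are hypothetical.

# make_cert DIR HOST [DAYS]: one self-signed key/cert pair for HOST.
make_cert() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir" || return 1
    ( umask 077   # the private key must never be world-readable
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
          -days "$days" -subj "/CN=$host" \
          -addext "subjectAltName=DNS:$host" \
          -keyout "$dir/mail.key" -out "$dir/mail.crt" 2>/dev/null
    ) || return 1
    chmod 644 "$dir/mail.crt"   # the certificate itself is public
}

# fingerprint PEM: SHA-256 fingerprint of a certificate file (AA:BB:...).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_cert REF FILE...: succeed only if every FILE holds the same
# certificate as REF, i.e. all services present one certificate.
same_cert() {
    ref=$(fingerprint "$1")
    [ -n "$ref" ] || return 1
    shift
    for f in "$@"; do
        if [ "$(fingerprint "$f")" != "$ref" ]; then
            echo "MISMATCH: $f" >&2
            return 1
        fi
    done
}

# Demo in a scratch directory: the copies stand in for the certificate
# paths configured for the POP3 and SMTP daemons (constructed sample).
demo=$(mktemp -d)
if make_cert "$demo" mail.example.test; then
    cp "$demo/mail.crt" "$demo/pop3.crt"
    cp "$demo/mail.crt" "$demo/smtp.crt"
    same_cert "$demo/mail.crt" "$demo/pop3.crt" "$demo/smtp.crt" &&
        echo "Fingerprint to check on each PC: $(fingerprint "$demo/mail.crt")"
fi
rm -rf "$demo"
```

Comparing the printed fingerprint with the one shown in the browser's certificate dialog is what makes accepting a self-signed certificate on each PC meaningful.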