Hi all,

This question may be slightly OT for this list, but it does concern securing services on my FreeBSD servers :-)

At the moment I have some existing (self-signed) SSL certs for Dovecot, Exim and Apache. It's mostly only me that uses them for now, but I'm planning on expanding that, so want to try and do things "right".

My real question is, should I have a separate SSL certificate for each service, or can I just use one for all of them?

Also, at the moment, the Dovecot cert is for "*.netinertia.co.uk", but it can be accessed as either mail.netinertia.co.uk, imap.netinertia.co.uk or pop.netinertia.co.uk. Is this right, or should I just pick one (probably mail) to be the "official" name? (Similarly, Exim has its certificate set to mail.netinertia.co.uk, but can be accessed as smtp.netinertia.co.uk.)

I was thinking of just creating one wildcard certificate and using it for all the above services, but I don't know if this is actually the proper way of doing things!

Cheers,
James

PS - Once I've worked out how exactly I'm supposed to be doing this, I'll probably get some "officially" signed certs. I hear CACert are a good, free way of doing this. Anyone got any comments on that?
Hi James,

I would advise against using wildcard certificates. There certainly are situations where this might be adequate, but I'm in favor of a single server certificate for each service that uses a different (virtual) host. Thus, I have created several certificates for Apache SSL hosts plus certificates for mail serving, etc.

One point might be: If someone manages to set up a host in the namespace of the wildcard certificate and presents the cert once the host is accessed, it looks like you have accredited that specific host since you probably signed that wildcard cert.

Whether you use single certs for pop.netinertia.co.uk, imap.netinertia.co.uk etc. or one generic name for all services related to your mail -- that's a matter of taste, I guess. In any case, I wouldn't stick with wildcards.

> PS - Once I've worked out how exactly I'm supposed to be doing this,
> I'll probably get some "officially" signed certs. I hear CACert are a
> good, free way of doing this. Anyone got any comments on that?

The problem with self-signed certs is just that they usually aren't trustworthy, as you may have noticed. I'd say the same thing applies to certificates signed by a CA that does not do a "real" verification of the requesting person, by which I mean that you probably don't need to go somewhere and show some official ID to prove that you are in fact you. The problem with fraud is misplaced trust. And people (read: those who decide which CA certs to include in a product by default) tend to put stronger trust in something that requires money for someone to vouch for you.

On the other hand, I haven't had any bad experience with the following approach: I created my own CA and have used it to sign my certs. I've instructed all of my users how to import and trust that CA cert and we're done. You only need to do this once to get any cert signed by that CA accepted from that point on.

Clemens
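The private-CA approach Clemens describes, worked through with openssl as an added example (this is not code from the thread or from any of the posters). It creates a CA whose single cert is what users import, then issues one end-entity cert for the mail host that lists mail, imap, pop and smtp explicitly as subject alternative names instead of a wildcard, which goes a step beyond the thread's "one generic name for all mail services". It assumes openssl on PATH and POSIX sh; the CA name, the scratch directory and other.netinertia.co.uk are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: openssl on PATH, POSIX sh.
# "Example Private CA" and the scratch directory are constructed values.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Create the private CA: a self-signed cert with an explicit CA:TRUE
# constraint. This is the single cert your users import and trust.
make_private_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -days 3650 -sha256 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# issue_service_cert NAME [ALT_NAME...]: one end-entity cert for a service,
# naming exactly the hosts it answers as (no wildcard), signed by the CA.
issue_service_cert() {
  name="$1"; shift
  sans="DNS:$name"
  for alt in "$@"; do sans="$sans,DNS:$alt"; done
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  # End-entity only: cannot itself sign certs, server use only, explicit names.
  printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$sans" > "$WORK/$name.ext"
  openssl x509 -req -days 825 -sha256 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# verify_host CERT_NAME HOSTNAME: succeeds only if the cert chains to our CA
# and is valid for HOSTNAME, which is what a correctly configured client checks.
verify_host() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" \
    "$WORK/$1.crt" >/dev/null 2>&1
}

# Usage: one mail cert covering the names from the thread, then check that a
# host outside that list is rejected (a wildcard would have accepted it).
# make_private_ca
# issue_service_cert mail.netinertia.co.uk imap.netinertia.co.uk \
#   pop.netinertia.co.uk smtp.netinertia.co.uk
# verify_host mail.netinertia.co.uk pop.netinertia.co.uk     # exit status 0
# verify_host mail.netinertia.co.uk other.netinertia.co.uk   # exit status 1
```

The CA key in $WORK/ca.key is the whole trust anchor for your users, so keep it off the servers that present the service certs.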
On Mon, 2006-May-15 23:53:03 +0100, James O'Gorman wrote:

> PS - Once I've worked out how exactly I'm supposed to be doing this,
> I'll probably get some "officially" signed certs. I hear CACert are a
> good, free way of doing this. Anyone got any comments on that?

I've gone through the CAcert assurance process and it seems to work, though a lot depends on your access to other assurers. Note that the CAcert certificates are now part of ports/security/ca-roots, though the issue of bootstrapping remains (how do you know that your roots file is genuine).

-- 
Peter Jeremy