AbbaComm.Net
2007-May-29 17:19 UTC
[CentOS] business ssl certs for centos www and/or email servers
Although I know the basics about getting and installing web and mail server ssl certs, I haven't had to "purchase" and do it "myself" for some time. I always had someone else dealing with it.

I am wondering what you folks on the list are using on your centos web and mail servers :-)

Are you making your own or are you purchasing them from godaddy, thawte, geotrust, verisign, others?

What is the best and the least expensive implementation that most browsers and other clients are happy with without phone calls to admins or the NOC or other problems?

Thanks for your feedback in advance.

- rh

--
Abba Communications
Spokane, WA
www.abbacomm.net
Thanos Rizoulis
2007-May-30 18:16 UTC
[CentOS] business ssl certs for centos www and/or email servers
AbbaComm.Net wrote:
> Although I know the basics about getting and installing web and mail server
> ssl certs, I haven't had to "purchase" and do it "myself" for some time. i
> always had someone else dealing with it.
>
> I am wondering what you folks on the list are using on your centos web and
> mail servers
> Are you making your own or are you purchasing them from godaddy, thawte,
> geotrust, verisign, others?
>
> What is the best and the least expensive implementation that most browsers
> and other clients are happy with without phone calls to admins or the NOC or
> other problems?

The best for an internally controlled LAN would be a self-signed certificate for me. No need to pay for something you can manage on your own. I would consider a paid certificate only on a huge cross-site installation where the actual cost of time, field technician visit or phone call would balance the cost.

Whenever you have to have a public service secured by SSL you "have to" go down the road of using signed certificates from a certification authority. Having the inexperienced user face a white page saying "non-trusted site" on IE7 is a dreaded thing that drives people away. There is also www.cacert.org for those who feel adventurous.

For a client of mine who asked for SSL secured Webmail, POP3 and SMTP for about 100 PCs, I chose self-signed certificates. I would have to go through each and every PC anyway because I am switching them from sendmail/real accounts/God knows what else (e.g. open telnet access, hacked root account, possible open relay) to a qmail/vpopmail/SSL secured/requiring authentication scheme.

Since the deployment PCs are all using M$ OSes and certificates can only be installed through IE, I made a "smart" move and used the same certificate for all three services. When I have to install a certificate on a PC, I just surf to the webmail site and accept/install the certificate from there. One move for all three services.

However this is a single-purpose mail server, no other services requiring SSL encryption are installed. For multiple domains I would just set up multiple IP aliases, one for each domain, and run the required services on those IPs using the same above trick.

--
RTFM and STFW before anything bad happens
_________________________________________
Thanos Rizoulis
Electronic Computing Systems Engineer
Larissa, Greece
FreeBSD/PCBSD user
Gary
2007-May-30 18:38 UTC
[CentOS] business ssl certs for centos www and/or email servers
Hi Rh,

On Tue, 29 May 2007 10:19:10 -0700 UTC (5/29/2007, 12:19 PM -0500 UTC my time), AbbaComm.Net wrote:

AN> Although I know the basics about getting and installing web and mail server
AN> ssl certs, I haven't had to "purchase" and do it "myself" for some time. i
AN> always had someone else dealing with it.

AN> I am wondering what you folks on the list are using on your centos web and
AN> mail servers

For all my certs, web, mail (IMAPS/POPS/TLS), etc., I use the free Class 1 certs from cert.startcom.org. Their top level CA is already installed and recognized in Firefox, Safari, Konqueror, etc, just about all except IE, and then it is just a hop away to their site for a quick install of the CA for IE browsers.

<http://cert.startcom.org/?app=109>

I have had no complaints from users.

AN> Are you making your own or are you purchasing them from godaddy, thawte,
AN> geotrust, verisign, others?

Why spend money needlessly?

--
Gary
Jordi Espasa Clofent
2007-Jun-01 16:27 UTC
[CentOS] business ssl certs for centos www and/or email servers
> Are you making your own or are you purchasing them from godaddy, thawte,
> geotrust, verisign, others?

For internal purposes I do my own cert, but if I need it for external services I buy it from several providers. You can find out a lot of good info at: http://www.whichssl.com/

> What is the best and the least expensive implementation that most browsers
> and other clients are happy with without phone calls to admins or the NOC or
> other problems?

http://www.whichssl.com/comparisons/high.html

--
Thanks,
Jordi Espasa Clofent