Slightly OT: SSL certs - best practice?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

This question may be slightly OT for this list, but it does concern
securing services on my FreeBSD servers :-)

At the moment I have some existing (self-signed) SSL certs for Dovecot,
Exim and Apache. It's mostly only me that uses them for now, but I'm
planning on expanding that, so want to try and do things "right".

My real question is, should I have a separate SSL certificate for each
service, or can I just use one for all of them? Also, at the moment, the
Dovecot cert is for "*.netinertia.co.uk", but it can be accessed as
either mail.netinertia.co.uk, imap.netinertia.co.uk or
pop.netinertia.co.uk. Is this right, or should I just pick one (probably
mail) to be the "official" name? (Similarly, Exim has its certificate
set to mail.netinertia.co.uk, but can be accessed as smtp.netinertia.co.uk.)

I was thinking of just creating one wildcard certificate and using it
for all the above services, but I don't know if this is actually the
proper way of doing things!

Cheers,

James

PS - Once I've worked out how exactly I'm supposed to be doing this,
I'll probably get some "officially" signed certs. I hear CACert are a
good, free way of doing this. Anyone got any comments on that?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iQEVAwUBRGkGT/8Z3wLA10m9AQLt3wf/RBAvhZ/B+t0L4XFqf3Jds44esvdDAhVw
Mvv1Qp9AfwnHImH/cAQpWAihcyK3dIs9KgOtpBsOxbBgPiJUX508Apn4e9IiCC/S
xh/OjqpdjnqyMc3r4gBJbMwn0DUXqd+E9wiod53RCxCqysedMxY76SrnUu0pkl7J
56p6xav6BWHZGWnFTdEo5u+W0BJTNe1KKm/zXwZ8a23ujIzhMwpzAw/Odf09obdz
/hfZ+C5e7OrGgFnDTbwLQkWSi4e3DGNnsWQ6aP2N4jvmze32wqIxo5UbHM3aeBPs
LOVCz/bUkR6cgDKnBt3FqYzxxq54JK48EB5qvrRD7BZlRZDii28t5w==
=rUCj
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
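As an added example (not part of James's post or of any reply on the list): the hostname-matching rule a TLS client applies, run against the two layouts James is weighing, a single wildcard certificate versus one certificate that lists each service name. The certificates below are constructed in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames are the ones from the post, plus a couple of extra names to show where each layout stops matching. The `allow_cn_fallback` parameter and all helper names are this example's own.

```python
"""Hostname matching as a TLS client does it (RFC 6125 rules).

Added example; certificates are constructed in the dict shape that Python's
ssl.SSLSocket.getpeercert() returns. Not code from the original post.
"""
from __future__ import annotations

from typing import Iterable


def names_from_cert(cert: dict, allow_cn_fallback: bool = False) -> list[str]:
    """Return the DNS names a client matches against.

    Clients match the subjectAltName dNSName entries. The subject CN is a
    legacy fallback: OpenSSL-based checks consult it only when the cert has
    no SAN at all, and Chrome-style clients never consult it. Strict by default.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san or not allow_cn_fallback:
        return san
    # Subject is a sequence of RDNs, each a sequence of (attribute, value) pairs.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """One certificate name against one hostname.

    Exact match is case-insensitive. A wildcard must be the entire leftmost
    label and matches exactly one label: '*.netinertia.co.uk' covers
    'mail.netinertia.co.uk' but neither 'netinertia.co.uk' nor
    'a.b.netinertia.co.uk'. (Browsers also refuse wildcards on public suffixes
    such as '*.co.uk'; that needs a public-suffix list and is omitted here.)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3:          # refuse '*.uk'-style patterns outright
        return False
    if len(h_labels) != len(p_labels):
        return False               # wildcard covers one label, no more, no fewer
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str, allow_cn_fallback: bool = False) -> bool:
    return any(name_matches(n, hostname)
               for n in names_from_cert(cert, allow_cn_fallback))


def uncovered(cert: dict, hostnames: Iterable[str],
              allow_cn_fallback: bool = False) -> list[str]:
    """Hostnames for which a client would reject this certificate."""
    return [h for h in hostnames if not cert_covers(cert, h, allow_cn_fallback)]


# Constructed sample certificates (getpeercert() shape), not real ones.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.netinertia.co.uk"),),),
    "subjectAltName": (("DNS", "*.netinertia.co.uk"),),
}

SAN_CERT = {
    "subject": ((("commonName", "mail.netinertia.co.uk"),),),
    "subjectAltName": (
        ("DNS", "mail.netinertia.co.uk"),
        ("DNS", "imap.netinertia.co.uk"),
        ("DNS", "pop.netinertia.co.uk"),
        ("DNS", "smtp.netinertia.co.uk"),
    ),
}

# Old-style cert with a CN and no SAN at all.
CN_ONLY_CERT = {"subject": ((("commonName", "mail.netinertia.co.uk"),),)}

SERVICE_NAMES = [
    "mail.netinertia.co.uk", "imap.netinertia.co.uk",
    "pop.netinertia.co.uk", "smtp.netinertia.co.uk",
]

if __name__ == "__main__":
    probe = SERVICE_NAMES + ["netinertia.co.uk", "foo.bar.netinertia.co.uk"]
    print("wildcard cert rejects:", uncovered(WILDCARD_CERT, probe))
    print("SAN cert rejects:     ", uncovered(SAN_CERT, probe + ["www.netinertia.co.uk"]))
    print("CN-only, strict:      ", cert_covers(CN_ONLY_CERT, "mail.netinertia.co.uk"))
    print("CN-only, legacy:      ", cert_covers(CN_ONLY_CERT, "mail.netinertia.co.uk", True))
```

Both layouts satisfy a client for the four service names; the wildcard additionally covers any future single-label host, while the SAN certificate covers exactly what is listed and nothing else, which is the more auditable choice once other people start connecting. Whichever is used, note that one certificate means one private key shared by Dovecot, Exim and Apache, so a key compromise in any one daemon compromises the others. Separate certificates per service avoid that, at the cost of more renewals to track.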