    SSL Certificates

    IT Discussion
    • BRRABill
      BRRABill last edited by

      I've seen a lot of discussion here recently about SSL certificates.

      I will admit to being a little undereducated in this arena.

      I currently use GoDaddy to get an SSL certificate for my internal mail server, mainly just so users don't get the warnings.

      Are there free certificates available that would accomplish this purpose? Or a better way of doing this?

      • JaredBusch
        JaredBusch @BRRABill last edited by

        @BRRABill said in SSL Certificates:

        I've seen a lot of discussion here recently about SSL certificates.

        I will admit to being a little undereducated in this arena.

        I currently use GoDaddy to get an SSL certificate for my internal mail server, mainly just so users don't get the warnings.

        Are there free certificates available that would accomplish this purpose? Or a better way of doing this?

        Not for Exchange, no. Exchange needs a cert with more than a single valid name on it.

        • BRRABill
          BRRABill @JaredBusch last edited by

          @JaredBusch said in SSL Certificates:

          Not for Exchange, no. Exchange needs a cert with more than a single valid name on it.

          My current cert from GoDaddy only supports one valid name.

          So if I go to the IP address directly it does not work. But the FQDN does.

          I am thinking of more instances of things like my Palo Alto VPN I set up today, where it will take a CA cert instead of me using a self-signed one.

          Is there something free in that realm?

          Or even, what certificate services are you using? GoDaddy charges like $70.

          • Dashrender
            Dashrender last edited by Dashrender

            What do you use for onsite email? If it's Exchange, do you have ActiveSync or webmail? If you are using those things, it's typical that you'll have SANs in the cert for Exchange.

            You could probably use a Let's Encrypt SSL, but you have to renew it like every 90 days.. so that $70 for a year makes the time of dealing with renewing so frequently worth it.

            Also, you have a Palo Alto - the price for an SSL cert should be darn near meaningless. ;)

            • BRRABill
              BRRABill @Dashrender last edited by BRRABill

              @Dashrender said

              What do you use for onsite email?

              We use MDaemon, which just requires one certificate. Though like I said if you try the IP address it doesn't like it.

              • BRRABill
                BRRABill @Dashrender last edited by

                @Dashrender said

                You could probably use a Let's Encrypt SSL, but you have to renew it like every 90 days.. so that $70 for a year makes the time of dealing with renewing so frequently worth it.

                From reading recent threads here, it just seemed like me paying for a cert was stupid, and that there were better options, even if not free.

                But perhaps I am already on the right path.

                • Dashrender
                  Dashrender @BRRABill last edited by

                  @BRRABill said:

                  @Dashrender said

                  What do you use for onsite email?

                  We use MDaemon, which just requires one certificate. Though like I said if you try the IP address it doesn't like it.

                  Sure, but the IP isn't listed in the cert, so the browser you're using to connect to the mail server doesn't see the IP in the cert.. so there's an error. I think there used to be a time when you could add an IP... but not sure that's allowed anymore.

                  • BRRABill
                    BRRABill @Dashrender last edited by

                    @Dashrender said

                    Sure, but the IP isn't listed in the cert, so the browser you're using to connect to the mail server doesn't see the IP in the cert.. so there's an error. I think there used to be a time when you could add an IP... but not sure that's allowed anymore.

                    So, you need two certs then?

                    • BRRABill
                      BRRABill @Dashrender last edited by

                      @Dashrender said

                      Also, you have a Palo Alto - the price for an SSL cert should be darn near meaningless. ;)

                      Don't be a hater...

                      LOL.

                      • Dashrender
                        Dashrender last edited by

                        I'm using a GoDaddy cert for my Exchange server - my Multi-domain SAN (not SDN) cert is worth it.

                        When you can use the tools to automatically request, install, etc. the SSL, then Let's Encrypt is worth it.. but when you have to deal with a lot of manual junk.. nah...

                        • Dashrender
                          Dashrender @BRRABill last edited by

                          @BRRABill said:

                          @Dashrender said

                          Sure, but the IP isn't listed in the cert, so the browser you're using to connect to the mail server doesn't see the IP in the cert.. so there's an error. I think there used to be a time when you could add an IP... but not sure that's allowed anymore.

                          So, you need two certs then?

                          Why would you need two?

                          • BRRABill
                            BRRABill @Dashrender last edited by

                            @Dashrender said

                            Why would you need two?

                            I've only ever followed the directions from MDaemon to generate a certificate for what I need, which is always in the format of

                            mail.domain.com

                            Are you saying I can add the straight IP as well? On the same one?

                            • Dashrender
                              Dashrender last edited by

                              according to this
                              https://support.globalsign.com/customer/portal/articles/1216536-securing-a-public-ip-address---ssl-certificates

                              you can have the IP be the common name. You can use SAN Secondary Address Names to a single cert (SAN certs cost more money, but one cert can have at least 5 additional names, maybe more, so you save money)

                              So if you wanted the IP to not give errors, then you could set the IP as the common name, and mail.domain.com in the SAN

                              Though I wonder, why do you need the IP itself to not give an error? Do you purposefully have users use the IP? If not, and it's only you using the IP, then why spend money, you know you can safely ignore the error.

                              • BRRABill
                                BRRABill last edited by

                                That might work for my other stuff, though.

                                If I can do DOMAIN.COM and then

                                vpn.domain.com
                                mail.domain.com
                                iDRAC.domain.com

                                to fill all my certificate needs

                                • iroal
                                  iroal last edited by

                                  StartSSL is free, it's easy to create and install.

                                  • Dashrender
                                    Dashrender @BRRABill last edited by

                                    @BRRABill said in SSL Certificates:

                                    That might work for my other stuff, though.

                                    If I can do DOMAIN.COM and then

                                    vpn.domain.com
                                    mail.domain.com
                                    iDRAC.domain.com

                                    to fill all my certificate needs

                                    Why would you do domain.com? That's not a real service, is it? It's generally better off being a redirector to a real service like www.domain.com.

                                    • travisdh1
                                      travisdh1 @BRRABill last edited by

                                      @BRRABill Yeah. Last time we updated at work I paid a little extra for a wildcard cert. So *.domain.com, it's all valid for the one cert.

                                      For my personal server, I just run Let's Encrypt.

                                      • Dashrender
                                        Dashrender @travisdh1 last edited by

                                        @travisdh1 said in SSL Certificates:

                                        @BRRABill Yeah. Last time we updated at work I paid a little extra for a wildcard cert. So *.domain.com, it's all valid for the one cert.

                                        For my personal server, I just run Let's Encrypt.

                                        How much is a little? The last time I looked (it's been many years) a wildcard cert was 5X the cost of a normal cert, maybe more.

                                        • travisdh1
                                          travisdh1 @Dashrender last edited by

                                          @Dashrender said in SSL Certificates:

                                          @travisdh1 said in SSL Certificates:

                                          @BRRABill Yeah. Last time we updated at work I paid a little extra for a wildcard cert. So *.domain.com, it's all valid for the one cert.

                                          For my personal server, I just run Let's Encrypt.

                                          How much is a little? The last time I looked (it's been many years) a wildcard cert was 5X the cost of a normal cert, maybe more.

                                          You can pick up a Comodo cert for $94/year. Looks like today's pricing has majorly changed since the last time I bought a cert, single site certs for $9. Let's Encrypt is having a real nice effect on the market!

                                          • BRRABill
                                            BRRABill @Dashrender last edited by

                                            @Dashrender said

                                            Why would you do domain.com? That's not a real service, is it? It's generally better off being a redirector to a real service like www.domain.com.

                                            That was an example.

                                            Even after yesterday I still seem to be afraid to post real details online!

                                            vpn.brrabillisafraidoftheinternet.com
                                            mail.brrabillisafraidoftheinternet.com
                                            iDRAC.brrabillisafraidoftheinternet.com

                                            Dashrender 1 Reply Last reply Reply Quote 0
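
Added example, not part of the thread: the posts above discuss why a certificate issued for mail.domain.com produces an error when the server is reached by IP, and how a multi-name SAN certificate and a wildcard certificate differ. This Python sketch checks which targets a certificate covers, assuming the client matches only against SAN entries using RFC 6125-style rules; the function names, the sample SAN lists and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.domain.com' never covers 'domain.com' or 'a.b.domain.com'
    if p_labels[0] == "*":
        # Simplification: refuse wildcards with fewer than three labels ('*.com').
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_covers(san_entries, target):
    """san_entries: list of ('DNS', name) or ('IP', address) tuples.
    target: what the user typed into the client (hostname or IP literal)."""
    if _is_ip(target):
        # An IP literal is compared only with IP-type SANs, never with DNS names.
        want = ipaddress.ip_address(target)
        return any(kind == "IP" and ipaddress.ip_address(val) == want
                   for kind, val in san_entries)
    return any(kind == "DNS" and dns_name_matches(val, target)
               for kind, val in san_entries)

# Constructed sample certificates (placeholder names and address).
SINGLE_NAME = [("DNS", "mail.domain.com")]
MULTI_SAN = [("DNS", "mail.domain.com"), ("DNS", "vpn.domain.com"),
             ("DNS", "idrac.domain.com"), ("IP", "203.0.113.10")]
WILDCARD = [("DNS", "*.domain.com")]

def coverage_report(targets):
    """Map each sample certificate to the targets it would validate for."""
    certs = {"single": SINGLE_NAME, "multi-san": MULTI_SAN, "wildcard": WILDCARD}
    return {name: [t for t in targets if cert_covers(sans, t)]
            for name, sans in certs.items()}

if __name__ == "__main__":
    wanted = ["mail.domain.com", "vpn.domain.com", "domain.com", "203.0.113.10"]
    for name, ok in coverage_report(wanted).items():
        print(f"{name:10} valid for: {ok}")
```

The wildcard entry covers every single-label host under domain.com but neither the bare domain nor the IP address, so each of those needs its own SAN entry if clients are expected to connect that way.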