SSL Certificates
-
@BRRABill said in SSL Certificates:
I've seen a lot of discussion here recently about SSL certificates.
I will admit to being a little under educated in this arena.
I currently use GoDaddy to get an SSL certificate for my internal mail server, mainly just so users don't get the warnings.
Are there free certificates available that would accomplish this purpose? Or a better way of doing this?
Not for Exchange, no. Exchange needs a cert with more than a single valid name on it.
-
@JaredBusch said in SSL Certificates:
Not for Exchange, no. Exchange needs a cert with more than a single valid name on it.
My current cert from GoDaddy only supports one valid name.
So if I go to the IP address directly it does not work. But the FQDN does.
I am thinking of more instances of things like my Palo Alto VPN I set up today, where it will take a CA cert instead of me using a self-signed one.
Is there something free in that realm?
Or even, what certificate services are you using? GoDaddy charges like $70.
-
what do you for onsite email? If it's exchange, do you have activesync or webmail? If you are using those things, it's typical that you'll have SANs in the cert for Exchange.
You could probably use a Let's Encrypt SSL, but you have renew it like every 90 days.. so that $70 for a year make the time of dealing with renewing so frequently worth it.
Also, you have a Palto Alto - the price for a SSL cert should be darn near meaningless.
-
@Dashrender said
what do you for onsite email?
We use MDaemon, which just requires one certificate. Though like I said if you try the IP address it doesn't like it.
-
@Dashrender said
You could probably use a Let's Encrypt SSL, but you have renew it like every 90 days.. so that $70 for a year make the time of dealing with renewing so frequently worth it.
From reading recent threads here, it just seemed like me paying for a cert was stupid, and that there were better options, even if not free.
But perhaps I am already on the right path.
-
@BRRABill said:
@Dashrender said
what do you for onsite email?
We use MDaemon, which just requires one certificate. Though like I said if you try the IP address it doesn't like it.
Sure, but the IP isn't listed in the cert, so the browser you're using to connect to the mail server doesn't see the IP in the cert.. so there's an error. I think there used to be a time when you could add an IP... but not sure that's allowed anymore.
-
@Dashrender said
Sure, but the IP isn't listed in the cert, so the browser you're using to connect to the mail server doesn't see the IP in the cert.. so there's an error. I think there used to be a time when you could add an IP... but not sure that's allowed anymore.
So, you need two certs then?
-
@Dashrender said
Also, you have a Palto Alto - the price for a SSL cert should be darn near meaningless.
Don' t be a hater...
LOL.
-
I'm using a GoDaddy cert for my Exchange server - my Multi-domain SAN (not SDN) cert is worth it.
When you can use the tools to automatically request, install, etc the SSL Then Let's Encrypt is worth it.. but when you have to deal with a lot of manual junk.. nah...
-
@BRRABill said:
@Dashrender said
Sure, but the IP isn't listed in the cert, so the browser you're using to connect to the mail server doesn't see the IP in the cert.. so there's an error. I think there used to be a time when you could add an IP... but not sure that's allowed anymore.
So, you need two certs then?
Why would you need two?
-
@Dashrender said
Why would you need two?
I've only ever followed the directions from MDaemon to generate a certificate for what I need, which is always in the format of
Are you saying I can add the straight IP as well? On the same one?
-
according to this
https://support.globalsign.com/customer/portal/articles/1216536-securing-a-public-ip-address---ssl-certificatesyou can have the IP be the common name. You can use SAN Secondary Address Names to a single cert (SAN certs cost more money, but one cert can have at least 5 additional names, maybe more, so you save money )
So if you wanted the IP to not give errors, then you could set the IP as the common name, and mail.domain.com in the SAN
Though I wonder, why do you need the IP itself to not give an error? Do you purposefully have users use the IP? If not, and it's only you using the IP, then why spend money, you know you can safely ignore the error.
-
That might work for my other stuff, though.
If I can do DOMAIN.COM and then
vpn.domain.com
mail.domain.com
iDRAC.domain.comto fill all my certificate needs
-
Startssl is free, It's easy to create and install.
-
@BRRABill said in SSL Certificates:
That might work for my other stuff, though.
If I can do DOMAIN.COM and then
vpn.domain.com
mail.domain.com
iDRAC.domain.comto fill all my certificate needs
Why would you do domain.com? That's not a real service is it? it's generally better off being a redirector to a real service like www.domain.com.
-
@BRRABill Yeah. Last time we updated at work I paid a little extra for a wildcard cert. So *.domain.com, it's all valid for the one cert.
For my personal server, I just run Let's Encrypt.
-
@travisdh1 said in SSL Certificates:
@BRRABill Yeah. Last time we updated at work I paid a little extra for a wildcard cert. So *.domain.com, it's all valid for the one cert.
For my personal server, I just run Let's Encrypt.
How much is a little? The last time I looked (it's been many years) a wildcard cert was 5X the cost of a normal cert, maybe more.
-
@Dashrender said in SSL Certificates:
@travisdh1 said in SSL Certificates:
@BRRABill Yeah. Last time we updated at work I paid a little extra for a wildcard cert. So *.domain.com, it's all valid for the one cert.
For my personal server, I just run Let's Encrypt.
How much is a little? The last time I looked (it's been many years) a wildcard cert was 5X the cost of a normal cert, maybe more.
You can pickup a Comodo cert for $94/year. Looks like today's pricing has majorly changed since the last time I bought a cert, single site certs for $9. Let's Encrypt is having a real nice effect on the market!
-
@Dashrender said
Why would you do domain.com? That's not a real service is it? it's generally better off being a redirector to a real service like www.domain.com.
That was an example.
Even after yesterday I still seem to be afraid to post real details online!
vpn.brrabillisafraidoftheinternet.com
mail.brrabillisafraidoftheinternet.com
iDRAC.brrabillisafraidoftheinternet.com -
For me it wasn't so much the cost as wondering of there was a better way than what I was doing.
Part optimization, part learning what else might be out there.