
SSL problem

By Jesse Morgan | June 19, 2006

So here’s the problem: We’re setting up a new mailserver for our customers at work and I’d like for them to use SSL on their IMAP connections. The problem is we don’t want to get an SSL cert for each of the domains (there are around 30 and it’s constantly changing). After talking to the SSL people, they said that getting a cert for the IP would be the best solution.

So our mailserver (mail1) has an SSL cert for 123.123.123.123. Everything seems to work in Outlook Express, which is what *most* of our customers use…

BUT… KMail on Linux and Mail on OS X alert that “The IP address of the host mail1.ourdomain.com does not match the one the certificate was issued to.” (KMail message). When I click on Details, there appear to be 3 levels to the “chain” of SSL certification:
* Site Certificate
* 123.123.123.123
* UTN-USERFirst-Hardware

From what I can see, Site Certificate is identical to 123.123.123.123, except “The Certificate has not been issued for this host.”

Short of getting an SSL cert for each one of these domains, and adding a new one each time we add a new domain, can we make this error go away? I’m looking for a universal solution for all clients if possible
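To see why KMail complains, here is an added example (not from the post) of the hostname check a mail client performs against the server certificate: it compares the name the user typed (mail1.ourdomain.com) with the certificate’s subjectAltName entries, or with the CN only when there are no DNS SANs. The certificate dicts are constructed in the shape Python’s `ssl.SSLSocket.getpeercert()` returns; 123.123.123.123 is the post’s placeholder IP and `customer-a.example` is an assumed customer domain. It also generalises to a multi-domain (SAN) certificate, which is the one-cert-for-many-domains route the post is asking about.

```python
import ipaddress

# Constructed sample certs in the dict shape ssl.SSLSocket.getpeercert() returns;
# the IP is the post's placeholder, customer-a.example is an assumed customer domain.
CERT_FOR_IP = {
    "subject": ((("commonName", "123.123.123.123"),),),
    "subjectAltName": (("IP Address", "123.123.123.123"),),
}
CERT_WITH_SANS = {
    "subject": ((("commonName", "mail1.ourdomain.com"),),),
    "subjectAltName": (
        ("DNS", "mail1.ourdomain.com"),
        ("DNS", "*.customer-a.example"),
        ("IP Address", "123.123.123.123"),
    ),
}

def _dns_match(pattern, hostname):
    """Match one dNSName entry; a wildcard is honoured only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    head, sep, tail = hostname.partition(".")
    # *.example.com covers a.example.com but not example.com or b.a.example.com
    return sep != "" and head != "" and tail == pattern[2:]

def cert_matches_host(cert, host):
    """True if host (DNS name or IP literal) is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is checked only against iPAddress SANs, never the CN
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        # Once any dNSName SAN is present, the CN is ignored
        return any(_dns_match(p, host) for p in dns_names)
    # Legacy fallback: CN counts only when the cert carries no dNSName SANs
    return any(k == "commonName" and _dns_match(v, host)
               for rdn in cert.get("subject", ()) for k, v in rdn)

def uncovered_hosts(cert, hosts):
    """The hostnames clients would warn about if they connected with this cert."""
    return [h for h in hosts if not cert_matches_host(cert, h)]
```

Running `uncovered_hosts` over the list of customer mail hostnames before buying a certificate shows exactly which names a client will still warn about.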


One Response to “SSL problem”

  1. Stone Says:
    June 21st, 2006 at 9:31 pm

    How about GoDaddy https://www.godaddy.com/gdshop/ssl/ssl.asp?se=%2B&ci=271

    You can get certs starting out at $20 a year and 256 bit encryption. I think those ones won’t give you trouble but I am not 100% sure. At that price you could easily add that into the service charge for email so it doesn’t come out of your bottom line.

    The other thing is you could do a self-signed cert. The downside is that the client would have to install the cert every time they were on a new computer, such as an internet cafe or public kiosk. But it is free and you can generate keys for each domain.

    If they are running a Windows AD environment you can set up a certificate authority in the domain and issue their own domain certs applied through GPOs. Then you can issue one cert from their AD domain and use it for their mail domain. This would get rid of the need for their corporate workstations to manually install the cert since it would be applied to the domain, but public machines will still need to install the cert when they needed to use it.

    In Windows go to Start > Programs > Administrative Tools > Public Key Management. Then select Certificates > Trusted Root Certification Authority > Certificates to see what certs are automagically trusted by Windows, then you can search for a cheap one.
