General SSL Certificate Questions

By mandms7 ·
Let me start off by saying that my knowledge of SSL certificates is pretty limited. We just purchased an e-mail security appliance that I would like to configure with an SSL certificate to allow secure communications for both internal users (accessing quarantines, management, etc.) and also for possibly TLS encryption. I'm also considering installing SSL certificates on some of our intranet web servers. Since this is primarily for internal use, I'm wondering if it's still necessary to spend hundreds of dollars for a commercial one-year SSL certificate from places like Verisign? I've heard of self-signed certificates, but I have no idea what's involved with doing this. Is this easy to do; is it worth pursuing?

In addition to my primary question, I have some related ones:

1) To enable TLS encryption, do I purchase and use an SSL certificate or do I use something else?

2) The e-mail appliance documentation states that it "must have an X.509 certificate and matching private key in PEM format for receiving and delivery." Additionally, it states that it cannot generate Certificate Signing Requests itself and that you must use another system to generate the CSR. We only have Windows servers in-house, and I know that when I've generated a CSR before, the only thing I received back from Verisign is the certificate but no "private key". Is the CSR process different for non-Windows systems?

3) The e-mail appliance has a "public" and "private" interface, both of which have different host names. Can I somehow use one SSL certificate to secure both interfaces if they have different host names?

Thanks!

All Comments

by CG IT In reply to General SSL Certificate Q ...

Question 3: yes, there are public certs such as those by Verisign, and then there are private ones when you use something like Certificate Services in a Windows environment.

by CG IT In reply to

Here's some info on TLS encryption in a Windows environment. Pay particular attention to the section on paired keys and encryption levels.

http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/moc04_24.htm

by lowlands In reply to General SSL Certificate Q ...

The problem with a self signing certificate might be that the certificate will be unknown to whomever connects to it. Most all users will trust for example a Verisign cert, but not something from yourself, whether it is a self signed cert, or one from an internal Certificate Authority (MS certificate services for example, something you could install).

2. There are a number of different formats for certificate files and their private keys. Most can be converted to the format you need. I would contact Verisign (or Thawte or whatever other vendor you choose) and explain exactly what you need, they'll be able to tell you if they can get you that.

3. I don't think different hostnames can use the same certificate. Well, they can but then you'll get a "names don't match" message when you connect.

Certificates are a pretty complicated thing, especially if you plan on implementing your own certificate infrastructure. Going with a 3rd party vendor might save you a lot of headaches.
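
On the question of one certificate covering two hostnames, as an added example that is not part of the original posts: a certificate can list several DNS names in its subjectAltName extension, and a client accepts the connection when the requested host matches any of them. The sketch below applies simplified matching rules to certificate dicts in the shape returned by Python's `ssl` `getpeercert()`; the function names and hostnames are constructed for illustration.

```python
# Added example: hostname-to-certificate name matching (simplified RFC 6125 rules).
# Certificates are dicts in the shape returned by ssl.SSLSocket.getpeercert().
# All hostnames below are constructed sample values.

def _name_match(pattern: str, host: str) -> bool:
    """Compare one DNS name from the certificate against the requested host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is honoured only as the entire leftmost label.
    if p_labels[0] == "*":
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def cert_names(cert: dict) -> list:
    """Return the DNS names a client checks: SAN entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN entries exist, the CN is ignored
    # Legacy fallback; current browsers require a SAN entry.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def host_matches(cert: dict, host: str) -> bool:
    return any(_name_match(name, host) for name in cert_names(cert))

# Constructed certificate carrying a single name (CN only).
SINGLE = {"subject": ((("commonName", "mail.example.com"),),)}
# Constructed certificate listing both appliance interfaces as SAN entries.
MULTI = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"),
                       ("DNS", "quarantine.corp.example")),
}

if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE), ("two-SAN", MULTI)):
        for host in ("mail.example.com", "quarantine.corp.example"):
            verdict = "OK" if host_matches(cert, host) else "names don't match"
            print(f"{label:12} {host:26} {verdict}")
```
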
