    General SSL Certificate Questions

    by mandms7 ·

    Let me start off by saying that my knowledge of SSL certificates is pretty limited. We just purchased an e-mail security appliance that I would like to configure with an SSL certificate to allow secure communications for both internal users (accessing quarantines, management, etc.) and also possibly for TLS encryption. I’m also considering installing SSL certificates on some of our intranet web servers. Since this is primarily for internal use, I’m wondering if it’s still necessary to spend hundreds of dollars for a commercial one-year SSL certificate from places like Verisign? I’ve heard of self-signed certificates, but I have no idea what’s involved with doing this. Is this easy to do; is it worth pursuing?

    In addition to my primary question, I have some related ones:

    1) To enable TLS encryption, do I purchase and use an SSL certificate, or do I use something else?

    2) The e-mail appliance documentation states that it “must have an X.509 certificate and matching private key in PEM format for receiving and delivery.” Additionally, it states that it cannot generate Certificate Signing Requests itself and that you must use another system to generate the CSR. We only have Windows servers in-house, and I know that when I’ve generated a CSR before, the only thing I received back from Verisign was the certificate but no “private key”. Is the CSR process different for non-Windows systems?

    3) The e-mail appliance has a “public” and a “private” interface, both of which have different host names. Can I somehow use one SSL certificate to secure both interfaces if they have different host names?

    Thanks!

      Reply To: General SSL Certificate Questions

      by cg it ·

      In reply to General SSL Certificate Questions

      Question 3: Yes, there are public certs such as those from Verisign, and then there are private ones when you use something like Certificate Services in a Windows environment.

      Reply To: General SSL Certificate Questions

      by lowlands ·

      In reply to General SSL Certificate Questions

      The problem with a self-signed certificate might be that the certificate will be unknown to whoever connects to it. Almost all users will trust, for example, a Verisign cert, but not something from yourself, whether it is a self-signed cert or one from an internal Certificate Authority (MS Certificate Services, for example, something you could install).

      2. There are a number of different formats for certificate files and their private keys. Most can be converted to the format you need. I would contact Verisign (or Thawte or whatever other vendor you choose) and explain exactly what you need; they’ll be able to tell you if they can get you that.

      3. I don’t think different hostnames can use the same certificate. Well, they can but then you’ll get a “names don’t match” message when you connect.

      Certificates are a pretty complicated thing, especially if you plan on implementing your own certificate infrastructure. Going with a 3rd-party vendor might save you a lot of headaches.
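As an added example (not posted by anyone in this thread), the POSIX shell script below uses openssl to walk through the points raised in questions 2 and 3: the private key is generated locally and never sent anywhere (which is why a CA returns only the certificate), the resulting CSR can go to a commercial CA or be self-signed for internal use, and a subjectAltName extension lets one X.509 certificate in PEM format name both the public and the private interface. The host names and file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example: PEM private key + CSR + self-signed X.509 cert covering two host names.
set -eu

make_appliance_cert() {
    outdir="$1"        # directory for the PEM files (constructed path)
    public_host="$2"   # public interface name, e.g. mail.example.com (placeholder)
    private_host="$3"  # private interface name, e.g. mailgw.corp.internal (placeholder)
    mkdir -p "$outdir"

    # OpenSSL request config. The subjectAltName extension is what makes one
    # certificate valid for both interface names instead of only the CN.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $public_host
[v3_req]
subjectAltName = DNS:$public_host, DNS:$private_host
EOF

    # 1. Private key, created on this host and kept here; it is never part of the CSR.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$outdir/appliance.key" 2>/dev/null
    # 2. CSR for a commercial CA: carries the public key and requested names only.
    openssl req -new -key "$outdir/appliance.key" -config "$outdir/san.cnf" \
        -out "$outdir/appliance.csr"
    # 3. Internal-use alternative: self-sign the same CSR with the same key.
    openssl x509 -req -in "$outdir/appliance.csr" -signkey "$outdir/appliance.key" \
        -days 365 -extfile "$outdir/san.cnf" -extensions v3_req \
        -out "$outdir/appliance.crt" 2>/dev/null
}

# Returns 0 if the certificate in $1 lists host name $2 in its SAN extension.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Returns 0 if private key $1 and certificate $2 carry the same public key,
# i.e. they are the "matching" pair the appliance documentation asks for.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}
```

The check functions are the ones worth reusing after a commercial CA returns a certificate: if key_matches_cert fails, the cert was issued against a different CSR than the key you kept.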
