From owner-freebsd-security@FreeBSD.ORG Mon May 15 22:53:45 2006
From: James O'Gorman <james@netinertia.co.uk>
To: FreeBSD Security List <freebsd-security@freebsd.org>
Date: Mon, 15 May 2006 23:53:03 +0100
Subject: Slightly OT: SSL certs - best practice?
Message-ID: <4469064F.50102@netinertia.co.uk>
List-Id: "Security issues [members-only posting]"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

This question may be slightly OT for this list, but it does concern securing services on my FreeBSD servers :-)

At the moment I have some existing (self-signed) SSL certs for Dovecot, Exim and Apache. It's mostly only me that uses them for now, but I'm planning on expanding that, so I want to try to do things "right".

My real question is: should I have a separate SSL certificate for each service, or can I just use one for all of them?

Also, at the moment, the Dovecot cert is for "*.netinertia.co.uk", but it can be accessed as either mail.netinertia.co.uk, imap.netinertia.co.uk or pop.netinertia.co.uk. Is this right, or should I just pick one (probably mail) to be the "official" name? (Similarly, Exim has its certificate set to mail.netinertia.co.uk, but can be accessed as smtp.netinertia.co.uk.)

I was thinking of just creating one wildcard certificate and using it for all the above services, but I don't know if this is actually the proper way of doing things!

Cheers,
James

PS - Once I've worked out how exactly I'm supposed to be doing this, I'll probably get some "officially" signed certs. I hear CAcert are a good, free way of doing this. Anyone got any comments on that?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (MingW32)

iQEVAwUBRGkGT/8Z3wLA10m9AQLt3wf/RBAvhZ/B+t0L4XFqf3Jds44esvdDAhVw
Mvv1Qp9AfwnHImH/cAQpWAihcyK3dIs9KgOtpBsOxbBgPiJUX508Apn4e9IiCC/S
xh/OjqpdjnqyMc3r4gBJbMwn0DUXqd+E9wiod53RCxCqysedMxY76SrnUu0pkl7J
56p6xav6BWHZGWnFTdEo5u+W0BJTNe1KKm/zXwZ8a23ujIzhMwpzAw/Odf09obdz
/hfZ+C5e7OrGgFnDTbwLQkWSi4e3DGNnsWQ6aP2N4jvmze32wqIxo5UbHM3aeBPs
LOVCz/bUkR6cgDKnBt3FqYzxxq54JK48EB5qvrRD7BZlRZDii28t5w==
=rUCj
-----END PGP SIGNATURE-----
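The two options the post weighs (one certificate listing every service name, or one wildcard certificate) can be tried out locally before buying anything. The script below is an added example, not code from the original message or from any of the projects named in it: it generates a throwaway self-signed certificate whose Subject Alternative Name list covers mail, imap, pop and smtp under netinertia.co.uk, then a second one for "*.netinertia.co.uk", and asks openssl which hostnames each is actually valid for. It assumes an openssl 1.1.1 or newer binary on PATH (for `-addext`); the output file names and the choice of mail.netinertia.co.uk as the CN are hypothetical, and the hostnames are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build a self-signed certificate
# whose Subject Alternative Name (SAN) list covers every name the mail services
# answer on, then check which hostnames it is (and is not) valid for.
# Assumes an openssl 1.1.1+ binary on PATH (for -addext); hostnames are the
# ones from the post, file names and the CN choice are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT CN [ALTNAME...]
# Writes a self-signed cert + key under $WORK and prints the cert path.
# The CN is the "official" name; it is repeated in the SAN list because a
# client that finds a SAN extension ignores the CN entirely.
make_cert() {
    out=$WORK/$1; cn=$2; shift 2
    san="DNS:$cn"
    for h in "$@"; do
        san="$san,DNS:$h"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -addext "subjectAltName=$san" \
        -keyout "$out.key" -out "$out.crt" >/dev/null 2>&1
    echo "$out.crt"
}

# cert_valid_for CERT HOSTNAME -> exit 0 if the name matches, non-zero otherwise.
# The cert is passed as its own trust anchor so that only the hostname check
# can fail; the matching rules are the ones a TLS client applies.
cert_valid_for() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# report CERT HOSTNAME... prints one line per name for a quick eyeball check.
report() {
    c=$1; shift
    for h in "$@"; do
        if cert_valid_for "$c" "$h"; then
            echo "  $h: valid"
        else
            echo "  $h: NOT valid"
        fi
    done
}

# One certificate listing each service name explicitly. Dovecot, Exim and
# Apache can all present it, but only the listed names are covered.
SAN_CERT=$(make_cert san mail.netinertia.co.uk \
    imap.netinertia.co.uk pop.netinertia.co.uk smtp.netinertia.co.uk)
echo "SAN certificate:"
report "$SAN_CERT" mail.netinertia.co.uk imap.netinertia.co.uk \
    smtp.netinertia.co.uk www.netinertia.co.uk

# Wildcard alternative: exactly one label is matched, so the bare domain
# and deeper subdomains are not covered.
WILD_CERT=$(make_cert wild '*.netinertia.co.uk')
echo "Wildcard certificate:"
report "$WILD_CERT" mail.netinertia.co.uk netinertia.co.uk a.b.netinertia.co.uk
```

Running it shows the trade-off in the question directly: the SAN certificate is valid for every name it lists and nothing else (www.netinertia.co.uk fails), while the wildcard is valid for any single label under the domain but not for netinertia.co.uk itself or for a.b.netinertia.co.uk. Either way, one certificate and key pair can be installed in Dovecot, Exim and Apache; the decision is about which names it must cover and how widely the private key is shared between services.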