SSL Certificate Management

I know I need to get a trusted certificate from a certificate authority so that my mail servers can talk to other mail servers like Google, MSN, AOL, etc. Do I have to get a trusted certificate for every domain? I have a 50 server licence. The thought of getting 50 trusted certificates is ridiculous.

How would I go about getting one trusted certificate for all of my domains and have it used for all newly created servers?

Thanks.

Status: Closed (fixed)

Comments

Submitted by Joe on Thu, 11/19/2009 - 22:22 Pro Licensee

I'm not sure what you're talking about...SSL certificates are not required to deliver mail to Google, MSN, AOL, etc.

An SSL certificate can be useful for your users. But it's not mandatory or related to delivering mail at all.

You may be thinking of DKIM, which is a new standard for providing verified identity information when sending and receiving mail. But, it's not yet supported by Virtualmin (coming soon), and is not at all required to send mail to any major provider.

If you are having problems sending mail to any of those companies' mailservers, we can help you debug the problem, but it is definitely not due to a lack of an SSL certificate.

Compserv,

If your mail is being rejected and/or marked as spam by all of those companies' mailservers, you might want to check your reverse DNS is set correctly and/or your IP isn't blacklisted, as these are common reasons for your mail being treated with such disdain. ;)

Mail keeps getting rejected because my server is not trusted because my certificate is self-signed. I need a certificate from a Trusted Authority. The original question is how do I install the one certificate for all of the domains on all the servers in one shot.

If you wish to install a trusted SSL certificate from a commercial organization, we can certainly help with that.

I'd like to clarify, though, that as both Joe and Rogi mentioned above -- that will not solve your problem.

An SSL certificate has nothing to do with email delivery to Google and Yahoo and the like. SSL isn't even used for that; email is delivered in plain text when going from one server to another :-)

If you give us one of the domain names you're having trouble with, we may be able to assist in determining what the problem is and why email is being rejected.

What about the self-signed issue?

Browsers do not trust domains hosted by me because my certificate is self-signed.

In addition, when sending mail from a domain hosted by me to an email account off domain (i.e., from me to user@gmail.com) I get "Relay access denied".

Sure, if you're using self-signed SSL certs, you'd certainly want to consider a commercial certificate.

A commercial cert will absolutely solve the trust issue between the browser and your server.

There's just a different series of steps for solving the issues you're seeing in sending email :-)

Regarding your original question -- you can buy commercial certs from companies like GoDaddy, Verisign, Thawte, Comodo, and so forth.

In general, you do buy one SSL certificate for each website/domain you wish to secure with SSL.

Recently, UCC certificates and wildcard SSL certificates have provided a way to buy one cert to protect multiple domains... but the cost is much higher :-)

So what is the final answer?

If I get 50 customers who will generate 50 domains, will I have to install 50 certificates? Can I just get an IP-specific certificate for the entire server?

Submitted by Joe on Fri, 11/20/2009 - 12:48 Pro Licensee

If I get 50 customers who will generate 50 domains, will I have to install 50 certificates? Can I just get an IP-specific certificate for the entire server?

If you need SSL for all of them, then possibly...and you'll also need an IP address per certificate.

As Eric mentioned, UCC certificates allow multiple domains to share an IP address, and a UCC certificate for multiple domains can be cheaper than individual SSL certificates.

There's quite a bit of coverage of SSL in the documentation:

http://www.virtualmin.com/documentation/web/ssl

Got it.

Will get a wildcard certificate from GoDaddy.

Also noticed my IP address was blacklisted.
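
Added example (not part of the thread and not Virtualmin code): a sketch of the hostname-matching rule TLS clients apply (RFC 6125 style), showing which hosted names a wildcard certificate and a multi-domain UCC/SAN certificate each cover. All domain names and certificate name lists below are constructed, and the function names are hypothetical.

```python
# Added example: which hosted names does a given certificate cover?
# Rule modelled (RFC 6125 style): "*" is honoured only as the entire
# left-most label and stands for exactly one label.

def name_matches(pattern: str, host: str) -> bool:
    """Return True if a certificate name (pattern) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # "*" never spans several labels
    if p[0] == "*":
        # Require two literal labels after "*", so "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h                         # partial wildcards are treated as literals


def uncovered(cert_names, hosts):
    """Hosts that none of the certificate's names cover, sorted."""
    return sorted(
        h for h in hosts
        if not any(name_matches(n, h) for n in cert_names)
    )


# Constructed sample data: names hosted on one server.
HOSTED = [
    "example.com", "www.example.com", "mail.example.com",
    "a.b.example.com", "example.net", "www.example.org",
]
# Constructed name lists as they would appear in a certificate's SAN field.
WILDCARD = ["*.example.com", "example.com"]
UCC = ["example.com", "www.example.com", "example.net", "www.example.org"]

if __name__ == "__main__":
    print("wildcard cert leaves uncovered:", uncovered(WILDCARD, HOSTED))
    print("UCC cert leaves uncovered:     ", uncovered(UCC, HOSTED))
```

The wildcard list covers any single-label subdomain of one domain but none of the other customers' domains; the UCC list covers different domains but only the exact names it enumerates.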