Changes

Jump to navigation Jump to search
82 bytes removed ,  19:04, 20 April 2009
m
Please stick to the 'normal' heading levels
Line 1: Line 1: −
====Certificates - All you wanted to know about them====
+
===Self signed certificates===
 
  −
=====Self signed certificates=====
   
The certificate created by sme by default is a self signed certificate. That means it is issued by sme server and as such has not been tested or authenticated by any external certificate issuing Authority eg VeriSign & others etc.
 
The certificate created by sme by default is a self signed certificate. That means it is issued by sme server and as such has not been tested or authenticated by any external certificate issuing Authority eg VeriSign & others etc.
   Line 13: Line 11:  
Obviously external DNS records have to support that URL ie you would usually setup a wildcard in external DNS records that makes *.yourmaindomain.com resolve to your server IP.
 
Obviously external DNS records have to support that URL ie you would usually setup a wildcard in external DNS records that makes *.yourmaindomain.com resolve to your server IP.
   −
=====Commercial certificates=====
+
===Commercial certificates===
 
If you use a commercially available certificate & pay money for it, the organisation who issues the certificate pays big money to Microsoft & Mozilla etc to have their root certificate installed in the browser by default. That's why if you use a good quality commercial certificate on your server, then when a visitor to your site accesses https://.... , they will not be asked anything about the certificate mismatching or not being installed etc, as the browser already knows that certificates from say VeriSign are legitimate and happily accepts the connection without question, as it is already trusted. Same for other major brands of commercial certificates.
 
If you use a commercially available certificate & pay money for it, the organisation who issues the certificate pays big money to Microsoft & Mozilla etc to have their root certificate installed in the browser by default. That's why if you use a good quality commercial certificate on your server, then when a visitor to your site accesses https://.... , they will not be asked anything about the certificate mismatching or not being installed etc, as the browser already knows that certificates from say VeriSign are legitimate and happily accepts the connection without question, as it is already trusted. Same for other major brands of commercial certificates.
   −
=====Freely available certificates=====
+
===Freely available certificates===
 
If you choose to create your own certificate using one of the Howtos eg the [[Custom_CA_Certificate|CACert Howto]], then the first time visitors access your site (https), they will still get asked to install the certificate into their browser. This is because CACert does not pay Microsoft $10,000 or more regularly to have their root certificate automatically installed in Internet Explorer (& updates which also update the root certifcate) etc. The same goes for other major brands of web browsers, although work is progressing to improve the relationship between CACert & other free certificate issuers and various web browser authors.
 
If you choose to create your own certificate using one of the Howtos eg the [[Custom_CA_Certificate|CACert Howto]], then the first time visitors access your site (https), they will still get asked to install the certificate into their browser. This is because CACert does not pay Microsoft $10,000 or more regularly to have their root certificate automatically installed in Internet Explorer (& updates which also update the root certifcate) etc. The same goes for other major brands of web browsers, although work is progressing to improve the relationship between CACert & other free certificate issuers and various web browser authors.
   Line 23: Line 21:  
You will still have renewal issues with CACert certificates for example, as they are only valid for 6 months, unless you join the special recognition program and show proof of identity to a authorised human being in your area, when they are then valid for 2 years. Ultimately at some time in the future, you will need to renew the CACert certificate, and install that new certificate onto sme server. Then when a user's web browser accesses https for the first time, it will object to the authenticity of the new certificate, thus needing to be reinstalled again, or install the CACert root certificate again. You can't win actually as users will always be chasing their own tail reinstalling certificates, albeit infrequently !
 
You will still have renewal issues with CACert certificates for example, as they are only valid for 6 months, unless you join the special recognition program and show proof of identity to a authorised human being in your area, when they are then valid for 2 years. Ultimately at some time in the future, you will need to renew the CACert certificate, and install that new certificate onto sme server. Then when a user's web browser accesses https for the first time, it will object to the authenticity of the new certificate, thus needing to be reinstalled again, or install the CACert root certificate again. You can't win actually as users will always be chasing their own tail reinstalling certificates, albeit infrequently !
   −
=====Expiration time of the self signed certificate=====
+
===Expiration time of the self signed certificate===
 
One last point to note is that the sme self signed certificate is valid for one year, and it gets automatically renewed by sme server functionality on the anniversary of the installation date of the sme server OS.
 
One last point to note is that the sme self signed certificate is valid for one year, and it gets automatically renewed by sme server functionality on the anniversary of the installation date of the sme server OS.
   Line 54: Line 52:  
Then add the new 5 year certificate to your browser, and no more questions from your browser until five years time when the certificate validity expires.
 
Then add the new 5 year certificate to your browser, and no more questions from your browser until five years time when the certificate validity expires.
   −
=====Problem with email client=====
+
===Problem with email client===
 
Also if using the self signed certificate, instead of configuring your email client to use say mail.yourdomain.com for sending and receiving mail server names, then change that to servername.yourdomain.com, and that way the email client will not create a warning/error each time you access the mail system on your server ie by clicking the Send/Receive button in the email client ie the certificate name will match the requested server name.
 
Also if using the self signed certificate, instead of configuring your email client to use say mail.yourdomain.com for sending and receiving mail server names, then change that to servername.yourdomain.com, and that way the email client will not create a warning/error each time you access the mail system on your server ie by clicking the Send/Receive button in the email client ie the certificate name will match the requested server name.
   −
=====Multiple domains=====
+
===Multiple domains===
 
If you have multiple hosted domains, then you may need to use a certificate that covers all those domains, if you want users to access individual domain name URLs, the CACert How to details that.
 
If you have multiple hosted domains, then you may need to use a certificate that covers all those domains, if you want users to access individual domain name URLs, the CACert How to details that.
 
Otherwise if using the self signed certificate just get users to access https://servername.maindomain.com/webmail irregardless of whether they are using a different domain for their receiving/sending email address. In webmail, change the default senders address for each user to match the domain they are supposed to be using.
 
Otherwise if using the self signed certificate just get users to access https://servername.maindomain.com/webmail irregardless of whether they are using a different domain for their receiving/sending email address. In webmail, change the default senders address for each user to match the domain they are supposed to be using.

Navigation menu