SSL Certificates for osx server web & mail?

[awmazz]

I need a bit of guidance on SSL certificates in regards to setting up a home-based web and mail service using osx leopard server. Any help would be greatly appreciated. Just pointing me to a site with the answers would be good too, thanks!

I have a couple of domains which I've set up web sites okay and now want email for but am struggling to understand the osx server mail services SSL instructions, which amount to "get SSL Certificate, install SSL Certificate" but doesn't go into any further detail.

Basically what sort of certificate do I need just for mail services? Do I need one to secure the actual web server itself too? There's a bit of a choice and some are quite expensive and look like they're for serious e-commerce sites so are they more than I need?:

Instant SSL by Comodo

In regards to a website, do I need an SSL certificate if I'm just setting up an online forum like this one (to protect peoples' accounts and emails etc), or if I decide to do a bit of online commerce one day using Paypal? Or does the Paypal site handle all that for me?

 

[Azgar]

I imagine there are a lot of opinions out there on the subject. Personally, I think the SSL market is a bit of a sham. You'd have better luck finding the fountain of youth than you would finding anyone who has ever collected on an SSL "warranty". Their warranties are for the site visitors, not the hoster, and they don't cover the security of the certificate, only the validity of their issuing process to ensure people running a server are who they say they are. In general, all SSL certs provide the same level of security; the green bar and all that are just for consumer confidence and I would argue that few people in the general public could care less beyond seeing their little padlock.

Based on that, I'd recommend going with the cheapest one available from any reputable SSL issuer like Comodo, GoDaddy, etc. Anything is cheaper than Verisign. You've got a few options when it comes to covering more than one domain. Traditional SSL certs cover only one domain or subdomain, so you would need one for http://www.yourdomain.com and mail.yourdomain.com if you wanted to secure the website and mail services. There are wildcard SSLs, but those are rather expensive unless you're covering a lot of subdomains. A UCC (Unified Communications Certificate) SSL can be used for multiple domains and are a lot cheaper if you need to cover more than a couple names. They shouldn't be used for sites that are not supposed to appear to be related though since the identity on the cert will be the same for all sites.

Regarding PayPal, if I remember correctly, there are different options for integrating PayPal payment into your website. One method sends people to PayPals site for actual payment processing, in which case you wouldn't need an SSL for your site. The other method does it directly on your site, communicating with their servers in the background, so you would need an SSL for your site going that route.

 

[awmazz]

Thanks for the help Azgar. I went with the cheapest Comodo InstantSSL before you had a chance to reply. Mainly because the only difference I could see between it and the more expensive InstantSSL Pro and Premiums was just the amount of the warranty.

I now have to check to see if what I've just bought actually covers mail.domain.com and other subdomains as well now that you've told me about it as I just assumed it would without even thinking to ask. I think I'll have to email them as the Comodo product descriptions are just as vague and uninformative as Apple's instruction manuals.

Ditto my hoping it could cover two domain names if they both have the same registration details, but that's probably wishful thinking going by what you mentioned about the UCC type. Looking at the Comodo price list, the UC cert is almost 5x the price of the InstantSSL, so for just two or three domains it looks like getting separate certs would still be cheaper.

Thanks again for the very helpful information!

 

[assembled]

remember that if you are running different sites on different domains, then you need a dedicated IP for each site. this is because the host header information is encrypted within HTTPS and the server can't decrypt until it knows which certificate is being used.

a UCC certificate, is correctly called a SAN (Subject Alternative Name) certificate, UCC comes from Microsoft and Exchange 2007.

there are ways of having a SAN certificate that can have multiple domains, but you might also encounter other issues with SAN certificates not being understood by some browsers.

 

[Guiyon]

I skipped all the commercial solutions and just created my own CA and use self-signed certificates for each of my services. I don't use them to create a 'chain of trust' but solely for encryption purposes (for example, I only allow SSL/TLS on my mail server). It's also much easier to create a few new certs if I need em.