1

Trying to understand how SSL certificates work. Is the following correct:

I have a website at www.example.com and a mailserver at mail.example.com. The website is public and visited by many people. The mailserver is only for a small group of people all of whom I know.

I would like to add SSL to both the web and the mail server. As far as I understand, unless I buy a wildcard certificate, the certificate would only be valid for either www.example.com or mail.example.com, correct? I'd get a payed for SSL certificate from a reliable company and all my visitors to the web site would be happy.

To save some money, I was thinking of getting a free or self signed certificate for the mail server. As far as I understand on first access to the mail server our mail users would see a warning message of unknown certificate. But after it has been accepted once, by the mail users' computers, would there be any difference between this free certificate and a payed for certificate?

Somewhat related question. I currently set up example.com as alias for www.example.com in the apache conf. So if somebody accesses example.com (without "www"), the URL stays there and my certificate for www.example.com would not be valid, correct? So I'd have to add rewrite rules to change example.com to www.example.com, correct?

Improve this question

1 Answer 1

Reset to default
2

First, your understanding of this portion of how SSL certificates work is correct (there's a lot more to SSL). If you buy a wildcard cert for *.example.com, you can use that for your subdomains.

Next, a free or self signed certificate would raise a red flag if the CA (certificate authority, the certificate that signs and validates your *.example.com certificate) is not trusted by the client trying to access you. They will get the prompt each and every time they access unless they accept the CA as trusted. Most clients have a built in set of CAs they trust, which is why orgs pay big bucks for a cert signed by one of those CAs, it's a form a identity verification, which is part of what the certificates are all about. While the self signed cert is certainly doable, especially if your email client base is small and you can tell them to skip server certificate verification on their devices (if this is an exchange server or they'll be accessing email through active sync, this skipping the server cert verification would have to be done on certain mobile devices), but since the www is public I'd have to advise forking the dough over for a real cert, especially if this is for any type of ecommerce, I would be leary of shopping at a site w/ an invalid cert personally. Hope this helps.

Improve this answer
6
  • 1
    I just have one addition here - it's entirely possible to have one certificate with multiple server names. In other words, you can get a certificate that has the servername www.example.com and the alternative servername example.com. That may or may not be cheaper than getting a wildcard certificate. Commented Jan 30, 2013 at 15:29
  • @JennyD that is very true, thanks for the addition. Commented Jan 30, 2013 at 16:27
  • 1
    There are CAs that provide free certificates, even certificates with multiple subject names so you could use the same certificate for both. StartSSL is one that I've used. Commented Jan 30, 2013 at 17:00
  • Thanks for confirming. And yes, the plan is to pay for the www.example.com cert and to get a free cert for mail.example.com and tell those 10 people or so to accept it. Do those combined www.example.com/example.com certificates have a special name? Commented Jan 30, 2013 at 17:01
  • 1
    About combined certificate - it's a regular certificate, but your CA must support the extension Certificate Subject Alternative Name. Commented Jan 31, 2013 at 7:47

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.