Hi,
Recently I started thinking about how I could secure my server even better. I currently have set up SSL (with a self-signed certificate) but obviously any browser/email client will give a warning about this.
So: I want to get a few cheap certificates for my domains.
For example I have these domains:
- domain1.com
- domain2.com
- domain3.com
I don't care about domain3 so I just leave that; domain2 only needs https, so domain2.com and www.domain2.com.
For domain1.com however I want to secure both http (www. and domain1.com) as well as email (mail.domain1.com).
A wildcard (or multi-domain) certificate is really expensive when I compare it to a single-domain one. Therefore my idea was to request 3 certificates:
1: www.domain1.com and domain1.com (yes, the www part is free)
2: mail.domain1.com
3: www.domain2.com and domain2.com
So now the difficult part:
Currently my domains are located under the DA 'admin' account with 1 (one) shared IP for ALL domains (including other resellers). I do have 1 (one) 'free' IP available if that is needed. However, as far as I understand I can only have 1 certificate for each IP, so I would need 3 IPs for my setup, right?
So I started looking into this and I came across the SNI (http://directadmin.com/features.php?id=1100) option. As far as I know this should work for Apache and email (Dovecot). I started trying with some free certificates, but even with the SNI option 'on', when (as an admin) I add an SSL certificate DA notifies me that because I'm an admin it replaced the "server.key" and "server.crt", but obviously that's not what I want.
Next step: I created the .key and .crt file of domain2.com and changed the "/usr/local/directadmin/data/users/admin/domains/domain2.com.conf" file to point to the new key file. But of course this is only the HTTP part (the only part I need for domain2).
My questions:
- Is this the best way to do this? (I hope not, because I don't see a way to add a certificate for a separate subdomain)
- How can I do this for my email, Dovecot? I found something about adding a 'local_name domain1.com' to the Dovecot config but (could be my certificate) that doesn't work.
- Would it be better to move my domains to a separate reseller with its own IP (but in that case I would still have 2 domains @ 1 IP)?
I'd really appreciate it if someone can explain this in a bit more detail to me!
(note: the above is my interpretation of SSL; if there is anything incorrect please let me know)
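An added check, not from the post or from DirectAdmin: once SNI is switched on, this script confirms that Apache and Dovecot actually hand out the per-domain certificate for each name (rather than the shared server.crt) by connecting with a given SNI name and comparing the served subjectAltName against it. The host address and the 443/993 ports are assumptions; the SAN matching is pure shell and runs offline.

```shell
# Added example (not DirectAdmin's code). HOST below is a placeholder address;
# the SAN matching in name_covered() is pure shell and needs no network.

# Print the subjectAltName line of the certificate served at host:port ($1) for
# SNI name $2, e.g. "DNS:www.domain2.com, DNS:domain2.com". Optional $3 is an
# openssl STARTTLS protocol (imap, pop3) for ports that upgrade after connecting.
served_sans() {
    if [ -n "${3:-}" ]; then starttls="-starttls $3"; else starttls=""; fi
    openssl s_client -connect "$1" -servername "$2" $starttls </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Return 0 if name $2 is covered by the comma-separated SAN list $1 ("DNS:a, DNS:*.b").
# A wildcard covers exactly one label, as browsers and mail clients enforce:
# *.domain1.com matches mail.domain1.com but not domain1.com or a.b.domain1.com.
name_covered() {
    sans=$1; name=$2; saved_ifs=$IFS; IFS=','
    for entry in $sans; do
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//')
        case $entry in
            "$name") IFS=$saved_ifs; return 0 ;;
            \*.*)
                suffix=${entry#\*}          # ".domain1.com"
                label=${name%"$suffix"}     # "mail" if name ends with the suffix
                if [ "$label" != "$name" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
                    IFS=$saved_ifs; return 0
                fi ;;
        esac
    done
    IFS=$saved_ifs; return 1
}

# Probe one host:port/SNI pair and report whether the served certificate covers the name.
check_sni() {
    sans=$(served_sans "$1" "$2" "${3:-}")
    if [ -z "$sans" ]; then echo "FAIL $1 sni=$2: no certificate returned"; return 2; fi
    if name_covered "$sans" "$2"; then
        echo "OK   $1 sni=$2 -> $sans"
    else
        echo "FAIL $1 sni=$2 -> got $sans (default server.crt instead of the per-domain one?)"; return 1
    fi
}

# Probe the poster's layout; set RUN_SNI_PROBE=1 HOST=<server> to actually connect.
if [ "${RUN_SNI_PROBE:-0}" = 1 ]; then
    HOST=${HOST:-203.0.113.10}                   # placeholder address
    check_sni "$HOST:443" www.domain2.com        # Apache, domain2 certificate
    check_sni "$HOST:993" mail.domain1.com       # Dovecot IMAPS, mail certificate
    check_sni "$HOST:143" mail.domain1.com imap  # Dovecot IMAP with STARTTLS
fi
```

A FAIL on 443 or 993 with the server.crt names in the output means the SNI block for that name is not being picked up, which is the symptom the post describes.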