SSL options help

tony1234

I have read all ssl posts and my head is spinning. Could someone please answer yes or no to the following questions, so I will know which general direction to go down? (Please note I am the admin of my server, running DA and CentOS 4.1). (Please note that "mydomain.com" is not my domain but just example words for these questions)
1) Installing a ssl cert for a single domain (www.mydomain.com)
1a) Will all subdirectories (such as https://mydomain.com/page1.php) work also? (I assume anything in the DA private html would work)
1b) Will using squirrelmail from a link from my site work with the same ssl cert? (https://www.mydomain.com/squirrelmail)
2) Installing a ssl cert for DA panel ssl access.
2a) Can I have ssl DA access work for the above domain if I installed that same cert for DA?
2b) If yes, will the link to webmail(squirrelmail) work with the cert with no mismatch popup? Phpadmin also?
2c) Can I have all other resellers for other domains in DA *not* use ssl for DA panel access? (It appears DA is ssl for everyone or not).
2d) If no, do I have to install a different ssl cert into DA than the one discussed in 1a-b above for theirs (using other domain names for the urls into DA panel) to work?
3) If I have to install a server cert for DA to get everyone to pass the DA ssl access, is there any way to make all their links (from all their domains:2222 in DA panel) work to webmail/squirrelmail without getting the popup/mismatch?

My overall preference is to get all DA panel logins for the resellers and users to always pass the ssl without popups for both DA panel, links to PHPadmin, and webmail, OR,
Just have the same DA access work (DA panel and links to webmail) for the one domain only as described in 1a-1b, and force everyone else's panel items to always use just http:// (the one domain in 1a-b is mine obviously and my ssl access to DA panel is my biggest concern). But it can't make their links have the snakeoil or similar popup.

Thanks in advance for your time reading and your help.
 
tony1234 said:
1) Installing a ssl cert for a single domain (www.mydomain.com)
1a) Will all subdirectories (such as https://mydomain.com/page1.php) work also? (I assume anything in the DA private html would work)
Yes. But unless you follow threads in these forums on how to use one directory for both secure and non-secure pages, all files to be accessed securely will have to be in private_html.
1b) Will using squirrelmail from a link from my site work with the same ssl cert?
Yes.
2) Installing a ssl cert for DA panel ssl access.
2a) Can I have ssl DA access work for the above domain if I installed that same cert for DA?
Yes, but you can only have one cert installed in DA, so anyone accessing DA through another domain name will get a name mismatch error.
2b) If yes, will the link to webmail(squirrelmail) work with the cert with no mismatch popup? Phpadmin also?
Do you mean PHPMyAdmin? Not tested here; note that the same issues about name mismatch error might occur.
2c) Can I have all other resellers for other domains in DA *not* use ssl for DA panel access? (It appears DA is ssl for everyone or not).
You cannot, as DA doesn't have any idea how it's being accessed and is either secure or not.
2d) If no, do I have to install a different ssl cert into DA than the one discussed in 1a-b above for theirs (using other domain names for the urls into DA panel) to work?
We use and announce the "host name" and use it for the DA cert; everyone uses that hostname to logon to DA.
3) If I have to install a server cert for DA to get everyone to pass the DA ssl access, is there any way to make all their links (from all their domains:2222 in DA panel) work to webmail/squirrelmail without getting the popup/mismatch?
DA will call either webmail client the same way it calls itself. We use the same certificate for both DA and for the hostname login to squirrelmail/webmail, so there's no name mismatch.
My overall preference is to get all DA panel logins for the resellers and users to always pass the ssl without popups for both DA panel, links to PHPadmin, and webmail, OR,
Just have the same DA access work (DA panel and links to webmail) for the one domain only as described in 1a-1b, and force everyone else's panel items to always use just http://
Which is how we do it using a Secure Site Certificate for the hostname.
(the one domain in 1a-b is mine obviously and my ssl access to DA panel is my biggest concern). But it can't make their links have the snakeoil or similar popup.
Buying a cert for the hostname, and changing your outgoing emails to let clients know to use the hostname, is probably the best way to do it, given the limitations of both apache and DA in using secure certificates.

Jeff
 
Thanks, Jeff, this really helped. I would have not thought that, which means all the posts really did confuse me. A couple of follow-up questions:
1) I assume since the hostname (for me is server.mydomain.com)("mydomain"=sample words), the ssl cert would be for server.mydomain.com specifically)
1) It appears under your scenario, the domain used in squirrelmail is the user's primary domain. Is this your understanding? I didn't think it would work this way, maybe getting the domain associated with the hostname, which if it happened I was curious how those users were defined for the domain name associated with the hostname. But getting their primary domain name in squirrelmail appears to be the case and that seems best anyway logically. (Not sure how this works since the http:/hostname/squirrelmail appears to be the link in - how does this work?)
2) In the above scenario, the owner of the domain associated with the host is a reseller. (that is how I was testing it). Who is the best choice for the owner of the hostname's domain? Admin? A reseller? If Admin is the answer, I am not sure how to have the Admin own that domain. I just from Admin created a reseller with the domain associated with the hostname as their default domain. If Admin is the better choice, I might need a hint on how to change this. (Currently I am the only reseller since I was testing but not for long which is why I had better ask).
3) If I want the domain associated with the hostname to have ssl for the www name, not the server.... example I mentioned in question 1, I have to buy another cert for that on the domain? Can I do that, have two, or do I need a wildcard cert instead? And would that work for all the above?

Thanks for your help, and by the way all this help is not for nothing, as I intend to get my 2nd-nth server from you (as well as let you run my current one) once I get up and running and have more money. (I respect you a lot) This server stuff is very interesting and addicting (especially the security), but I think once I have more money I will leave that to you, as spending my time on "ideas" is time better spent I think. I have some killer ideas.
 
Umm, too much in a hurry above. Please consider numbers 1,1,2,3 to be 1,2,3,4. Haha
 
tony1234 said:
Thanks, Jeff, this really helped.
You're very welcome.
1) I assume since the hostname (for me is server.mydomain.com)("mydomain"=sample words), the ssl cert would be for server.mydomain.com specifically)
While it's not required that's how we do it.
1) It appears under your scenario, the domain used in squirrelmail is the user's primary domain. Is this your understanding? I didn't think it would work this way, maybe getting the domain associated with the hostname, which if it happened I was curious how those users were defined for the domain name associated with the hostname. But getting their primary domain name in squirrelmail appears to be the case and that seems best anyway logically. (Not sure how this works since the http:/hostname/squirrelmail appears to be the link in - how does this work?)
You can link to squirrelmail from any domain name on the server, and once you're there, you can log in to any domain.

For example, when I'm travelling I browse to:

https://da1.namelessnet.net/squirrelmail

and then I log in to my email account at nobaloney.net (see my sig). This works for any domain name combination; not just the hostname.

We use the hostname because we think that's least likely to be confusing.
2) In the above scenario, the owner of the domain associated with the host is a reseller. (that is how I was testing it). Who is the best choice for the owner of the hostname's domain? Admin? A reseller? If Admin is the answer, I am not sure how to have the Admin own that domain. I just from Admin created a reseller with the domain associated with the hostname as their default domain. If Admin is the better choice, I might need a hint on how to change this. (Currently I am the only reseller since I was testing but not for long which is why I had better ask).
Your hostname already exists and you'd best not try to create it as a domain on the server. It's even got its own website, at /var/www/html.

Creating the CSR for it should be done from the command line; if you don't know how to do it you can google for the right way to do it or possibly find it on these forums, or alternatively if you buy a "We install" cert from us we do it for you.
3) If I want the domain associated with the hostname to have ssl for the www name, not the server.... example I mentioned in question 1, I have to buy another cert for that on the domain? Can I do that, have two, or do I need a wildcard cert instead? And would that work for all the above?
Yes, you can create a cert for the www.example.com; to do that you create a site example.com, but it'll need its own IP# and it'll need SSL turned on for it. Then you can use the DA built-in system for creating the CSR, and by default the CSR will be for a cert at www.example.com.
Thanks for your help, and by the way all this help is not for nothing, as I intend to get my 2nd-nth server from you (as well as let you run my current one) once I get up and running and have more money. (I respect you a lot)
Thanks very much. Please be assured I'm always happy to help as time and resources permit.

Jeff
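The name-mismatch behaviour discussed in this thread, and the wildcard question raised in the follow-up, can be checked with a short script. This is an added example, not part of any post: the host names and URLs are constructed, and the matching rule is a simplified form of the browser check (exact name, or `*` as the whole left-most label; no IP addresses or internationalized names).

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or '*' standing in for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require two fixed labels after '*' so a pattern like "*.com" is refused.
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def mismatches(cert_names, urls):
    """Return the URLs whose host is not covered by any name in the certificate."""
    bad = []
    for url in urls:
        host = urlsplit(url).hostname or ""
        if not any(name_matches(n, host) for n in cert_names):
            bad.append(url)
    return bad

# Constructed sample: URLs that users of one server might type.
# Port 2222 is the panel port mentioned in the thread.
URLS = [
    "https://server.example.com:2222/",
    "https://server.example.com/squirrelmail",
    "https://www.example.com:2222/",
    "https://www.reseller-site.example:2222/",
    "https://example.com/page1.php",
]

HOSTNAME_CERT = ["server.example.com"]   # cert issued for the server hostname
WILDCARD_CERT = ["*.example.com"]        # hypothetical wildcard alternative

if __name__ == "__main__":
    for label, names in (("hostname cert", HOSTNAME_CERT),
                         ("wildcard cert", WILDCARD_CERT)):
        print(label, "mismatch on:", mismatches(names, URLS))
```

A wildcard for one domain covers `server.` and `www.` under that domain, but not the bare domain and not any other customer's domain, so publishing a single host name for panel and webmail access is what removes the warning for everyone.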
 