SSL Server & Mail configuration with CA Authority

mcode

Hi everyone,

I'm having a great deal of difficulty solving my SSL issues. I'm hoping that you can help me walk the right path. Below I have included the links of the areas I have already covered.

Here is what I'm trying to accomplish.

A) I would like to set up a server certificate with CA authority. I have an account with startssl.com. My plan is to create a wildcard certificate *.domain.com for my server, which is named hostname.domain.com

  1. Is this possible or even needed?
  2. I also host my website which is www.domain.com same as the dedicated server (but full name is hostname.domain.com). Will this have any conflicts?

B) I'm trying very hard to have my email use SSL. Exim is configured correctly from a self-signed point of view. The warning from Outlook comes up, but I want the purchased CA to work. How do I go about generating a CA request from the server to submit to the provider? Is there a forum thread that I have missed? I've been looking all over the place and I'm having a great deal of difficulty with this particular issue.

My biggest problem is how to create a certificate request not for a website, but for the server. Since my hostname and domain name are the same. With the wildcard could or should this be done in the DirectAdmin user level for SSL?

I hope I explained my problem thoroughly. Please let me know if you need more information.


These forums offered help about self signing. The first one does go into where to put the cert for DirectAdmin, but not how to create a request.

Setting up DA with an SSL certificate
http://help.directadmin.com/item.php?id=15

How to create a new self-signed /etc/exim.cert and /etc/exim.key
http://help.directadmin.com/item.php?id=245

How to create Self Signed
http://help.directadmin.com/item.php?id=192

been here
http://www.site-helper.com/

specifically here
http://www.site-helper.com/ssl.html

Thanks,

Matt
 
http://site-helper.com/ssl.html#install

Step 1 - Generating a CSR

And there is no way you are going to get a wildcard unless you pay for it. They cost around $300-500 USD/year.

The common name has to match whatever website you are going to put it on and it will require a static IP address. You can make the common name whatever you want: www.domain.com, domain.com or secure.domain.com, for example.
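
Generating a CSR for the server's own hostname rather than for a website, as an added example that is not part of the original thread. It uses the standard `openssl` command line; the hostname `mail.example.com`, the output directory and the function names are placeholders chosen for this illustration.

```shell
#!/bin/sh
# Added example: private key + CSR for a server hostname, checked before
# it is submitted to the CA. Hostname and paths are placeholders.

# make_csr HOST DIR -> writes DIR/HOST.key and DIR/HOST.csr
make_csr() (
    host="$1"; dir="$2"
    umask 077                          # private key readable by owner only
    mkdir -p "$dir" || exit 1
    # Config file instead of -addext so older OpenSSL releases work too.
    # The common name and the subjectAltName both carry the exact hostname
    # that mail clients will connect to.
    cat > "$dir/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/csr.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
)

# csr_has_name CSR HOST -> 0 if HOST is listed as a DNS subjectAltName
csr_has_name() {
    openssl req -in "$1" -noout -text | grep -qF "DNS:$2"
}

# csr_matches_key CSR KEY -> 0 if the CSR carries the public half of KEY
csr_matches_key() {
    a=$(openssl req -in "$1" -noout -pubkey) || return 1
    b=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage:
#   make_csr mail.example.com ./csr-out
#   csr_has_name    ./csr-out/mail.example.com.csr mail.example.com
#   csr_matches_key ./csr-out/mail.example.com.csr ./csr-out/mail.example.com.key
```

Only the `.csr` file is submitted to the CA; the `.key` file stays on the server.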
 
Wildcard Certificates from startSSL are available for as low as $59.90:

https://www.startssl.com/?app=39

> Is this possible or even needed?

Why do you think you need a Wild Card Certificate? Exactly what are you trying to use it for? Note that a wildcard certificate issued for example.com will work for any subdomain: any.example.com, but will not work for any other domain name.

> I also host my website which is www.domain.com same as the dedicated server (but full name is hostname.domain.com). Will this have any conflicts?

Not if you do it right, but the specific instructions depend on whether you've got your own domain on a separate user set up under either the admin reseller level or a separate reseller, and whether or not it's on the server's main IP#.

> B) I'm trying very hard to have my email use SSL. Exim is configured correctly from a self-signed point of view. The warning from Outlook comes up, but I want the purchased CA to work. How do I go about generating a CA request from the server to submit to the provider? Is there a forum thread that I have missed? I've been looking all over the place and I'm having a great deal of difficulty with this particular issue.

Search the DirectAdmin knowledgebase or these forums. This has been discussed many times.

> My biggest problem is how to create a certificate request not for a website, but for the server. Since my hostname and domain name are the same. With the wildcard could or should this be done in the DirectAdmin user level for SSL?

You can have a Certificate for DirectAdmin login, and another for your domain name, even if you've got only one IP#, as long as you leave the DirectAdmin login on port 2222 and don't set up a proxy for it to run on port 80 or port 448. Complete instructions can be found on these forums and on the DirectAdmin Knowledgebase.

> These forums offered help about self signing. The first one does go into where to put the cert for DirectAdmin, but not how to create a request.

Here's information in the knowledgebase on how to create a CSR for a Certificate for use at the DirectAdmin login level; read the entire entry, through the bottom, and then see the link at the very bottom.

> Is there anyone that can help?

Sure; I've already given you all the direction most of us have ever needed in this thread. I also offer a service wherein I can do it for you, and if I do it for you I'm happy to send you a list of absolutely everything I did.

But even if you live next door to my office, I don't teach a class :( .

I'm not the only contract administrator on these forums; please feel free to search these forums for others, or to contact me at the email address below in my siglines for further information on my commercial services.

Note: You probably shouldn't use domain.com as your examples, especially in such a way (for example with www. in front of it, so the forum creates a link). Here's why:

The domain.com domain name was bought by the largest webhosting company in the world (their latest acquisition was Dotster; they also own HostGator and lots of other companies). Why did they spend all that money? Because every time anyone uses domain.com in a link, they get linked to, resulting in greater Google credibility, etc., and if you're not careful lots of links from here and even from your own website.

Why would you want all those links to a competitor? I sure don't.

Any votes for making domain.com a dirty word :) ?

Jeff
 
Jeff,

Thanks for your advice and direction. I did purchase a wild card at startssl I'm very pleased with the service. I have secured the website, but now I'm trying to get the email to do the same thing. I feel I'm close... hopefully will have it accomplished soon. Thanks again.

Matt
 
Startssl looks very shady to me. I probably wouldn't use them for the fact they are not a US company. I am sure they are good for people wanting to save some money though.
 
> Startssl looks very shady to me.

Based on what? If you just say this without justification, then it appears you're spreading FUD.

> I probably wouldn't use them for the fact they are not a US company.

Many of us posting here are not US companies. Including JBMC (the guys who publish DirectAdmin and own this site). Many other Certificate Authorities are not US-based companies, though many of them have US offices.

My understanding is that StartSSL was developed to create a solution to the need for low-priced Certificates. They have no information on their site about Server Ubiquity but their own site is protected by their high assurance Greenbar Certificate, and it's accepted by the most recent versions of both Firefox and Chromium, which I run.

Jeff
 
> I'm trying to get the email to do the same thing. I feel I'm close... hopefully will have it accomplished soon. Thanks again.

You're very welcome. It's my understanding that some Certificates don't work with email. Have you asked them if theirs does?

Jeff
 
Yes, they are VERY shady. They do bait and switch, and charge for things they shouldn't.

> Startssl looks very shady to me. I probably wouldn't use them for the fact they are not a US company. I am sure they are good for people wanting to save some money though.
 
Sure, I signed up with them because I wanted to test a free cert. I was able to get the cert, but then I reloaded the server and forgot to back it up. I thought "no biggie, I'll just log in and download it again". I tried to log in but their login didn't accept my credentials (and I know they were right). I went to their help and it said to create a new account, and once logged in have them fix the one with the creds problem. Ok, did that. Once in I used their help and contacted them. In order to restore my old account I need to delete my new one! Why? Don't know. The charge to delete the new one was $25. Really? $25 to delete an account that I never wanted or needed. The only reason I have it was because I followed their instructions. Never told what happened to my login. I am 100% sure I got it right. It is their "shady" way to get you to pay for something they claim is free. What would be the honorable way to do it is simply say it was a short trial. When I said I was not going to pay to have the account deleted, they told me the only other way to fix my other account (which I did nothing to break) was to pay them $59 for an "upgrade". After going around and around with them, I gave up. I no longer have a cert from them because I wouldn't let them extort money from me. I know you get what you pay for, but if they want to do stuff like this before I give them money, imagine how bad it will be after you pay for something? If I paid the $25 or the $59 and my account broke again, would I have to pay again? You bet!

Hence: Shady.
 
> Wildcard Certificates from startSSL are available for as low as $59.90:

StartSSL™ identity and organization validation are available for only US $ 59.90 each, where organization validation implies prior identity validation. Once validated, certificates are freely available through the advanced StartSSL™ Control Panel and unlimited for 350 days of the validated identity/organization.

https://www.startssl.com/?app=2

> If I paid the $25 or the $59 and my account broke again, would I have to pay again? You bet!
>
> Hence: Shady.

They allow authentication only through a free email cert, which you should keep active and validated. It expires every year. And of course without a valid cert you won't be able to login. That's why I've got 2-3 email certificates from them, which expire on different months.

Though I don't pay a cent to them I use their free certs and I'm rather happy with that.
 