BTW, you can get free certificates from http://cacert.org (no
affiliation except as a user), though the first time your users see
them they may have to answer a pop-up about a "funny" certificate.
(My experience is that most users just click OK and don't give it
much thought. The ones who do think about it tend to be more
sophisticated anyhow, so they can sort it out rather than just
switching off the computer in a panic and watching TV for the rest of
their lives.)
I personally use RapidSSL (from a company call Trustico in the UK.)
They cost around £9 per year per domain, and are recognised by major
browsers so no warning messages about untrusted certificates. The
only downside is they don't give any organisational information out
(except that the certificate owner has been verified.)
I'm experimenting with a godaddy multiple domain cert (they call them
UCC certs). It works out at a couple of pounds per domain per year, so
pretty affordable. So far the process seems straightforward. Notes to
self:
- Request the cert with your company name in the requestor account
details (check spelling carefully to prevent delays).
- Generate the cert request with your official company name in the
Organisation (check spelling) and any trading name in the OrgUnit
section, CN=main.domainname.com.
- Then you can add extra domain names on the godaddy website
- All the extra names are checked as belonging to you solely based on
the company name (from Organisation entry) being in the whois info (so
update whois 24 hours before if necessary). Emails are sent to the
whois links, so also check they are correct
- Cert comes back as a chained cert, so you need to do the following:
- "cat new.godaddy.crt gd_intermediate_bundle.crt >
/etc/ssl/dovecot/server.pem"
- The godaddy instructions create a key file with a password, either
remove the "-des" option or remove the password with: "openssl rsa -in
godaddy.key -out /etc/ssl/dovecot/server.key"
So far this seems to allow me to use multiple domain names (at totally
different domains) to contact my server - for my needs this is better
than a wildcard because I can have mail.domain1.com and mail.domain2.com
without any problems
Hope this helps
Ed W