Solved: Security certificates - how much do I need to spend?

All,

With the generous help of people on this forum, my new server is up and running. However, I am having a few challenges with respect to security certificates.

To get Outlook email working, I had to install my self-signed certificate. This is not a big deal. To access webmail.domain.tld, I am again being asked to grant a security exception. Again, not a big deal.

It seems to me that I could avoid all of this if I purchased a security certificate; however, most are quite expensive. My registrar, namecheap.com, does sell an inexpensive one, see https://www.namecheap.com/ssl-certificates/comodo/positivessl-certificate.aspx, but I am not sure if this suffices. This certificate seems to work for a single domain only, i.e., something.domain.tld. The wildcard version, i.e., *.domain.tld, costs more than 10 times the cost of this certificate.

As an aside, I do not plan on offering any products for sale, etc., so the certificate would be for ‘internal’ purposes only. What are your recommendations?

I’m using the certificate authority “StartSSL” (www.startssl.com). You get free Class-1 (email/domain validated) certs there. If you need Class-2 (identity validated, allows you to create wildcard certs and multi-domain certs) you pay a fee of $59 for the validation (which is good for one year), and that enables you to create as many certs (valid for two years each) as you want.

Locutus,

Thanks for the reply. I think that I am most of the way to having this issue resolved. (And note, it is (I think) a minor issue since there are work-arounds).

I followed the instructions here http://www.virtualmin.com/documentation/id,ssl_and_virtualmin/ to install the certificate and those on the StartSSL website.

I was able to verify that this process worked (at least in part) because I created a MS Outlook account and did not receive the warning message, “The server you are connected to is using a security certificate that cannot be verified.”

I then deleted the security exceptions contained within Firefox and restarted the browser. When I tried to access the virtualmin control panel, I received the ‘This connection is untrusted’ warning. This led me to this set of instructions, https://www.startssl.com/?app=21, which I followed, but the problem persists.

What step did I miss?

Howdy,

You may need to add a “CA Certificate”. Not all SSL certs require that, but many do, especially the less expensive ones.

You can add that in Server Configuration -> Manage SSL Certificate -> CA Certificate.

Also, I find this site here helpful in diagnosing SSL certificate problems:

http://www.sslshopper.com/ssl-checker.html

Eric,

Thanks for the pointer to http://www.sslshopper.com/ssl-checker.html. This made the problem quite obvious - the free certificate is for domain.tld and mail.domain.tld only. The domain which caused the problem is admin.domain.tld - this makes sense.

So, I need to create an exception or pay money for a wildcard certificate. I think I know which route I will be taking…
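
The diagnosis reached in this thread comes down to how a client matches the hostname it connects to against the names listed in the certificate. The following Python sketch is an added example, not part of the original thread or of Virtualmin: the service list and the wildcard certificate's name list are constructed from the hostnames mentioned above, and the matching follows RFC 6125 conventions for DNS names.

```python
# Added example: hostnames are the placeholders used in the thread (domain.tld).

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one certificate DNS name entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # Wildcard is only honoured as the whole leftmost label. Requiring two
        # literal labels after it (rejecting "*.tld") is a conservative
        # assumption that mirrors common client behaviour.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def coverage(sans, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    return {h: next((s for s in sans if san_matches(s, h)), None)
            for h in hostnames}

# Hostnames mentioned in the thread.
SERVICES = ["domain.tld", "mail.domain.tld", "webmail.domain.tld",
            "admin.domain.tld"]
# Names on the free certificate, as reported by the checker in the thread.
FREE_CERT_SANS = ["domain.tld", "mail.domain.tld"]
# Constructed name list for a hypothetical wildcard certificate.
WILDCARD_SANS = ["domain.tld", "*.domain.tld"]

def uncovered(sans, hostnames=SERVICES):
    """Hostnames that would still trigger a name-mismatch warning."""
    return [h for h, s in coverage(sans, hostnames).items() if s is None]

if __name__ == "__main__":
    for label, sans in (("free", FREE_CERT_SANS), ("wildcard", WILDCARD_SANS)):
        print(label, "certificate, warning on:", uncovered(sans) or "none")
```

Note that a `*.domain.tld` entry does not cover the bare `domain.tld` or a deeper name such as `a.b.domain.tld`, so the name list of any purchased certificate is worth checking against every hostname the server actually answers on.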