[TriLUG] Re: Self Signed CA for mail server

Jon Carnes jonc at nc.rr.com
Thu May 6 17:49:20 EDT 2004


On Thu, 2004-05-06 at 16:13, spain at ncssm.edu wrote:
> Is the reason you would want to do a self signed CA for a secure mail
> server that hosts multiple domains so when users connect thru POP or
> IMAP SSL, the domain name will match instead of having one blanket
> Cert that may not match each domain?
>  
No.

The reason to run a self-signed CA is so that you can have multiple
machines running self-generated Certs and only have your domain users
download one cert to read/accept them all.  Once they accept your CA as
an authorized authority, then they will also accept every cert that
you sign.

You can then enable SSL for every server (with their own certificate)
and not have to pay anyone a cent.  This is very useful for larger
spread out organizations like schools and universities.  Most folks just
want to use SSL for the secure transport - they don't need the IP
authentication (though they get that as well as long as they run a
secure setup and don't hand out certs before doing some form of security
audit of the request).

Jon Carnes
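
The arrangement described in the reply above, as an added example that is not part of the original post: one private CA signs a certificate for each server, and a client that trusts only the CA certificate accepts each of them under its own name. The hostnames, organisation name and file names are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. Hostnames, organisation name and file names are constructed.
demo_dir=$(mktemp -d)

make_ca() {
    # Self-signed root: the one certificate users import into their mail client.
    cat > "$demo_dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example School
CN = Example School Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$demo_dir/req.cnf" \
        -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
}

issue_cert() {
    # $1 = server hostname. A key and CSR are created for the server (-subj
    # overrides the [dn] section), then the CA key signs the CSR.
    openssl req -newkey rsa:2048 -nodes -config "$demo_dir/req.cnf" \
        -subj "/CN=$1" \
        -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$demo_dir/$1.ext"
    openssl x509 -req -in "$demo_dir/$1.csr" -days 365 \
        -CA "$demo_dir/ca.crt" -CAkey "$demo_dir/ca.key" -CAcreateserial \
        -extfile "$demo_dir/$1.ext" -out "$demo_dir/$1.crt" 2>/dev/null
}

client_accepts() {
    # $1 = certificate file, $2 = hostname the client connected to.
    # Trust comes only from ca.crt; succeeds when chain and name both verify.
    openssl verify -CAfile "$demo_dir/ca.crt" -verify_hostname "$2" "$1" 2>&1 \
        | grep -q ': OK$'
}

make_ca
issue_cert mail.example.org
issue_cert imap.example.org
```

Only `ca.crt` is distributed to users; `ca.key` stays on the signing machine, since anyone holding it can issue certificates that every one of those clients will accept.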



