Issuing my own certificates

Discussion in 'General' started by LaxSlash1993, Sep 29, 2015.

  1. LaxSlash1993

    LaxSlash1993 New Member

    Ok.... so I've admittedly never fooled around with SSL before but after installing ISPConfig 3, I'm looking into it a little bit before going into production to see if I want to act as a CA of sorts as well.

    Hoping to get some answers from some other webhosts here, but:
    - Is your certificate for Mail, FTP and the panel self-signed or verified? Right now, I have the self-signed ones in place for all three services, but I'm wondering if I should really invest in the trusted/verified certificates for those three services - is it really all that important to get a cert from VeriSign or someone like that? If so, what's the cheapest and most painless that I can get for commercial use?

    - Do you issue your clients certificates as your own CA free of charge or with a charge? Is this legal? Obviously I'm not/wouldn't be a "Trusted Root CA," but I could provide the certs for someone that's running their own little personal website, couldn't I?

    - So say I did get a trusted certificate for my SMTP Server, If someone connected via their domain to my server, for example mail.someclient.tld, would they need their own seperate certificate or would mine still be trusted for them?

    - I'm confused on non-trusted vs. self-signed. My FTP Certificate, for example, is issued by the same entity that holds it. That's self-signed. But now, say that I setup a CA with everything the same, except for an Organizational Unit of say "SSL Certs Dept." and then issue one for my FTP Server with an Organization Unit of "FTP" - does that still count as a self-signed certificate? And if not, will it be trusted by web-browsers/mail clients/FTP Clients/etc?

    Asking here because the more that I read into it, the more confused I get and the more questions I have.

    Edit: Ok, after a bit more research, I found this:

    Now, provided that I truly have to go the route of buying one. That begs two questions -
    - Which one do I get to support all of my services, ie: mail.myhost.tld, www.myhost.tld, myhost.tld:8080, etc? Keep in mind that I plan on doing this commercially, so does that change my requirements for what I'd need?
    - Is forming my own CA to issue clients (free) certificates for their websites still okay, or is it advised against?
    Last edited: Sep 29, 2015
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    If you are looking for non-selfsigner-certs and you donĀ“t need a wildcard-cert, have a look at startssl. They offer class1-certs for free. But you need a cert for ftp, mail, www and so on if you use ftp.doman oder mail.domain to access the service.
  3. LaxSlash1993

    LaxSlash1993 New Member

    So I can use Class 1 as a web host for other people/for my server to secure those services and I don't need a Class 2 or 3?
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    You can ask the guys from startssl if you should create individual accounts for different "site-holders". The class1-cert does not requiere any real verfication and is for free.
  5. LaxSlash1993

    LaxSlash1993 New Member

    I found out that I can get a Wildcard one for a decent price from Namecheap. Not going with StartSSL because it looks like my personal information would go on the cert - but looking at that site helped clear a few other things up for me that I had questions about. Thanks for the suggestion.
  6. sjau

    sjau Local Meanie Moderator

    I still hope a Let's Encrypt module for ISPConfig will come out :)
    Let's Encrypt starts offering general certs in november (last I've heard).
    That would solve all the ssl issues. I tend to think ISPConfig should then even use/create ssl certs by let's encrypt by default :)

Share This Page