BTW, you can get free certificates from http://cacert.org (no affiliation except as a user), though the first time your users see them they may have to answer a pop-up about a "funny" certificate.
(My experience is that most users just click OK and don't give it much thought. The ones who do think about it tend to be more sophisticated anyhow, so they can sort it out rather than just switching off the computer in a panic and watching TV for the rest of their lives.)I personally use RapidSSL (from a company call Trustico in the UK.)
They cost around £9 per year per domain, and are recognised by major browsers so no warning messages about untrusted certificates. The only downside is they don't give any organisational information out (except that the certificate owner has been verified.)
I'm experimenting with a godaddy multiple domain cert (they call them UCC certs). It works out at a couple of pounds per domain per year, so pretty affordable. So far the process seems straightforward. Notes to self:
- Request the cert with your company name in the requestor account details (check spelling carefully to prevent delays).
- Generate the cert request with your official company name in the Organisation (check spelling) and any trading name in the OrgUnit section, CN=main.domainname.com.
- Then you can add extra domain names on the godaddy website
- All the extra names are checked as belonging to you solely based on the company name (from Organisation entry) being in the whois info (so update whois 24 hours before if necessary). Emails are sent to the whois links, so also check they are correct
- Cert comes back as a chained cert, so you need to do the following:
- "cat new.godaddy.crt gd_intermediate_bundle.crt > /etc/ssl/dovecot/server.pem"
- The godaddy instructions create a key file with a password, either remove the "-des" option or remove the password with: "openssl rsa -in godaddy.key -out /etc/ssl/dovecot/server.key"
So far this seems to allow me to use multiple domain names (at totally different domains) to contact my server - for my needs this is better than a wildcard because I can have mail.domain1.com and mail.domain2.com without any problems
Hope this helps
Ed W