Harondel J. Sibble wrote:
> On 27 Sep 2008 at 13:22, mouss wrote:
>> If you have a commercial cert, you don't need a self-signed cert. Self-signed certs are for people who don't want to get a cert signed by a 3rd party (commercial or other). For email, you generally don't need a commercial certificate because your users know you and you know them, and because users don't connect to thousands of IMAP servers.
> Huh? I am looking to implement client-side certificates which have to be installed on the end-user device before they are able to connect to my mail server.
Sorry, I missed the "client" part.
But if you sign the client certificate, the commercial CA becomes irrelevant.
> I already have a commercial cert on the mail server, so that's a moot point.
> Secondly, a client cert allows me to verify that the device connecting is allowed; this is secondary to any login info the user may have, i.e. 2-factor authentication: something you know (uid/password) and something you have (certificate).
Will you consider any certificate signed by the commercial CA as valid? If so, then you don't need to sign the certificates if you use only one CA.
What would be nice would be support for a db of fingerprints (as in Postfix) so that one can accept certificates independently of the CA, and only accept "authorized" ones.
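The two policies contrasted in this exchange, "accept any certificate the commercial CA signed" versus "accept only certificates whose fingerprint is in an administrator-maintained db", as an added example in Go against the standard library. This is not code from the thread, from Dovecot or from Postfix; the CA names, user names and serial numbers are constructed test material, and the fingerprint format (upper-case, colon-separated SHA-256 of the DER) is the form openssl prints and a Postfix relay_clientcerts table is keyed on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint returns the SHA-256 fingerprint of a DER-encoded certificate,
// upper-case and colon-separated (AB:CD:...), the form openssl prints.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(sum))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// Allowlist is the "db of fingerprints": the client certificates an
// administrator has explicitly authorized, regardless of which CA signed them.
type Allowlist map[string]bool

// VerifiedByCA is the "anything the CA signed is valid" policy: an ordinary
// chain build against one trusted root, with no per-certificate authorization.
func VerifiedByCA(ca, cert *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Authorize is the fingerprint policy. The TLS handshake has already proved the
// client holds the private key for cert; here we only decide whether that
// particular certificate is authorized. The issuing CA is deliberately ignored,
// and removing a fingerprint from the list revokes the device without a CRL.
func Authorize(list Allowlist, cert *x509.Certificate, now time.Time) error {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate for %q is outside its validity period", cert.Subject.CommonName)
	}
	fp := Fingerprint(cert.Raw)
	if !list[fp] {
		return fmt.Errorf("certificate for %q (%s) is not authorized", cert.Subject.CommonName, fp)
	}
	return nil
}

// --- constructed test material below: a throwaway CA and client certs ---

func mustKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewCA creates a self-signed CA certificate (hypothetical, for this example).
func NewCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := mustKey()
	tmpl := template(name, serial)
	tmpl.IsCA = true
	tmpl.BasicConstraintsValid = true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	return mustCert(tmpl, tmpl, &key.PublicKey, key), key
}

// NewClientCert issues a client-auth certificate for user, signed by ca.
func NewClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, serial int64) *x509.Certificate {
	tmpl := template(user, serial)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return mustCert(tmpl, ca, &mustKey().PublicKey, caKey)
}

func main() {
	commercial, commercialKey := NewCA("Commercial CA", 1)
	private, privateKey := NewCA("Private CA", 2)
	alice := NewClientCert(commercial, commercialKey, "alice", 10)     // commercial CA, authorized
	mallory := NewClientCert(commercial, commercialKey, "mallory", 11) // commercial CA, NOT authorized
	bob := NewClientCert(private, privateKey, "bob", 12)               // private CA, authorized

	list := Allowlist{Fingerprint(alice.Raw): true, Fingerprint(bob.Raw): true}
	now := time.Now()
	for _, c := range []*x509.Certificate{alice, mallory, bob} {
		fmt.Printf("%-8s CA-only policy accepts: %-5v  fingerprint policy: %v\n",
			c.Subject.CommonName, VerifiedByCA(commercial, c), Authorize(list, c, now))
	}
}
```

Running it shows the difference the thread is about: the CA-only policy accepts every certificate the commercial CA ever issued (alice and mallory) and rejects bob, while the fingerprint policy accepts exactly the two enrolled devices and rejects mallory even though her certificate chains to the same CA.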