Re: [exim] Locally Sign certificates

Author: W B Hacker
Date:  
To: exim users
Subject: Re: [exim] Locally Sign certificates
Kebba Foon wrote:
> Hi List,
>
> is it advisable to sign your own certificates to use on a production
> environment?
>
>
>


IMNSHO, depends more on your client count and type than on the mechanics
of the cert and ca.

- server-to-server SSL/TLS transfers do not ordinarily 'care' about the
credentials of the ca unless TOLD to do so (still rare).

- end-user MUA submission (and POP/IMAP recovery - not Exim issues, but
MAY use same certs), DO 'care', at least the first time, and sometimes
EVERY time.

- If you serve one or a few multi-seat user groups with slow/low staff
turnover such as SOHO, SME, where one set of training and instructions
as to how to configure the MUA(s) to accept a self-signed cert are
low-hassle and low support workload/cost? Self-signed will work fine.

- If you are a sizable ISP, ISP-like portal, or otherwise have a larger
user community, higher turnover, harder time 'reaching' users to explain
MUA configuration ... then the relatively small cost of open/community
or for-fee commercial cert & ca becomes cheaper than support workload
costs 'Real Soon Now'.

Starting with a self-signed and switching to one from a recognized CA
if/as/when you hit the point where it justifies the cost is probably as
good a way forward as any other.


Bill
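
Added example, not part of the message above: a shell sketch of why an MUA complains about a self-signed certificate and what "configuring the MUA to accept it" amounts to, using the `openssl` CLI. The hostname, file names and function names are constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholder hostname; use the name your users' MUAs connect to.
HOST="mail.example.test"

# Create a self-signed certificate and private key in directory $1.
# Exim would be pointed at these with tls_certificate / tls_privatekey.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$HOST" \
        -keyout "$1/exim.key" -out "$1/exim.crt" 2>/dev/null
    chmod 600 "$1/exim.key"
}

# A client that has never seen the cert: no trust anchors at all.
# Prints "rejected" or "trusted".
verify_untrusted() {
    if openssl verify -no-CAfile -no-CApath "$1/exim.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# A client that was told to trust exactly this cert (what the per-MUA
# instructions achieve). Prints "rejected" or "trusted".
verify_pinned() {
    if openssl verify -CAfile "$1/exim.crt" "$1/exim.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

# SHA-256 fingerprint to hand to users out of band, so they can compare it
# with what the MUA shows before accepting the certificate.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1/exim.crt"
}

demo_dir=$(mktemp -d)
make_self_signed "$demo_dir"
echo "unconfigured client: $(verify_untrusted "$demo_dir")"
echo "configured client:   $(verify_pinned "$demo_dir")"
fingerprint "$demo_dir"
rm -rf "$demo_dir"
```

A certificate from a recognized CA removes the per-client step because the trust anchor is already in the client's store.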