On Tue, 2011-04-05 at 09:22 +0000, W B Hacker wrote: > Kebba Foon wrote:
> > Hi List,
> >
> > is it advisable to sign your own certificates to use on a production
> > environment?
> >
> >
> >
>
> IMNSHO, depends more on your client count and type than on the mechanics
> of the cert and ca.
>
> - server-to-server SSL/TLS transfers do not ordinarily 'care' about the
> credentials of the ca unless TOLD to do so (still rare).
Its for server-to-server transfers, it seems that there is a mail server
that wont talk on plain text to my server, it always want to do
starttls.
> - end-user MUA submission (and POP/IMAP recovery - not Exim issues, but
> MAY use same certs), DO 'care', at least the first time, and sometimes
> EVERY time.
Am not sure how to make the setting only do MTA to MTA and not with the
MUA(s), maybe there is a setting to turn this of. on my config am doing
tls_advertise_hosts = *
> - If you serve one or a few multi-seat user groups with slow/low staff
> turnover such as SOHO, SME, where one set of training and instructions
> as to how to configure tha MUA(s) to accept a self-signed cert are
> low-hassle and low support workload/cost? Self-signed will work fine.
>
> - If you are a sizable ISP, ISP-like portal, or otherwise have a larger
> user community, higher turover, harder time 'reaching' users to explain
> MUA configuration ... then the relatively small cost of open/community
> or for-fee commercial cert & ca becomes cheaper than support workload
> costs 'Real Soon Now'.
yea i have a few thousand users on my system currently, and been have
lots of trouble lately.
> Starting with a self-signed and switching to one from a recognized CA
> if/as/when you hit the point where it justifies the cost is probably as
> good a way forward as any other..
I will probably be testing this first with my self-sign certificate and
see how things turn our. >
> Bill
>
> Kebba
