multiple SSL certificates and the reason why we need this [message #116519]
Mon, 06 October 2014 18:56
rbremer
Messages: 11 Registered: October 2014
I know this has been discussed a number of times in this forum; however, I would like to share my experience in setting up Kerio Connect and why I have no choice but to wait for proper support of multiple certificates.
We are using two distinct mail servers with distributed domains set up. Besides POP3 we pretty much utilize all services provided by Kerio.
Hosting multiple domains will work with the following setup (considering SSL certificates):
tell your users to use server1.domain.com or server2.domain.com and use either wildcard certificates on both servers or an individual certificate holding the appropriate server name.
However, as soon as I follow the recommendation by Kerio, things get more complicated.
If you use ActiveSync and install a profile on the iPhone, the profile gets signed with the server key, which does not match the domain (server: server1.domain.com, domain: domain.com), so the iPhone will complain about not being able to verify the profile.
Communication to the HTTPS server will still be valid without any issues.
You could circumvent this issue by using a wildcard certificate *.domain.com. But not if you have more than one domain on the system. A wildcard certificate does not exist for more than one domain at a time.
But not if you use instant messaging.
When you configure IM and let your users download the appropriate installer ("Set up my Mac" in the web client), it will create a messenger account with server1.domain.com as the server name, cool. But as soon as you follow the docs and add the SRV records to your domain to point to the server, the next user will get a setup with only the domain name in the server field and the checkbox "automatically find server" checked. Now this will no longer work with the certificate if using multiple domains.
We really need proper multiple certificate handling in Kerio. We need to be able to select a certificate per service and IP. And yes, using more than one IP is crucial, because in many cases you need to present the certificate when the connection gets set up and you don't know which server name the client used. However, to sign a profile or installer you can use the appropriate certificate assigned to a domain.
We as administrators try really really hard to train our users in not accepting untrusted certificates or connections. Having to tell them, well, our internal servers are an exception, is where data security issues start.
Any feedback is greatly appreciated.
Ronny
Re: multiple SSL certificates and the reason why we need this [message #116536 is a reply to message #116521]
Tue, 07 October 2014 09:16
rbremer
Messages: 11 Registered: October 2014
It could, but every time you add a new domain you need to buy a new certificate incorporating all domains plus the server names themselves. This is very expensive, and (for those who are affected) the maximum number of SANs per certificate is 25.
And now go ahead and think about those running client views inside of DNS: internal server names are different from external server names.
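The certificate-name problem Ronny describes in both posts (a wildcard covering server1.domain.com but not the bare domain that SRV auto-discovery makes IM clients connect to, a second hosted domain that no single wildcard can cover, and split-DNS internal names that differ from external ones) comes down to the hostname-matching rule clients apply. The script below is an added example, not code from the original thread or from Kerio: it implements RFC 6125-style name matching, lists every hostname clients on a two-domain Kerio box will validate against, and reports which of them a given certificate leaves uncovered. The domain names, the internal server name and the SAN limit of 25 are assumptions taken for illustration; check your own CA's limit.

```python
# Added example (not Kerio's code): which hostnames a multi-domain mail server
# must present a valid certificate for, and whether a given certificate covers
# them. Domain names, server names and the SAN limit are assumptions.

# Constructed sample: two hosted domains on one server, with a split-DNS
# internal name that differs from the external one (second post).
DOMAINS = [
    {"domain": "example.com", "server": "server1.example.com",
     "internal": "server1.intranet.example"},
    {"domain": "example.org", "server": "server1.example.com",
     "internal": "server1.intranet.example"},
]


def cert_name_matches(presented, hostname):
    """RFC 6125-style matching as mail/IM clients apply it: exact match, or a
    wildcard that is the entire left-most label and matches exactly one label.
    '*.example.com' therefore matches 'server1.example.com' but neither the
    bare 'example.com' nor anything under a different domain."""
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == hostname
    suffix = presented[1:]                  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def client_hostnames(domains):
    """Every name a client will validate the certificate against:
    - the server name from a manually configured profile or installer,
    - the bare domain, which is what a client uses after SRV-based
      'automatically find server' (XMPP clients verify the certificate
      against the domain, not against the SRV target),
    - the internal name used inside split DNS (client views)."""
    names = set()
    for d in domains:
        names.add(d["server"])
        names.add(d["domain"])
        if d.get("internal"):
            names.add(d["internal"])
    return sorted(names)


def uncovered(cert_names, hostnames):
    """Hostnames for which this certificate would trigger a client warning."""
    return [h for h in hostnames
            if not any(cert_name_matches(n, h) for n in cert_names)]


def required_san(domains):
    """Minimal SAN list for one certificate that satisfies every client,
    which grows every time a domain (or an internal name) is added."""
    return client_hostnames(domains)


def san_fits(domains, max_san=25):
    """Whether the SAN list stays within the CA's per-certificate limit
    (25 is the figure quoted in the thread; assumption, check your CA)."""
    return len(required_san(domains)) <= max_san


if __name__ == "__main__":
    hosts = client_hostnames(DOMAINS)
    print("clients will validate against:", hosts)
    print("wildcard *.example.com leaves uncovered:",
          uncovered(["*.example.com"], hosts))
    print("single SAN certificate needs:", required_san(DOMAINS),
          "fits limit:", san_fits(DOMAINS))
```

Running it shows the wildcard certificate satisfying only server1.example.com, while the bare domains (the SRV auto-discovery case) and the internal name all fail; the one certificate that does satisfy every client is the full SAN list, which is exactly the per-domain re-issue cost the second post complains about. Until a server can pick a certificate per IP or per service (or per SNI name), the SAN list is the only option that does not train users to click through warnings.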