Zimbra 5.x and the SSL/TSL Certificate

[todd_dsm]

Hey all, newb on deck- I have a multi-parter...

First, I've done some nosing around the net to find any USEFUL resource that can explain the relevance of the SSL/TSL Certificate 'Self-generated vs. External' (verisign, thawte, startcom, etc). If anyone knows of an educational piece on this I would be grateful. I'm really only interested in SSL/TSL as it applies to email and what's required by the IMAP-related entries in the RFC's. To further refine, what Zimbra works best with.

Second, I've already started a relationship with Startcom. They are an Israeli ISP that makes their own linux distro and gives away freebie SSL/TSL certificates.

a) why would anyone want to get a certificate from an outside source when they could gen one of their own?

b) what's the effective difference in getting one from Startcom as opposed to a Verisign? (besides a comfort level) and

c) are there SSL/TSL Certs that Zimbra has a problem with? I noticed that there were no results returned when I entered Startcom into the search field. I'm wondering if I'm so new at this that Startcom is taking me for a ride and everyone else is smart enough not to deal with them. I can't imagine I'm the first one to stumble on them?!?!

If there's a better place for this let me know.


Thanks in advance,
todd_dsm

Don't forget to Vote for this RFE:
RFE: A place To Display the contents of 'My Documents'
Reasoning: It's new, bold, and cool.

[brian]

Quote:

Originally Posted by todd_dsm

Hey all, newb on deck- I have a multi-parter...

First, I've done some nosing around the net to find any USEFUL resource that can explain the relevance of the SSL/TSL Certificate 'Self-generated vs. External' (verisign, thawte, startcom, etc). If anyone knows of an educational piece on this I would be grateful. I'm really only interested in SSL/TSL as it applies to email and what's required by the IMAP-related entries in the RFC's. To further refine, what Zimbra works best with.

Second, I've already started a relationship with Startcom. They are an Israeli ISP that makes their own linux distro and gives away freebie SSL/TSL certificates.

a) why would anyone want to get a certificate from an outside source when they could gen one of their own?

b) what's the effective difference in getting one from Startcom as opposed to a Verisign? (besides a comfort level) and

c) are there SSL/TSL Certs that Zimbra has a problem with? I noticed that there were no results returned when I entered Startcom into the search field. I'm wondering if I'm so new at this that Startcom is taking me for a ride and everyone else is smart enough not to deal with them. I can't imagine I'm the first one to stumble on them?!?!

If there's a better place for this let me know.

Thanks, in advance, for the insights,

T

self-signed vs commercial certs really come down to trust and convenience. most browsers will complain about not being able to verify the cert authority of self-signed certs. This is fine if your users trust you, your site and they don't mind the inconvenience of clicking a couple more OK dialog boxes to accept the warnings before logging in.

again not all browsers will have the root or intermediate servers for startcom so your users may need to install them or accept the unverifiable dialogs similar to the self-signed cert. I use startcom certs for my personal zcs email server and they work just fine, but I also only have a handful of users that I had to distribute the root certs to.

if you have a lot of clients and/or are running a public service (isp) you'll want a well known cert provider like thawte or verisign.