Using an SSL Certificate with Mail Server

Thank you all for making it so easy to set up a fully functional, multi domain email system.

I have it set up and working via both the webmail interface and using the IMAP and SMTP settings for mail clients.

My question is this: I keep getting messages saying “the identity of example.com cannot be identified.”

I know this has to do with certificates but I was looking for advice on which one I should buy and how to set it up.

My setup is one WordPress Multi-Site install with subdomains for each site. I then have domain mapping set up to map the subdomains to the appropriate domain names, and I have all of this set within my DNS records. All is working fine and as expected.

I was hoping that there would be 1 certificate that I could install that would secure all of my sites, subdomains etc.

I’ve been looking at Wildcard SSL Certs and Multi-Domain SSL certs.

Is this possible?

Thanks in advance.

Hi, if you are going with a wildcard SSL then it covers *.example.com, and if you go with a Multi Domain SSL then it will cover e.g. 1.com, 2.com, but it will not cover sub-domains; you have to add them manually.

You can check following link for SSL certificate comparison: http://www.sslshopper.com/ssl-certificate-comparison.html?ids=76,90,104

Thank you for your response.

So I suppose at this point my question is which one I need. Do I need a wildcard SSL, as they’re initially set up on wildcard addresses, or do I need a multi-domain one, as that is ultimately the address that the end user will be accessing?

@magichew, as your server is going to be accessed by end users, you will require a multi-domain certificate.

I would like to clarify a point regarding wildcard v/s multi-domain certificates…

Wildcard is useful when you want to protect all subdomains under a single top-level domain, e.g.

  1. foo.example.com
  2. bar.example.com
  3. foo.bar.example.com
  4. *.example.com (i.e. any subdomain under example.com)

Multi-domain, on the other hand, can protect subdomains, domains and any kind of mix. The limit often depends on the amount you pay, e.g. 5-domain or 20-domain certificates, etc.:

  1. foo.example.com and bar.example.com count as 2 domains in this case.
  2. example.com, another.com, google.com, facebook.com - any valid domain can be added to the pack as long as the total number of domains stays within the limit.
  3. *.example.com will not work under multidomain certs.

A multi-domain certificate requires more administrative work. You may read - https://rtcamp.com/wordpress-nginx/tutorials/ssl/multidomain-ssl-subject-alternative-names/
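As an added example (not from this thread or from rtCamp), here is a small Python check of which hostnames a certificate's name list actually covers, applying the single-label wildcard rule that browsers and mail clients use (RFC 6125: *.example.com matches foo.example.com but not example.com or foo.bar.example.com). The certificate names and the required mail hostnames below are constructed for illustration.

```python
import re

# Constructed sample input: the names a 4-domain multi-domain (SAN) certificate
# might list, and the hostnames a multi-site mail setup actually needs.
CERT_SANS = ["sitea.com", "siteb.com", "sitec.com", "sited.com"]
NEEDED_HOSTS = [
    "sitea.com", "webmail.sitea.com", "mail.sitea.com",
    "gpo.sitea.com", "webmail.siteb.com",
]

# A single DNS label: letters, digits and hyphens, no dots.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one certificate name (SAN/CN) covers hostname.

    Follows RFC 6125 section 6.4.3 as TLS clients apply it: a wildcard is
    only honoured as the entire left-most label and matches exactly one
    label, so "*.example.com" covers "foo.example.com" but neither
    "example.com" nor "foo.bar.example.com". Matching is case-insensitive.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]  # e.g. ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]
    # Exactly one non-empty label may stand in for the wildcard.
    return bool(_LABEL.match(left))


def uncovered_hosts(sans, hosts):
    """Hostnames in hosts that no name in sans covers (these will warn)."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    missing = uncovered_hosts(CERT_SANS, NEEDED_HOSTS)
    print("Hostnames not covered by the certificate:")
    for host in missing:
        print("  " + host)
```

Every hostname the script lists is one a mail client will raise an "identity cannot be verified" warning for until it is added as a SAN or covered by a wildcard for that domain.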

The information rtCamp provides is outstanding! Thank you very much!

Sorry to bring this back up but I’m struggling to get sorted.

I’ve purchased a multi domain SSL cert from NameCheap for 4 domains.

As I’ve mentioned before I have a WordPress network of sites. They are initially installed on a sub-domain basis but then mapped to their own domains via the domain mapping plugin.

I would like to secure these sites but I would also like to secure the mail element for these sites.

webmail.sitea.com webmail.siteb.com webmail.sitec.com webmail.sited.com

But particularly the subdomains that are required for mail collection and delivery from email clients such as the mail.app on iPhone and Mac. gpo.sitea.com, mail.site.com

Do I have the necessary certificate to make this happen or do I need additional certs?

Did you buy SSL for sitea.com, siteb.com, sitec.com and sited.com? If yes, then that SSL won’t cover webmail.sitea.com, webmail.siteb.com, webmail.sitec.com or webmail.sited.com.

Can you give us more details on this?

Yes. I’ve bought the cert for the 4 domains. I thought that this would cover me. How can I secure domains and subdomains?

The main reason that I’m aware of needing to secure the subdomains for the mail is that I get the message

“The identity of “gpd.sitea.com” cannot be verified. The certificate for this server is invalid. You might be connecting to a server that is pretending to be “gpo.sitea.com”, which could put your confidential information at risk. Do you want to connect to the server anyway?”

when trying to access mail via a client…

Now I do understand this message and understand that clicking connect anyway will make it work but this is not good for my clients. I would like to secure this so that the client doesn’t see this.

@magichew

From the previous post, this will help you :smile:

Okay. So I need a multi domain cert and a wildcard cert for each domain? Can I have all of these certs running together?

You need to have different server block for different certificates.

The ssl_certificate directive doesn’t work inside an if block, so you cannot map one server block to multiple certificates.

Hi @magichew

It’s been a long time, and we haven’t heard from you. It looks like your issue is resolved.

I am closing this support topic for now. Feel free to create a new support topic if you have any further queries. :slight_smile: