Kerio User Forums » Kerio Connect » multiple SSL certificates and the reason why we need this
rbremer

Messages: 11
Karma: 1
I know this has been discussed a number of times in this forum, however, I would like to share my experience in setting up Kerio Connect and why I have no choice but to wait for proper support of multiple certificates.

We are using two distinct mail servers with distributed domains set up. Besides POP3 we pretty much utilize all services provided by Kerio.

Hosting multiple domains will work with the following setup (considering SSL certificates):
tell your users to use server1.domain.com or server2.domain.com and use either wildcard certificates on both servers or an individual certificate holding the appropriate server name.

However, as soon as I follow the recommendation by Kerio, things get more complicated.

If you use ActiveSync and install a profile onto the iPhone, the profile gets signed with the server key, which does not match the domain (server: server1.domain.com, domain: domain.com), so the iPhone will complain about not being able to verify the profile.
Communication to the HTTPS server will still be valid without any issues.

You could circumvent this issue by using a wildcard certificate *.domain.com. But not if you have more than one domain on the system. A wildcard certificate does not exist for more than one domain at a time.

But not if you use instant messaging.
When you configure IM and let your users download the appropriate installer ("setup my Mac" in the web client), it will create a messenger account with server1.domain.com as the server name, cool. But as soon as you follow the docs and add the SRV records to your domain to point to the server, the next user will get a setup with only the domain name in the server field and the checkbox "automatically find server" checked. Now this will no longer work with the certificate if using multiple domains.

We really need proper multiple certificate handling in Kerio. We need to be able to select a certificate per service and IP. And yes, using more than one IP is crucial, because in many cases you need to present the certificate when the connection gets set up and you don't know which server name the client used. However, to sign a profile or installer you can use the appropriate certificate assigned to a domain.

We as administrators try really really hard to train our users in not accepting untrusted certificates or connections. Having to tell them, well, our internal servers are an exception, is where data security issues start.

Any feedback is greatly appreciated.

Ronny
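As an added illustration (not part of the post or of Kerio's own code), the RFC 6125-style name matching that TLS clients apply, run over the three certificate setups the post compares; the domain names are constructed placeholders:

```python
# Added example: which client-facing names does each certificate setup cover?
# Implements the hostname matching rules TLS clients apply (RFC 6125 style).
# All domain names below are constructed placeholders, not real hosts.

def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if a CN/SAN dNSName entry covers hostname.

    A wildcard is honoured only as the entire leftmost label, it matches
    exactly one label, and at least two fixed labels must follow it. Hence
    *.domain.com covers server1.domain.com but neither domain.com nor other.com.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    if c_labels[0] != "*" or len(c_labels) < 3 or len(c_labels) != len(h_labels):
        return False
    return c_labels[1:] == h_labels[1:]


def coverage(cert_names: list[str], client_names: list[str]) -> dict[str, bool]:
    """Map each name a client may present (explicit server name, SRV-discovered
    bare domain, signed-profile identity) to whether the certificate covers it."""
    return {name: any(hostname_matches(c, name) for c in cert_names)
            for name in client_names}


# Names clients end up presenting in the post's scenario: the explicit server
# name, plus the bare hosted domains once SRV autodiscovery is in use.
CLIENT_NAMES = ["server1.domain.com", "domain.com", "otherdomain.com",
                "mail.otherdomain.com"]

SETUPS = {
    "per-server cert": ["server1.domain.com"],
    "wildcard cert": ["*.domain.com"],
    # UCC/SAN cert: must list every hosted domain plus the server name itself,
    # and grows by at least one entry for each domain added later.
    "UCC/SAN cert": ["server1.domain.com", "domain.com", "otherdomain.com",
                     "mail.otherdomain.com"],
}


def uncovered_names(setup: str) -> list[str]:
    """Client names that would trigger a certificate warning under a setup."""
    return [n for n, ok in coverage(SETUPS[setup], CLIENT_NAMES).items() if not ok]


if __name__ == "__main__":
    for setup in SETUPS:
        print(f"{setup:16} -> warnings for: {uncovered_names(setup) or 'none'}")
```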
kerio-newbie

Messages: 1
Karma: 0
I had the same question as you.

Would a possible solution be to have multiple domains in a single SSL certificate by using a Unified Communications Certificate?

Thanks!
mlee (Kerio)

Messages: 246
Karma: 16
FYI there is an ongoing case opened for this suggestion. I have added this post to it, hope it helps.

M.

PTSD. BP. OCD. ASPD. BPD. Certified.
rbremer

Messages: 11
Karma: 1
It could, but every time you add a new domain you need to buy a new certificate incorporating all domains plus the server names themselves. This is very expensive and (for those who are affected) the maximum number of SANs per certificate is 25.

And now go ahead and think about those running client views inside of DNS: internal server names are different from external server names.
rbremer

Messages: 11
Karma: 1
mlee (Kerio) wrote on Tue, 07 October 2014 03:54
FYI there is an ongoing case opened for this suggestion. I have added this post to it, hope it helps.

M.

Thank you! I really appreciate it.

Ronny