Organization Validated (OV) Certificate for 2 domain

edisu
Posts: 30
Joined: Fri May 01, 2020 3:25 am

Organization Validated (OV) Certificate for 2 domain

Postby edisu » Thu Jan 28, 2021 11:31 pm

Hi, currently we have a single-server Zimbra v9 Network Edition with 2 domains on it (e.g. domain1.com, domain2.com), and we are planning to buy a commercial certificate for both domains. My question is which type of certificate will work on my Zimbra server: can I use 2 OV certificates, will that work on a Zimbra server? Or can I use a multi-SAN certificate? If I choose OV certificates, how can I install these 2 certificates on my Zimbra server?

Which type of certificate is easy to manage, install and not complex? What is the advantage and disadvantage of OV and Multi-SAN Certificate?


JDunphy
Outstanding Member
Posts: 593
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P21 RHEL6 Network Edition

Re: Organization Validated (OV) Certificate for 2 domain

Postby JDunphy » Fri Jan 29, 2021 7:21 pm

edisu wrote:Which type of certificate is easy to manage, install and not complex? What is the advantage and disadvantage of OV and Multi-SAN Certificate?

I have no experience with either, but I have a few comments that might help you in determining what to look for.

The certificate that is easiest to manage is one you don't manage. That is letsencrypt for us or those CA's that can issue a certificate via some protocol like acme to make this seamless. When you only do something every year or two then you could have issues as process changes or you forget how you did it and even outages and user confusion should a cert expire. I renew every 30-60 days and it became so transparent that I had to write a script to alert me prior to the renewal because we once had a zimbra problem with restart where Postfix was not running but zmcontrol said it was running ... that bug was reported and fixed by zimbra a few years ago.

Next is the security... PKI is what it is. I don't completely trust it, and it is only as good as the parties that can sign it. If a sub-CA of a sub-CA signs and issues a cert for your domain, and they trick your user into believing it's real because it says "secure" or has a lock in a browser, how do you know, for your domain? I get transparency reports 1-2 minutes after I issue a certificate with letsencrypt, from cloudflare, which is monitoring those CA transparency logs. So a 3rd party alerts me to a certificate being issued for my domains. I also do the following in my zone files for my domains that have certs. Some browsers and CA's will support this, so it's better than nothing.

    https://support.dnsimple.com/articles/caa-record/
    ; generator: https://sslmate.com/labs/caa/
                 CAA 128 issue "letsencrypt.org"

What would a user see for the various certificates issued and these different cert types? Unless they are sophisticated, probably the same lock or "secure" for any cert, so this is browser or MUA specific. If they go diving into a certificate then yes, they can tell, but they might not understand the nuances of why one cert is better. So for me, I like CA's that use transparency logs for our cert and follow CAA, since browsers/CA vendors are working hard on this problem also.

Years ago, it made sense to issue certificates for years and years because navigating through this process was difficult. That isn't the case anymore. Safari and other browsers have changed recently, so 1 year is about as long a certificate as they will honour. What happens if they move to 6 months or faster? Did those CA's that issued 2 year certs notify their customers with new 1 year certs?

That is my current reasoning for keeping it simple but making sure everything is https and A+ ratings with sslabs for the MUA's in our client pool that access Zimbra.

If I was a bank and was writing an app then maybe I would use a higher grade certificate that my app could key off but that isn't the case here unless I am missing something. Feature request for zimbra perhaps. ;-)

There is an advantage to issuing a cert for 1 year... you don't take an outage as often as with those issued every 60 days. The problem is that Zimbra's monthly update process can negate that win when they require a restart. With the exception of mailboxd, every other daemon (ldap, postfix, nginx) can reload a certificate, so you don't have to do a stop/start when you renew a cert. This isn't well tested by me and that may not be the case anymore. Another advantage to vendor-provided certs is you don't install additional software and use only the tools that exist to issue and reissue your certs. That last concept kind of explains why I chose my current method for letsencrypt installation, which is a single bash script. I didn't want to support extra libraries or programming language versions. They use the openssl tool chain just like Zimbra does to issue the CSR.

Perhaps share what strengths and features you believe OV and multi-SAN offer that a simpler certificate doesn't. I don't claim to have much of a background in this; other than Stronghold in the past (very early days), I have no experience with any of the current CA's and their products, but am eager to update my process when better solutions and ideas exist.

HTH,

Jim
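To make the multi-SAN option and the renewal alert concrete, here is an added example that is not code from this thread, from Jim's script, or from Zimbra. It uses only the openssl tool chain, as the post above suggests: it builds one CSR whose subjectAltName covers both domains from the question (domain1.com and domain2.com are the original poster's placeholder names), then uses a self-signed stand-in for the CA-issued certificate so that the two checks an admin actually wants can run offline: which hostnames a certificate really covers, and whether it expires within N days (the test a renewal-alert cron job can key off). The key size, validity period and file names are assumptions for the example.

```bash
#!/bin/sh
# Added example, not from this thread or from Zimbra. Only the openssl tool chain is used.
# domain1.com / domain2.com are the placeholder names from the question.

# Write an openssl config whose SAN list holds every domain passed after the config path.
# The first domain also becomes the CN, which is what most CA order forms still ask for.
write_san_config() {
    cnf="$1"; shift
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $1
[v3_req]
subjectAltName = $san
EOF
}

# Key + CSR covering all listed domains: what you would hand to a commercial CA
# for one multi-SAN certificate instead of buying one OV certificate per domain.
make_multi_san_csr() {
    dir="$1"; shift
    write_san_config "$dir/san.cnf" "$@"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/key.pem" -out "$dir/req.csr" -config "$dir/san.cnf" 2>/dev/null
}

# Self-signed stand-in for the CA-issued certificate, valid for $2 days, so the
# checks below can be exercised without a CA (constructed test data, not a real cert).
make_multi_san_cert() {
    dir="$1"; days="$2"; shift 2
    write_san_config "$dir/san.cnf" "$@"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/san.cnf" 2>/dev/null
}

# DNS names a certificate / CSR actually covers, one per line (parsed from -text output).
cert_sans() {
    openssl x509 -noout -text -in "$1" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}
csr_sans() {
    openssl req -noout -text -in "$1" | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://'
}

# cert_covers cert.pem host  ->  exit 0 only if host is in the SAN list.
cert_covers() {
    cert_sans "$1" | grep -qx "$2"
}

# cert_expires_within cert.pem N  ->  exit 0 if the cert expires within N days.
# openssl's -checkend returns 0 when the cert is still fine past that point, so invert it.
cert_expires_within() {
    if openssl x509 -checkend $(($2 * 86400)) -noout -in "$1" >/dev/null; then
        return 1
    fi
    return 0
}

# Demo run: one two-domain CSR, then a 60-day stand-in cert checked at 30 and 90 days.
demo() {
    work=$(mktemp -d)
    make_multi_san_csr "$work" domain1.com domain2.com
    echo "CSR covers:  $(csr_sans "$work/req.csr" | tr '\n' ' ')"
    make_multi_san_cert "$work" 60 domain1.com domain2.com mail.domain1.com
    echo "cert covers: $(cert_sans "$work/cert.pem" | tr '\n' ' ')"
    for d in 30 90; do
        if cert_expires_within "$work/cert.pem" "$d"; then
            echo "ALERT: certificate expires within $d days"
        else
            echo "ok: certificate good for more than $d days"
        fi
    done
    rm -rf "$work"
}
demo
```

In a cron job you would point cert_expires_within at the certificate Zimbra is actually serving and mail the ALERT line; the 30-day threshold is a reasonable choice for 60-day renewals, so an alert means the automated renewal has already missed at least one cycle.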
edisu
Posts: 30
Joined: Fri May 01, 2020 3:25 am

Re: Organization Validated (OV) Certificate for 2 domain

Postby edisu » Thu Feb 04, 2021 1:53 pm

Thanks for the reply
