Hey all,
I am trying to wrap my head around a few things regarding SSL certificates and maybe some of you can share your ideas or expertise. And maybe I can kick off a discussion about the future plans for SSL.
First off, I have been using StartSSL in the past and was very happy with them and their business model, but since Eddy Nigg has sold StartCom and Mozilla and others have revoked the trust for new StartCom certs I have to look for alternatives. Any ideas? What are you using?
The beauty of StartCom was that you only paid for the validation, not for the certificate. So I could make as many certs as I liked (and I did). Since we secure our whole infrastructure with SSL and since we need certs for many services on each server, we needed wildcard certs anyway.
Now, looking for alternatives I had a closer look at Let’s Encrypt too. I don’t mind paying for certs but on the other hand I like some of the approaches Let’s Encrypt have taken. But they don’t offer wildcard certs. They say you should simply create a cert for each and every domain, which is cool and, as soon as everything is fully automated, is fine with me.
So if I want, I can create separate certs for all major services, like the panel, IMAP, POP, SMTP and so on. But in the future we will have to secure other services too, like DNS for example. And also, are there any plans for implementing the service certs on Nodeworx via Let’s Encrypt too? And regarding the automation, is there an automated renewal in place right now (for Siteworx, where Let’s Encrypt is already implemented) or is it planned? I didn’t find anything about that here…
But all that doesn’t work the way we, or rather our clients, usually handle domains anyway. The average customer has a few domains in one account and those domains are either redirected or serveraliases. But for serveraliases I can’t install a certificate, or can I? But serveraliases are important in some cases, e.g. in WordPress multisite installations. The trend is to secure everything in the future and I am all for that. But with the current architecture this won’t be possible, right? Also, switching over to one IP per domain is neither practicable nor affordable, and the same goes for creating an account for each domain. So we will still have to have several domains in one account and we will still have to use SNI. How then could we ever secure all domains via SSL?
To give one real world example, a company has 3 different domains: company.com, company.fr and company.de. Since the website shouldn’t simply redirect to company.com but rather stay in the respective visitor’s language and domain, we would need to have a certificate for each domain, but the website should be in one account; it actually would be one website in 3 languages and some domain mapping. How can we do that? This problem is not linked to Let’s Encrypt though, it is a general problem I am seeing when thinking about how to handle SSL in the future. And let’s not forget HTTP/2 and TLS being made mandatory by most browsers.
Forgive my ramblings, but it helps me to think if I write it all down, and there are indeed a few questions in here too.
TL;DR
[LIST=1]