SSL Certificates for eMail Gateway

Posted on 2012-08-27
Last Modified: 2012-09-02
I'll be deploying a new email gateway named “”.  It will be accessible from 3 different public IPs.  So, MX records will list smail, smail2, and smail3 in descending preference.  I would like to deploy it with an SSL cert for all 3 names, but I am fairly certain that you cannot deploy a host with 3 SSL certs.  My thought is to use a wild-card SSL cert, but will this even work?  All advice is appreciated.

As well, for a host handling TLS, HTTPS, and SMIME, are there any particulars I need for the cert?
Question by: whoam
    LVL 50

    Accepted Solution

    You can deploy a host with three SSL certificates, but there are some caveats to it working properly.  In the old-school method, each certificate must be bound to a unique IP/port combination.  If your host has three IPs, no issues.  With newer methods, you can use SNI to bind multiple certificates to the same unique IP/port, but I am only aware of that functionality in the context of Apache.  I'm not sure that is available through email server platforms.

    A wildcard certificate will certainly do the job admirably, and is what I use for my own mail and web servers.  Instead of purchasing three SSL certs, you purchase one and use it on any host within the domain.  There are no technical limitations to this strategy (at least, none of which I am aware), and it works seamlessly.

    As far as particular needs for the cert, you want one with an assigned function of identification - the default role of almost every commercially available certificate.  To get any roles other than that, you would need a specific request to the provider.  The default function should serve just fine for web and email service.

    Author Comment

    Hmmm, so attaching a certificate to the mail gateway of * would allow it to respond to TLS/SSH conversations for and/or and/or without a certificate error?  Just making sure before I send out the CSR.  Also, in Apache, how do you do a CSR for a wildcard cert?

    LVL 50

    Assisted Solution

    by: Steve Bink
    That is correct.  You create the CSR for a wildcard cert in exactly the same manner as a "normal" cert.  The only difference is that the common name should be "*" instead of "".
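    The following script is an added example and is not part of the thread or either answer.  It does what the assisted solution describes with openssl: generates a key and a CSR whose common name is the wildcard, with the same names repeated in a subjectAltName extension (modern clients ignore the CN when a SAN is present), then self-signs a stand-in certificate on the same key so the name-matching rules can be checked offline.  The check is the one a practitioner wants before sending the CSR: a "*" in a certificate name covers exactly one DNS label, so "*.example.com" covers smail, smail2 and smail3 under example.com, but not example.com itself (only the explicit SAN entry does) and not a deeper name such as relay.smail.example.com.  It assumes openssl 1.1.1 or later on PATH, and "example.com" stands in for the domain the poster elided.  This verifies the TLS server certificate only; S/MIME signing and encryption use separate per-mailbox certificates and are not covered by a server wildcard.

```shell
#!/bin/sh
# Added example (not from the thread): build a wildcard CSR as the assisted
# solution describes, then check which host names the certificate covers.
# Assumes openssl 1.1.1+ on PATH; "example.com" stands in for the poster's
# elided domain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CSR with CN=*.<domain>.  The SAN extension repeats the wildcard and adds the
# bare domain, because clients following RFC 6125 ignore the CN when a SAN is
# present.  Prints the SAN line so the caller can confirm both names made it in.
make_wildcard_csr() {
    domain=$1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/key.pem" -out "$WORK/csr.pem" \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" >/dev/null 2>&1
    openssl req -in "$WORK/csr.pem" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' | tr -d ' '
}

# Self-signed stand-in for the CA-issued certificate, on the same key and the
# same names, so the hostname checks below can run offline.
self_sign() {
    domain=$1
    openssl req -x509 -key "$WORK/key.pem" -days 1 \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" \
        -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Returns 0 when the certificate's names cover $1 under the usual TLS rules
# (a "*" spans one label and never crosses a dot), 1 otherwise.
hostname_matches() {
    openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$1" \
        "$WORK/cert.pem" >/dev/null 2>&1
}

report() {
    if hostname_matches "$1"; then echo "$1: covered"; else echo "$1: NOT covered"; fi
}

make_wildcard_csr example.com      # prints DNS:*.example.com,DNS:example.com
self_sign example.com
report smail.example.com           # covered
report smail3.example.com          # covered
report example.com                 # covered, only because of the explicit SAN entry
report relay.smail.example.com     # NOT covered: the wildcard spans one label
report smail.example.org           # NOT covered
```

    In production the CSR ($WORK/csr.pem) goes to the CA and the issued certificate replaces the self-signed stand-in; the private key is the same file for every MX host, so protect and rotate it as a shared secret for all three names.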
