Slightly OT: SSL certs - best practice?

James O'Gorman james at netinertia.co.uk
Mon May 15 22:53:45 UTC 2006



Hi all,

This question may be slightly OT for this list, but it does concern
securing services on my FreeBSD servers :-)

At the moment I have some existing (self-signed) SSL certs for Dovecot,
Exim and Apache. It's mostly only me that uses them for now, but I'm
planning on expanding that, so want to try and do things "right".

My real question is, should I have a separate SSL certificate for each
service, or can I just use one for all of them? Also, at the moment, the
Dovecot cert is for "*.netinertia.co.uk", but it can be accessed as
either mail.netinertia.co.uk, imap.netinertia.co.uk or
pop.netinertia.co.uk. Is this right, or should I just pick one (probably
mail) to be the "official" name? (Similarly, Exim has its certificate
set to mail.netinertia.co.uk, but can be accessed as smtp.netinertia.co.uk.)

I was thinking of just creating one wildcard certificate and using it
for all the above services, but I don't know if this is actually the
proper way of doing things!

Cheers,

James

PS - Once I've worked out how exactly I'm supposed to be doing this,
I'll probably get some "officially" signed certs. I hear CACert are a
good, free way of doing this. Anyone got any comments on that?


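To make the naming question concrete, here is an added example (not code from the original post) that applies the usual TLS client name-matching rules to the host names mentioned above: a wildcard certificate covers exactly one label, so "*.netinertia.co.uk" covers mail, imap and pop but not the bare domain, and a certificate for "mail.netinertia.co.uk" alone does not cover "smtp.netinertia.co.uk". The certificate name lists are constructed to mirror the setup described, not taken from real certificates.

```python
"""Check which host names a certificate's subject names actually cover.

Implements the usual TLS client rules: an exact (case-insensitive) match on a
DNS name, or a wildcard whose '*' is the whole leftmost label and matches
exactly one label (so '*.example.com' covers 'mail.example.com' but neither
'example.com' nor 'a.b.example.com'). Public-suffix rules are not consulted.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Only a bare '*' as the entire leftmost label is accepted; partial
    # wildcards ('m*.example.com') and wildcards deeper in the name are not.
    if plabels[0] != "*" or "*" in plabels[1:]:
        return False
    # The wildcard must match exactly one label (never zero, never several),
    # and a wildcard with fewer than three labels ('*.uk') is rejected.
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def covered_hosts(cert_names, hostnames):
    """Map each hostname to whether any of the certificate's names covers it."""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}


# Constructed sample data modelled on the names in the post (not real certificates).
WILDCARD_CERT = ["*.netinertia.co.uk"]       # the Dovecot cert as described
MAIL_ONLY_CERT = ["mail.netinertia.co.uk"]   # the Exim cert as described
SAN_CERT = ["mail.netinertia.co.uk", "imap.netinertia.co.uk",
            "pop.netinertia.co.uk", "smtp.netinertia.co.uk"]  # hypothetical multi-name cert

HOSTS = ["mail.netinertia.co.uk", "imap.netinertia.co.uk", "pop.netinertia.co.uk",
         "smtp.netinertia.co.uk", "netinertia.co.uk", "deep.mail.netinertia.co.uk"]

if __name__ == "__main__":
    for label, names in [("wildcard", WILDCARD_CERT), ("mail-only", MAIL_ONLY_CERT),
                         ("multi-name", SAN_CERT)]:
        print(label, covered_hosts(names, HOSTS))
```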

More information about the freebsd-security mailing list