Jeroen Massar wrote on 13.05.21 10:46:
On 2021-05-13 11:29, Andreas Fink wrote:
Hello all,
I need to get some SSL certificates for some African country operations and I unfortunately cannot use Let's Encrypt for this.
Any reason? What are your requirements?
The mail server I use does not support ACME setup. I can only do old-style SSL certificate requests. For the webserver it's not an issue though.
Would ZeroSSL (https://zerossl.com), who also do ACME, work?
No. ACME is the issue. And ZeroSSL is hosted in the US on Cloudflare with a Cloudflare SSL certificate. So by definition not DSGVO-compliant, as the NSA could theoretically infiltrate Cloudflare to infiltrate all my certs etc. etc. It might be far-fetched, but since Snowden we know that many things we considered far, far, far-fetched are not anymore.
(yes people, Let's Encrypt is not the only game... if you do ACME for your systems, also set up ZeroSSL and issue certs from both places at the same time, just in case LE ever has an issue, though that will be resolved rather quickly with 72% market share (https://ct.cloudflare.com))
Cloudflare's jurisdiction is definitely a red flag for me.
I was trying to get a certificate from SwissSign for this, but for some reason they refuse issuing certificates to domains for Guinea and Guinea-Bissau.
Do you need org-validated or something, that the country matters?
No. I simply need the domain to be in that country. The holder of the domain can be myself in Switzerland or one of the entities in Africa which is not on the blacklist (which is actually what I tried). SwissSign put the certificate under embargo because the domain ending contained .gw and .com.gn. That's all. And I don't want to buy a domain for every mail server separately, that's why I want a multidomain certificate. As it has to be renewed every year, it's painful enough already.