On Thu, 14 Mar 2019 12:13:15 +0100 "Guido Goluke, MajorLabel via dovecot" dovecot@dovecot.org wrote:
Op 14-03-19 om 11:46 schreef mick crane via dovecot:
Excuse dopey question. I'm not exactly clear about certificates. Apache2 default install has this snake oil certificate Can make a new one for apache Can make one for dovecot Can make one for ssl Is there supposed to be the one (self signed ) certificate pair in one place for the machine that each process hands out ? Can they be moved to another machine ?
mick
Apache, dovecot and Postfix can all use the same certificate, you do need to configure each one to the location of the certificate though. SSL is something else: apache, dovecot, postfix are all services/programs. SSL is a protocol/way of encryption. Self-signed means there is no Certificate Authority backing the legitimacy. Getting a Let's Encrypt certificate (I recommend certbot) will get you a legitime certificate, but only for the hostname (e.g. web01.yourdomain.com) you provide it. This must be traceable to your machine through DNS, so moving it to another machine would only work if that machine would completely replace the old machine (domain name) and the DNS is changed to point to your new IP address (or the old machine gets taken out of 'the air' and the new machine gets the old one's IP address).
Best.
MajorLabel
Sorry I have to write this, but this is again pointing people in a fake security direction. The only valid authority for a certificate is the party using it. Any third party with unknown participants cannot be a "Certificate Authority" in its true sense. This is why you should see "Let's Encrypt" simply as a cheap way to fake security. It is a US entity, which means it _must_ hand out all necessary keys to fake certificates to the US authorities _by law_. Now probably you can imagine why they are giving the certificates out for free. US authorities can compromise all of them - without any "open knowledge". It would be dead easy to prevent this fake for the guys at mozilla or google (for the web), but they don't. All that is needed is a trivial DNS-based way to check self-signed certificates at the corresponding domain, let's say some host pointed to by a SRV entry. If you think DNS (not DNSSEC which has the same immanent problem) can be compromised too, well, yes, but then the access to hosts in that domain will be compromised anyway and a certificate will not save you at all. </offtopic>
-- Regards, Stephan