On Thu, Mar 14, 2019, at 2:51 PM, Nikolai Lusan via dovecot wrote:
Hi,
So this question means you need to do some more reading about all SSL/TLS services.
On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote:
Excuse dopey question. I'm not exactly clear about certificates. Apache2 default install has this snake oil certificate. Can make a new one for apache. Can make one for dovecot. Can make one for ssl. Is there supposed to be the one (self-signed) certificate pair in one place for the machine that each process hands out? Can they be moved to another machine?
In general you can have one certificate per hostname ('host.domain.com'), or you can have a wildcard certificate that is valid for '*.example.domain'.
Or you can use one cert with additional hostnames (domains) in that single cert's subjectAltNames.
The alternative to paid signed certificates is using letsencrypt https://letsencrypt.org - they can do both individual certificates and wildcard certificates.
With letsencrypt these (single cert with subjectAltNames) are easier to validate than wildcards IIRC (http based vs. DNS based validation).
-- K
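
The difference between the wildcard and the multi-name (subjectAltName) certificate discussed in this thread, as an added example that is not part of the original messages: it checks which service hostnames each kind of certificate covers. The SAN lists and service names are constructed sample data, and the function names are hypothetical.

```python
# Added example: hostname coverage of wildcard vs. multi-SAN certificates.
# All names below are constructed sample data, not taken from a real certificate.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style.

    A wildcard counts only as the whole leftmost label and stands for
    exactly one label. Assumption: wildcards directly under a top-level
    label ("*.com") are refused, as common TLS clients do.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False          # a wildcard never spans more or fewer labels
    if any("*" in label for label in p[1:]):
        return False          # wildcard outside the leftmost label
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False          # partial wildcards such as "ma*l" are refused
    return p == h


def covered(sans, hostname):
    """True if any SAN entry of the certificate matches the hostname."""
    return any(san_matches(s, hostname) for s in sans)


def uncovered(sans, hostnames):
    """Hostnames a client would reject when presented with this certificate."""
    return [name for name in hostnames if not covered(sans, name)]


# Names the machine's services (Apache, Dovecot, ...) are reached under.
SERVICES = ["example.domain", "www.example.domain",
            "mail.example.domain", "imap.mail.example.domain"]

WILDCARD_CERT = ["*.example.domain"]
MULTI_SAN_CERT = ["example.domain", "www.example.domain", "mail.example.domain"]

if __name__ == "__main__":
    print("wildcard misses: ", uncovered(WILDCARD_CERT, SERVICES))
    print("multi-SAN misses:", uncovered(MULTI_SAN_CERT, SERVICES))
```

The wildcard certificate does not cover the bare domain or names two levels down, so those have to be listed as additional subjectAltName entries if services answer on them.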