mick crane wrote:
Apache2 default install has this snake oil certificate. Can make a new one for apache.
I won't go over some of the excellent points in previous posts, but I will mention SAN as a third type of certificate you can make. LetsEncrypt supports this type of certificate.
This is halfway between single CN and wildcard certificate where you can combine many hostnames (up to 1000?) into one certificate. This may be useful if you want the convenience of handling fewer certificates, without having an unbounded wildcard certificate (the latter also requires control over your DNS). I use this for SMTPAUTH, POP3, IMAP and webmail services since they are all on one server.
Then Stephan von Krawczynski wrote:
Sorry I have to write this, but this is again pointing people in a fake security direction. The only valid authority for a certificate is the party using it. Any third party with unknown participants cannot be a "Certificate Authority" in its true sense. This is why you should see "Let's Encrypt" simply as a cheap way to fake security. It is a US entity, which means it _must_ hand out all necessary keys to fake certificates to the US authorities _by law_. Now probably you can imagine why they are giving the certificates out for free. US authorities can compromise all of them - without any "open knowledge".
Wow, you packed a lot of fear, uncertainty and doubt (and some misinformation) into one paragraph. I'll leave it at that.
Joseph Tam jtam.home@gmail.com
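As an added illustration of the SAN-style certificate described above (this is not code from the thread or from any of the posters, and it does not involve Let's Encrypt at all): the script below uses a self-signed certificate, which carries the same subjectAltName extension a CA-issued one would, so you can see how several service hostnames end up in a single certificate and check that a certificate actually covers every name you intend to serve before deploying it. It assumes `openssl` 1.1.1 or newer is on PATH (for `-addext`); the hostnames `mail.example.test`, `imap.example.test` and `smtp.example.test` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Build a self-signed certificate whose subjectAltName lists several
# hostnames (the "SAN" style of certificate), then read the names back.
# Hostnames used at the bottom are constructed placeholders.
set -eu

# make_san_cert KEYFILE CERTFILE HOST1 [HOST2 ...]
# Writes an RSA key and a self-signed X.509 certificate whose subjectAltName
# contains every hostname given; the first host also becomes the CN.
make_san_cert() {
    key="$1"; cert="$2"; shift 2
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$key" -out "$cert" \
        -subj "/CN=$1" \
        -addext "subjectAltName=$san" >/dev/null 2>&1
}

# list_sans CERTFILE
# Prints one DNS name per line from the certificate's subjectAltName.
# Uses the -text dump so it works across OpenSSL versions.
list_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_covers CERTFILE HOSTNAME
# Exit status 0 if HOSTNAME is one of the certificate's DNS SANs.
cert_covers() {
    list_sans "$1" | grep -qx "$2"
}

# Demonstration: one certificate for three mail-related services on one host.
demo_dir=$(mktemp -d)
make_san_cert "$demo_dir/key.pem" "$demo_dir/cert.pem" \
    mail.example.test imap.example.test smtp.example.test
echo "SANs in generated certificate:"
list_sans "$demo_dir/cert.pem"
if cert_covers "$demo_dir/cert.pem" webmail.example.test; then
    echo "webmail.example.test is covered"
else
    echo "webmail.example.test is NOT covered (add it before serving webmail)"
fi
rm -rf "$demo_dir"
```

The `cert_covers` check is the part worth keeping around: a certificate that is valid but missing one service name produces exactly the kind of browser or mail-client warning the thread is trying to avoid, and listing the SANs is a quicker way to catch that than waiting for a client to complain.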