-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi,
So this question means you need to do some more reading about all SSL/TLS services.
On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote:
Excuse dopey question. I'm not exactly clear about certificates. Apache2 default install has this snake oil certificate Can make a new one for apache Can make one for dovecot Can make one for ssl Is there supposed to be the one (self signed ) certificate pair in one place for the machine that each process hands out ? Can they be moved to another machine ?
In general you can have one certificate per hostname ('host.domain.com'), or you can have a wildcard certificate that is valid for '*.example.domain'. The "snakeoil" certificates that you refer to are generally self signed certificates, and yes you can create as many self signed certs as you want. You can pay someone to sign your certificates for you (wildcards may, or may not, be more cost effective in this case. They are certainly more portable). Signed certificates should match the hostnames they are used for, this is where wildcard certificates are of use. The alternative to paid signed certificates is using letsencrypt https://letsencrypt.org - they can do both individual certificates and wildcard certificates.
There are pro's and con's for both paid and free signed certificates, but you should use _a_ signed certificate for any TLS based service that communicates with anything in the wild (i.e. non-internal services, public mail servers, public web servers). Personally I use letsencrypt wildcards with domain based authentication for automatic certificate renewal (although distributing the certificates across servers can be an "interesting" problem to deal with).
Nikolai Lusan <nikolai@lusan.id.au> -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEVfd4GW6z4nsBxdLo4ZaDRV2VL6QFAlyKP/gACgkQ4ZaDRV2V L6TswQ/9ERKEwSyy0aN0rS9axIB8bd5oGKBr3UhYY/rdsHaKj/c2PzbPHSoeyGFp 89ZRDChzrkwMqdDJTSzxYVA0+C4Vak0OKf3SUvHwCGdX4O2MDfPHXw5+4YDftjgn oSaW2RmKmIQvfK8qKg4n8C+xDif54/20MwZaytSG/y7NikOt+3T8ph3UAO+HBD4G 7DMA/MKn0XX6pU8uhEbovU2ne4uUgl5FnncMcY9ibm8/4eEsqO5SU8DMwZtPG8Ux 4bPejIKf/L/5sFJw2wHI9vld3NTebklIK1eK1Vgw7en9Fmt/ydn+JXvxtDQa7YZS gp0fN8r5SMiClrOvFkZVS3oJo2lklq+KJsMaD14l52HKmHZXNBUpZQI8dk/J+Q7c m3liElPdTbZ+DK5c9koQqB8w49JfqWV9JFHhgY5WEntLvROarSOKn3GHy0DkDa6c W2cQY8aOMM8FHsIqhsM0gKsNe8Q2aHPM/UoNJaWBrhoXnT/lEzUN3FNIbq7yj4cb wXGQzZeFpcCaIb5SvMUl9yl8THZ2DpWsIFJOqYOmWMf1iiKLWu6bAh61sNYBWePQ S+pwk55AOGQUf73ElpGBCJOjrLgt/ADIluNkO1fI9bKQQjSIQRfEX5LWQPLwz8z8 Z+cyZc2ufW6F+F13n1yHSFEYFwbjAIdM06dATbsrlNh7PyNYeFE= =w9R4 -----END PGP SIGNATURE-----