regarding ssl certificates

Stephan von Krawczynski skraw.ml at ithnet.com
Thu Mar 14 13:40:12 EET 2019


On Thu, 14 Mar 2019 12:13:15 +0100
"Guido Goluke, MajorLabel via dovecot" <dovecot at dovecot.org> wrote:

> Op 14-03-19 om 11:46 schreef mick crane via dovecot:
> > Excuse dopey question.
> > I'm not exactly clear about certificates.
> > Apache2 default install has this snake oil certificate
> > Can make a new one for apache
> > Can make one for dovecot
> > Can make one for ssl
> > Is there supposed to be the one (self signed ) certificate pair in one 
> > place for the machine that each process hands out ?
> > Can they be moved to another machine ?
> >
> > mick
> >  
> 
> Apache, dovecot and Postfix can all use the same certificate, you do 
> need to configure each one to the location of the certificate though. 
> SSL is something else: apache, dovecot, postfix are all 
> services/programs. SSL is a protocol/way of encryption. Self-signed 
> means there is no Certificate Authority backing the legitimacy. Getting 
> a Let's Encrypt certificate (I recommend certbot) will get you a 
> legitimate certificate, but only for the hostname (e.g. 
> web01.yourdomain.com) you provide it. This must be traceable to your 
> machine through DNS, so moving it to another machine would only work if 
> that machine would completely replace the old machine (domain name) and 
> the DNS is changed to point to your new IP address (or the old machine 
> gets taken out of 'the air' and the new machine gets the old one's IP 
> address).
> 
> Best.
> 
> MajorLabel

Sorry I have to write this, but this is again pointing people in a fake
security direction.
The only valid authority for a certificate is the party using it. Any third
party with unknown participants cannot be a "Certificate Authority" in its
true sense. This is why you should see "Let's Encrypt" simply as a cheap way
to fake security. It is a US entity, which means it _must_ hand out all
necessary keys to fake certificates to the US authorities _by law_.
Now probably you can imagine why they are giving the certificates out for
free. US authorities can compromise all of them - without any "open knowledge".
It would be dead easy to prevent this fake for the guys at mozilla or google
(for the web), but they don't. All that is needed is a trivial DNS-based way
to check self-signed certificates at the corresponding domain, let's say some
host pointed to by a SRV entry.
If you think DNS (not DNSSEC which has the same inherent problem) can be
compromised too, well, yes, but then the access to hosts in that domain will
be compromised anyway and a certificate will not save you at all.
</offtopic>

-- 
Regards,
Stephan
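The practical point in the quoted reply, that Apache, Dovecot and Postfix can share one certificate/key pair as long as each is configured to point at it, is easy to get half right (one daemon still serving the old snakeoil pair after a move). The script below is an added example written for this page, not code from the thread or from any of those projects. The file paths, the hostname mail.example.test and the port list are assumptions; the config directives shown in the comments are the real ones for each daemon. It fingerprints the certificate on disk, checks that the hostname you expect is actually in its Subject Alternative Names, and then connects to each service (plain TLS on 443/993, STARTTLS on 143/25/587) to confirm the served certificate has the same fingerprint.

```shell
#!/bin/sh
# Added example (not part of the mailing-list post): share one certificate
# across Apache, Dovecot and Postfix and verify each service really serves it.
# Paths, hostname and port list below are assumptions; adjust to your system.
#
# Directives that point each daemon at the shared pair:
#   Apache  (/etc/apache2/sites-enabled/default-ssl.conf):
#       SSLCertificateFile    /etc/ssl/mail/fullchain.pem
#       SSLCertificateKeyFile /etc/ssl/mail/privkey.pem
#   Dovecot (/etc/dovecot/conf.d/10-ssl.conf):
#       ssl_cert = </etc/ssl/mail/fullchain.pem
#       ssl_key  = </etc/ssl/mail/privkey.pem
#   Postfix (/etc/postfix/main.cf):
#       smtpd_tls_cert_file = /etc/ssl/mail/fullchain.pem
#       smtpd_tls_key_file  = /etc/ssl/mail/privkey.pem

set -u

# SHA-256 fingerprint of the first certificate in a PEM file, as lower-case
# hex without colons, so values from different sources compare cleanly.
cert_fingerprint_pem() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# DNS entries of the Subject Alternative Name extension, one per line.
# Uses the -text dump rather than -ext so it works on older OpenSSL too.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds if hostname $1 is listed in the SANs of PEM file $2.
cert_covers_host() {
    cert_dns_names "$2" | grep -qx "$1"
}

# Fingerprint of the certificate a live service presents. $3 names the
# STARTTLS protocol (smtp, imap) for ports that are plaintext on connect,
# or is empty for ports that speak TLS immediately.
served_fingerprint() {
    host=$1; port=$2; starttls=${3:-}
    opts=""
    [ -n "$starttls" ] && opts="-starttls $starttls"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" $opts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Walk the usual web+mail ports and compare each served certificate with the
# file on disk. Returns non-zero if any service presents something else.
check_services() {
    host=$1; pem=$2
    want=$(cert_fingerprint_pem "$pem")
    if ! cert_covers_host "$host" "$pem"; then
        echo "FAIL $pem does not list $host in subjectAltName"
        return 1
    fi
    rc=0
    for spec in "https:443:" "imaps:993:" "imap:143:imap" "smtp:25:smtp" "submission:587:smtp"; do
        name=${spec%%:*}; rest=${spec#*:}; port=${rest%%:*}; proto=${rest#*:}
        got=$(served_fingerprint "$host" "$port" "$proto")
        if [ "$got" = "$want" ]; then
            echo "ok   $name/$port presents $pem"
        else
            echo "FAIL $name/$port presents ${got:-nothing} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check-shared-cert.sh --check mail.example.test /etc/ssl/mail/fullchain.pem
if [ "${1:-}" = "--check" ]; then
    check_services "$2" "$3"
fi
```

A mismatch on one port after you have switched all three configs usually means that daemon was not reloaded (or, for Postfix, that the submission service in master.cf overrides the main.cf setting); the fingerprint comparison catches both, which a browser check of port 443 alone never will.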


