regarding ssl certificates

Nikolai Lusan nikolai at lusan.id.au
Thu Mar 14 13:50:16 EET 2019


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

So this question means you need to do some more reading about all SSL/TLS
services.

On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote:
> Excuse dopey question.
> I'm not exactly clear about certificates.
> Apache2 default install has this snake oil certificate
> Can make a new one for apache
> Can make one for dovecot
> Can make one for ssl
> Is there supposed to be the one (self-signed) certificate pair in one
> place for the machine that each process hands out ?
> Can they be moved to another machine ?

In general you can have one certificate per hostname ('host.domain.com'),
or you can have a wildcard certificate that is valid for
'*.example.domain'. The "snakeoil" certificates that you refer to are
generally self-signed certificates, and yes, you can create as many self-signed
certs as you want. You can pay someone to sign your certificates for
you (wildcards may, or may not, be more cost-effective in this case; they
are certainly more portable). Signed certificates should match the
hostnames they are used for, which is where wildcard certificates are of
use. The alternative to paid signed certificates is using Let's Encrypt
https://letsencrypt.org - they can do both individual certificates and
wildcard certificates.

There are pros and cons for both paid and free signed certificates, but
you should use _a_ signed certificate for any TLS based service that
communicates with anything in the wild (i.e. non-internal services, public
mail servers, public web servers). Personally I use Let's Encrypt wildcards
with domain-based authentication for automatic certificate renewal
(although distributing the certificates across servers can be an
"interesting" problem to deal with).

-- 
Nikolai Lusan <nikolai at lusan.id.au>
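The reply's point that a certificate must match the hostnames of the services that present it, and that one wildcard can cover several of them, is easy to get wrong at the edges (the bare apex is not covered by '*.example.com', nor is a two-level name). The following is an added example, not code from the post or from Dovecot: it implements the RFC 6125 dNSName matching rules a TLS client applies, then reports which of a box's services (Apache, Dovecot, Postfix) a given set of certificates would cover. The certificate SAN lists and hostnames (example.com, mailbox.localdomain) are constructed sample data.

```python
"""Which hostnames do a certificate's subjectAltName dNSNames cover?

Added example (not from the mailing-list post). Implements the hostname
matching rules of RFC 6125 section 6.4.3 as TLS clients apply them, plus a
conservative rule that a wildcard must be followed by at least two labels.
"""
from typing import Dict, List, Optional


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot denotes the root and is ignored.
    return name.strip().lower().rstrip(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName `pattern` covers `hostname`.

    - exact match, case-insensitive
    - a wildcard is honoured only as the entire leftmost label ('*.example.com')
    - the wildcard matches exactly one label: '*.example.com' covers
      'mail.example.com' but neither 'example.com' nor 'a.b.example.com'
    - partial-label wildcards ('mail*.example.com') are rejected
    - '*.com'-style patterns (fewer than two labels after the '*') are rejected
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # Same label count (wildcard = exactly one label) and identical parent domain.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def first_matching_san(sans: List[str], hostname: str) -> Optional[str]:
    """The SAN entry that covers `hostname`, or None if the cert does not cover it."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def coverage_report(certs: Dict[str, List[str]], services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each service hostname to the names of the certificates that cover it."""
    return {
        host: [name for name, sans in certs.items() if first_matching_san(sans, host)]
        for host in services
    }


def uncovered_hosts(certs: Dict[str, List[str]], services: Dict[str, str]) -> List[str]:
    """Service hostnames for which no certificate in `certs` is valid."""
    return [host for host, names in coverage_report(certs, services).items() if not names]


# Constructed sample data (hypothetical names, not from the post): one signed
# wildcard certificate that also lists the apex, and a self-signed "snakeoil"
# style certificate issued only to the machine's local hostname.
CERTS: Dict[str, List[str]] = {
    "letsencrypt-wildcard": ["*.example.com", "example.com"],
    "snakeoil-selfsigned": ["mailbox.localdomain"],
}

# Hostnames the box's services present, per the question in the thread.
SERVICES: Dict[str, str] = {
    "www.example.com": "apache2",
    "imap.example.com": "dovecot",
    "mail.example.com": "postfix",
    "example.com": "apache2 (apex)",
    "deep.host.example.com": "two labels below the wildcard",
}

if __name__ == "__main__":
    for host, names in coverage_report(CERTS, SERVICES).items():
        print(f"{host:25s} {SERVICES[host]:30s} -> {names or 'NO VALID CERT'}")
```

Running it shows the one wildcard certificate serving Apache, Dovecot and Postfix alike (so a single certificate pair, copied to each service's configured path, is a reasonable setup), that the apex is covered only because it was added as its own SAN, and that a name two labels below the wildcard is not covered at all. The self-signed certificate covers nothing a client in the wild would connect to, which is the reply's argument for using a signed one.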
