regarding ssl certificates

Kostya Vasilyev kman at fastmail.com
Thu Mar 14 13:54:28 EET 2019


On Thu, Mar 14, 2019, at 2:51 PM, Nikolai Lusan via dovecot wrote:
> Hi,
> 
> So this question means you need to do some more reading about all SSL/TLS
> services.
> 
> On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote:
> > Excuse dopey question.
> > I'm not exactly clear about certificates.
> > Apache2 default install has this snake oil certificate
> > Can make a new one for apache
> > Can make one for dovecot
> > Can make one for ssl
> > Is there supposed to be the one (self signed ) certificate pair in one 
> > place for the machine that each process hands out ?
> > Can they be moved to another machine ?
> 
> In general you can have one certificate per hostname ('host.domain.com'),
> or you can have a wildcard certificate that is valid for
> '*.example.domain'. 

Or you can use one cert with additional hostnames (domains) in that single cert's subjectAltNames.

> The alternative to paid signed certificates is using letsencrypt 
> https://letsencrypt.org - they can do both individual certificates and
> wildcard certificates.

With letsencrypt these (single cert with subjectAltNames) are easier to validate than wildcards IIRC (http based vs. DNS based validation).

-- K
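As an added illustration of the three options discussed in this thread (one cert per hostname, a wildcard, or one cert listing several subjectAltNames), the following Python is not from the list or from Dovecot; it implements the usual hostname-matching rules against constructed SAN lists and shows where a wildcard stops covering names (only one label, never the bare domain).

```python
"""Hostname matching against a certificate's subjectAltName dNSName entries.

Added example, not code from the mailing-list thread. The SAN lists are
constructed; no real certificate is parsed. Matching follows the common
RFC 6125 rules: case-insensitive, wildcard only as the whole leftmost
label, and a wildcard covers exactly one label.
"""


def _label_matches(pattern: str, label: str) -> bool:
    # Only a whole-label wildcard ('*') is honoured; partial wildcards
    # such as 'mail*' are deliberately not accepted.
    return pattern == "*" or pattern == label


def hostname_matches_san(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if hostname is covered by any dNSName in the SAN list."""
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat_labels = name.lower().rstrip(".").split(".")
        if len(pat_labels) != len(host_labels):
            # '*.example.com' covers neither 'example.com' nor 'a.b.example.com'
            continue
        if "*" in pat_labels[1:]:
            continue  # wildcard is only valid in the leftmost label
        if pat_labels[0] == "*" and len(pat_labels) < 3:
            continue  # refuse overly broad wildcards such as '*.com'
        if all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels)):
            return True
    return False


# Constructed SAN lists for the two approaches the thread compares.
MULTI_SAN = ["example.com", "mail.example.com", "imap.example.com", "www.example.com"]
WILDCARD = ["*.example.com"]


def coverage(san_dns_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the given SAN list covers it."""
    return {h: hostname_matches_san(h, san_dns_names) for h in hostnames}


if __name__ == "__main__":
    hosts = ["mail.example.com", "example.com", "a.b.example.com", "smtp.example.com"]
    for label, san in (("multi-SAN", MULTI_SAN), ("wildcard", WILDCARD)):
        print(label, coverage(san, hosts))
```

Adding a new service name to the multi-SAN cert means reissuing it with the extra dNSName, which is the trade-off against the wildcard's DNS-based validation.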

