Excuse dopey question.
I'm not exactly clear about certificates.
Apache2 default install has this snake oil certificate
Can make a new one for apache
Can make one for dovecot
Can make one for ssl
Is there supposed to be the one (self signed ) certificate pair in one
place for the machine that each process hands out ?
Can they be moved to another machine ?

mick
--
Key ID C7D6E24C
On 3/14/19 11:46 AM, mick crane via dovecot wrote:
> Excuse dopey question.
> I'm not exactly clear about certificates.
> Apache2 default install has this snake oil certificate
> Can make a new one for apache
> Can make one for dovecot
> Can make one for ssl
> Is there supposed to be the one (self signed ) certificate pair in one
> place for the machine that each process hands out ?
> Can they be moved to another machine ?
>
> mick

Not a dovecot specific question, but I use the same certificate for apache, dovecot and postfix, for my domain name, on any number of machines, except they must all have the same hostname (they don't all have the same name at the same time).

I see no difference between a self-signed certificate and a broken certificate. In both cases you have warnings in the browser/mail client. In both cases you need to hit the "accept anyway" button.

Yassine.
On 14-03-19 at 11:46, mick crane via dovecot wrote:
> Excuse dopey question.
> I'm not exactly clear about certificates.
> Apache2 default install has this snake oil certificate
> Can make a new one for apache
> Can make one for dovecot
> Can make one for ssl
> Is there supposed to be the one (self signed ) certificate pair in one
> place for the machine that each process hands out ?
> Can they be moved to another machine ?
>
> mick
>

Apache, dovecot and Postfix can all use the same certificate, you do need to configure each one to the location of the certificate though.

SSL is something else: apache, dovecot, postfix are all services/programs. SSL is a protocol/way of encryption. Self-signed means there is no Certificate Authority backing the legitimacy. Getting a Let's Encrypt certificate (I recommend certbot) will get you a legitimate certificate, but only for the hostname (e.g. web01.yourdomain.com) you provide it. This must be traceable to your machine through DNS, so moving it to another machine would only work if that machine would completely replace the old machine (domain name) and the DNS is changed to point to your new IP address (or the old machine gets taken out of 'the air' and the new machine gets the old one's IP address).

Best.

MajorLabel
On Thu, 14 Mar 2019 12:13:15 +0100 "Guido Goluke, MajorLabel via dovecot" <dovecot at dovecot.org> wrote:
> On 14-03-19 at 11:46, mick crane via dovecot wrote:
> > Excuse dopey question.
> > I'm not exactly clear about certificates.
> > Apache2 default install has this snake oil certificate
> > Can make a new one for apache
> > Can make one for dovecot
> > Can make one for ssl
> > Is there supposed to be the one (self signed ) certificate pair in one
> > place for the machine that each process hands out ?
> > Can they be moved to another machine ?
> >
> > mick
> >
>
> Apache, dovecot and Postfix can all use the same certificate, you do
> need to configure each one to the location of the certificate though.
> SSL is something else: apache, dovecot, postfix are all
> services/programs. SSL is a protocol/way of encryption. Self-signed
> means there is no Certificate Authority backing the legitimacy. Getting
> a Let's Encrypt certificate (I recommend certbot) will get you a
> legitimate certificate, but only for the hostname (e.g.
> web01.yourdomain.com) you provide it. This must be traceable to your
> machine through DNS, so moving it to another machine would only work if
> that machine would completely replace the old machine (domain name) and
> the DNS is changed to point to your new IP address (or the old machine
> gets taken out of 'the air' and the new machine gets the old one's IP
> address).
>
> Best.
>
> MajorLabel

Sorry I have to write this, but this is again pointing people in a fake security direction.

The only valid authority for a certificate is the party using it. Any third party with unknown participants cannot be a "Certificate Authority" in its true sense. This is why you should see "Let's Encrypt" simply as a cheap way to fake security. It is a US entity, which means it _must_ hand out all necessary keys to fake certificates to the US authorities _by law_. Now probably you can imagine why they are giving the certificates out for free.

US authorities can compromise all of them - without any "open knowledge".

It would be dead easy to prevent this fake for the guys at mozilla or google (for the web), but they don't. All that is needed is a trivial DNS-based way to check self-signed certificates at the corresponding domain, let's say some host pointed to by a SRV entry. If you think DNS (not DNSSEC which has the same immanent problem) can be compromised too, well, yes, but then the access to hosts in that domain will be compromised anyway and a certificate will not save you at all.

</offtopic>

--
Regards,
Stephan
Hi,

So this question means you need to do some more reading about all SSL/TLS services.

On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote:
> Excuse dopey question.
> I'm not exactly clear about certificates.
> Apache2 default install has this snake oil certificate
> Can make a new one for apache
> Can make one for dovecot
> Can make one for ssl
> Is there supposed to be the one (self signed ) certificate pair in one
> place for the machine that each process hands out ?
> Can they be moved to another machine ?

In general you can have one certificate per hostname ('host.domain.com'), or you can have a wildcard certificate that is valid for '*.example.domain'.

The "snakeoil" certificates that you refer to are generally self-signed certificates, and yes you can create as many self-signed certs as you want. You can pay someone to sign your certificates for you (wildcards may, or may not, be more cost effective in this case. They are certainly more portable). Signed certificates should match the hostnames they are used for, this is where wildcard certificates are of use.

The alternative to paid signed certificates is using letsencrypt https://letsencrypt.org - they can do both individual certificates and wildcard certificates.

There are pros and cons for both paid and free signed certificates, but you should use _a_ signed certificate for any TLS based service that communicates with anything in the wild (i.e. non-internal services, public mail servers, public web servers). Personally I use letsencrypt wildcards with domain based authentication for automatic certificate renewal (although distributing the certificates across servers can be an "interesting" problem to deal with).
--
Nikolai Lusan <nikolai at lusan.id.au>
On Thu, Mar 14, 2019, at 2:51 PM, Nikolai Lusan via dovecot wrote:
> Hi,
>
> So this question means you need to do some more reading about all SSL/TLS
> services.
>
> On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote:
> > Excuse dopey question.
> > I'm not exactly clear about certificates.
> > Apache2 default install has this snake oil certificate
> > Can make a new one for apache
> > Can make one for dovecot
> > Can make one for ssl
> > Is there supposed to be the one (self signed ) certificate pair in one
> > place for the machine that each process hands out ?
> > Can they be moved to another machine ?
>
> In general you can have one certificate per hostname ('host.domain.com'),
> or you can have a wildcard certificate that is valid for
> '*.example.domain'.

Or you can use one cert with additional hostnames (domains) in that single cert's subjectAltNames.

> The alternative to paid signed certificates is using letsencrypt
> https://letsencrypt.org - they can do both individual certificates and
> wildcard certificates.

With letsencrypt these (single cert with subjectAltNames) are easier to validate than wildcards IIRC (http based vs. DNS based validation).

--
K
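As an added example (not code from any poster in this thread), covering both Nikolai's one-cert-per-hostname versus wildcard point and K's subjectAltName point: a small Python checker that shows which service hostnames a certificate's DNS names cover, so you can see before pointing Apache, Dovecot and Postfix at one shared certificate whether every service hostname is actually on it. The hostnames and SAN lists are constructed; the SAN line format is the one `openssl x509 -noout -ext subjectAltName` prints.

```python
"""Which service hostnames can one certificate cover?

Applies the DNS-ID matching rules of RFC 6125 section 6.4.3 in the stricter
form most TLS clients use (a wildcard must be the entire leftmost label).
All hostnames and subjectAltName lists below are constructed for illustration.
"""
from __future__ import annotations


def parse_san_line(line: str) -> list[str]:
    """Extract DNS names from an 'openssl x509 -noout -ext subjectAltName'
    style line such as 'DNS:mail.example.com, IP Address:203.0.113.5'."""
    names = []
    for entry in line.split(","):
        entry = entry.strip()
        if entry.upper().startswith("DNS:"):
            names.append(entry[4:].strip())
    return names


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if a single certificate name (exact or wildcard) covers hostname."""
    pat = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if "*" not in cert_name:
        return pat == host
    # Wildcard rules: only the whole leftmost label may be '*', at least two
    # fixed labels must follow it, and '*' matches exactly one label, so
    # '*.example.com' covers mail.example.com but neither example.com
    # (the bare domain) nor smtp.mail.example.com (two labels deep).
    if pat[0] != "*" or any("*" in label for label in pat[1:]) or len(pat) < 3:
        return False
    return len(host) == len(pat) and host[1:] == pat[1:]


def covering_names(cert_names: list[str], hostnames: list[str]) -> dict:
    """Map each service hostname to the certificate name covering it, or None."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None)
            for h in hostnames}


# Constructed sample: one SAN cert meant to be shared by the web, IMAP and
# SMTP services, and one wildcard cert for the same zone.
SAN_CERT = parse_san_line("DNS:www.example.com, DNS:mail.example.com, DNS:imap.example.com")
WILDCARD_CERT = ["*.example.com"]
SERVICE_HOSTS = ["www.example.com", "imap.example.com", "example.com", "smtp.mail.example.com"]

if __name__ == "__main__":
    for label, names in (("SAN cert", SAN_CERT), ("wildcard cert", WILDCARD_CERT)):
        print(label, covering_names(names, SERVICE_HOSTS))
```

A None in the result means that service's hostname would still raise the "accept anyway" warning Yassine mentions, even though the certificate itself is signed.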