On Thu, Mar 14, 2019, at 2:51 PM, Nikolai Lusan via dovecot wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> So this question means you need to do some more reading about all SSL/TLS
> services.
>
> On Thu, 2019-03-14 at 10:46 +0000, mick crane via dovecot wrote:
> > Excuse dopey question.
> > I'm not exactly clear about certificates.
> > Apache2 default install has this snake oil certificate
> > Can make a new one for apache
> > Can make one for dovecot
> > Can make one for ssl
> > Is there supposed to be the one (self signed ) certificate pair in one
> > place for the machine that each process hands out ?
> > Can they be moved to another machine ?
>
> In general you can have one certificate per hostname ('host.domain.com'),
> or you can have a wildcard certificate that is valid for
> '*.example.domain'.

Or you can use one cert with additional hostnames (domains) in that single cert's subjectAltName's.

> The alternative to paid signed certificates is using letsencrypt
> https://letsencrypt.org - they can do both individual certificates and
> wildcard certificates.

With letsencrypt these (single cert with subjectAltName's) are easier to validate than wildcards IIRC (http based vs. DNS based validation).

--
K
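
Added example, not part of the original messages: a simplified hostname check in the style of RFC 6125, showing which names each of the three options in this thread (per-host certificate, wildcard, one certificate with several subjectAltName entries) actually covers. It goes slightly beyond the thread by showing that a wildcard matches exactly one label; all hostnames other than the two quoted above are constructed, and IP SANs and internationalized names are not handled.

```python
# Added example: decide which hostnames a certificate covers from its
# subjectAltName DNS entries. All names below are constructed samples.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Simplification: accept "*" only as the whole leftmost label and
        # require two more labels after it, so "*.com" is refused.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Simplification: partial wildcards such as "w*.example.domain" are refused.
    return "*" not in pattern and p == h


def covers(san_list, hostname: str) -> bool:
    """A certificate covers hostname if any of its SAN entries matches."""
    return any(san_matches(entry, hostname) for entry in san_list)


# Constructed certificates, one per option discussed in the thread.
CERTS = {
    "per-host": ["host.domain.com"],
    "wildcard": ["*.example.domain"],
    "multi-san": ["www.example.domain", "mail.example.domain", "example.domain"],
}

# Constructed names that Apache and Dovecot clients might connect to.
HOSTS = ["host.domain.com", "www.example.domain", "mail.example.domain",
         "example.domain", "imap.mail.example.domain"]


def coverage(certs=CERTS, hosts=HOSTS):
    """Map each certificate to the list of hostnames it is valid for."""
    return {name: [h for h in hosts if covers(sans, h)]
            for name, sans in certs.items()}


if __name__ == "__main__":
    for name, valid_for in coverage().items():
        print(f"{name:10} -> {', '.join(valid_for) or '(none)'}")
```

The wildcard certificate does not cover the bare `example.domain` or the two-level `imap.mail.example.domain`, which is why a SAN list is often used alongside or instead of a wildcard.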