On Mon, Nov 28, 2016 at 07:29:15PM +0100, Florian Piekert wrote:

> I use the same certificate for postfix, apache, dovecot, proftpd, etc...
> (from cacert.org).

The cacert.org root CA's MD5 self-signature tends to trigger
interoperability problems.  You're typically better off with some
other CA.

    * Not cacert.org
    * Not StartCom
    * Not WoSign

As a data point on popularity, with those taken out, the top 10
issuers of certs for DANE MX hosts are:

    1010 O=Let's Encrypt
     188 O=COMODO CA Limited
     103 O=GeoTrust Inc.
      57 O=Gandi
      46 O=GlobalSign nv-sa
      23 O=thawte\, Inc.
      12 O=GoDaddy.com\, Inc.
      11 O=DigiCert Inc
       7 O=Symantec Corporation
       7 O=GeoTrust\, Inc.

Pick one that works for you.  Grouping by the full name of the
intermediate issuer:

    1006 CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
     171 CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
      57 CN=Gandi Standard SSL CA 2,O=Gandi,L=Paris,ST=Paris,C=FR
      37 CN=RapidSSL SHA256 CA - G3,O=GeoTrust Inc.,C=US
      32 CN=AlphaSSL CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
      23 CN=RapidSSL SHA256 CA,O=GeoTrust Inc.,C=US
      12 CN=RapidSSL SHA256 CA - G2,O=GeoTrust Inc.,C=US
      11 CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US
      11 CN=GlobalSign Domain Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
      10 CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB

--
    Viktor.