On 08/31/2018 01:47 PM, Chuck Campbell wrote:
I am getting myself confused, and need someone who fully understands this process to help me out a bot.
I would like to obtain an ssl certificate, so I can run my own imap server on a machine in my office.
My domain is hosted by networksolutions, but I don't run my imap server there.
I am assuming I'll need to pay a CA to generate what I need, but I'm confused about what I need. I am running dovecot at teh moment, but my clients (iphone, windows laptops) say my ssl connection is not trusted. The phone just won't connect.
I tried emailing the dovecot.pem file to my phone and installing it, but it just says it is not trusted.
This leads me to obtaining a real CA issued certificate. I'm not sure what to do with it, once I get one, and then if I need to subsequently regenerate my dovecot.pem file??
Many large companies run their own CA and install their own root certificate. Often installing a root cert is easier than installing a self-signed independent cert. There is much written about building your own CA and a number of tools for that like openCA. I can't speak for all your devices or apps, but there should be ways....
In personal promotion, I have been doing my own CA work for ECDSA certs and now for EDDSA certs (and I wonder what commercial CAs are providing them). See my Internet draft:
draft-moskowitz-ecdsa-pki
And my github for pending updates to this and the new eddsa-pki draft (to be published after openSSL 1.1.1 is released).
https://github.com/rgmhtt/draft-moskowitz-ecdsa-pki https://github.com/rgmhtt/draft-moskowitz-eddsa-pki
Or go to openCA or look at other CA toolkits available on Centos and Fedora.
Letsencrypt is a very important development, but it has (IMHO) a shaking foundation. I would not build a production system around it. But then I have lived in aspects of PKI since '95...