Dear All, this is my continuation of the postfix setup. I am following the link http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServ... for the postfix setup.
At one stage it says, "Configuring The Server / Setup SSL Certificate":
Now generate an SSL certificate for postfix and dovecot to have TLS support. Replace mail.example.com with your server hostname.
genkey --days 3650 mail.example.com
My doubts are:
1. I have to install an SSL certificate for the web server (apache case). I am planning to purchase an SSL certificate and put it in place. Will the same certificate be useful for both web server and mail server, OR do the web and mail servers need separate SSL certificates?
2. I hope that for the web server case, one must purchase an SSL certificate and use it (so that browsers will work smoothly without complaining). For the mail server, can one use a locally generated SSL certificate?
Kindly let me know.
Best Regards
Austin
On 03/11/2013 07:05 PM, Austin Einter wrote:
Hi,
I use mail.domain.com, so I needed another certificate. I got the second certificate the same way I got the first, save for the change in the domain name.
A self-signed certificate will trigger a warning for users. For this reason, I did not use self-signed and I suspect you don't want to use a self-signed, either.
For the WEB server it makes sense to have a certificate that is signed by a known CA. However, for postfix a self-signed cert is just fine. When a user first connects with TLS, the mail client will complain. But with most mail clients (I use Thunderbird), you can get the certificate and store a permanent exception so it will never complain again. Other servers that make connections to deliver mail with STARTTLS generally don't care.
Mike
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Thanks a lot Mike. -Austin
On Tue, Mar 12, 2013 at 6:30 AM, Mike McCarthy sysop@w1nr.net wrote:
On 03/11/2013 07:05 PM, Austin Einter wrote:
In large measure it depends on the URL for both. I use a virtual host for webmail, different from the hostname. Also, typically, the email cert's URL is the host name, not the domain name. Though I have not studied DANE, and I may have that part wrong. With the same URL, you can use one cert. With different URLs, you typically need multiple certs, but there are ways using altName to have more than one URL in a cert. Talk to whoever you buy your cert from.
For me, and the size of my community, I have gone with a self-signed cert. I was in discussions on this on a number of lists. I have filed a bug report on the RedHat default SSL cert: 906476, they create the default cert during firstboot, with the wrong extensions for a client cert. Here is what I have used:
cd /etc/pki/tls
openssl req -new -outform PEM -out certs/host.atdomain.com.crt -newkey rsa:2048 -nodes -keyout private/host.atdomain.com.key -keyform PEM -days 3650 -x509 -extensions v3_req
Answer the prompts appropriately.
You can then check this cert out with:
openssl x509 -in certs/host.atdomain.com.crt -text -nameopt multiline -noout|more
Then don't forget to change access to the private key:
chmod 640 private/host.atdomain.com.key
To each their own on certs. Note I participated in PKIX in the IETF and am the architect of the Bridge CA model used by the US gov's pki and the BioPharma pki, so I carry a bias on certificates. Also a group in my day job is the largest provider of client certificates in the world (according to our marketing) and one of the largest providers of server certs; but I am NOT part of that group.
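As an added example (not code from this thread or from the campworld wiki), here is a shell script that follows the openssl procedure in the reply above but embeds a subjectAltName, so one self-signed cert covers both the web and the mail hostname as the altName remark describes, then checks the resulting cert and the key-file permissions. The base directory, the hostnames and the function names are constructed placeholders of my own.

```shell
#!/bin/sh
# Added example: one self-signed cert for several hostnames via subjectAltName.
# Assumes the /etc/pki/tls-style layout from the thread: <base>/certs, <base>/private.
set -eu

# make_selfsigned_cert <base_dir> <primary_host> [alt_host ...]
# Writes <base_dir>/certs/<primary_host>.crt and <base_dir>/private/<primary_host>.key
# Usage (assumed paths): make_selfsigned_cert /etc/pki/tls mail.example.com www.example.com
make_selfsigned_cert() {
    base="$1"; primary="$2"; shift 2
    mkdir -p "$base/certs" "$base/private"
    # The stock v3_req section has no subjectAltName, so write a small config
    # whose extension section lists every hostname the cert must be valid for.
    cfg="$base/san.cnf"
    san="DNS:$primary"
    for h in "$@"; do san="$san,DNS:$h"; done
    cat >"$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $primary
[v3_san]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    # Same shape as the reply's command: new 2048-bit RSA key, unencrypted,
    # self-signed for 10 years, but with our SAN section instead of v3_req.
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes \
        -keyout "$base/private/$primary.key" -out "$base/certs/$primary.crt" \
        -config "$cfg" -extensions v3_san 2>/dev/null
    # The private key must not be world-readable (the thread's chmod 640 step).
    chmod 640 "$base/private/$primary.key"
}

# cert_has_san <cert.pem> <hostname>: succeeds only if the cert's SAN lists hostname.
# Parses the -text dump so it works on older OpenSSL without the -ext option.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | tr ', ' '\n\n' | grep -qxF "DNS:$2"
}
```

Clients such as Thunderbird compare the hostname they connect to against the SAN list, so the mail hostname and the web hostname must both appear there for the stored exception or CA trust to match.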