[CentOS] SSL Certificate

Tue Mar 12 04:10:02 UTC 2013
Robert Moskowitz <rgm at htt-consult.com>

On 03/11/2013 07:05 PM, Austin Einter wrote:
> Dear All
> This is my continuation of postfix setup.
> Following link
> http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServerfor
> postfix setup.
> At one stage it says,
> Configuring The Server Setup SSL Certificate
> Now generate an SSL certificate for postfix and dovecot to have TLS
> support. Replace mail.example.com with your server hostname.
>> genkey --days 3650 mail.example.com
> My doubt is ,
> 1. I have to install a SSL certificate for for web server (apache case). I
> am planning to purchase a SSL certificate and put it. The same certificate
> will be useful for both web server and mail server OR both web and mail
> server needs to separate separate SSL certificates.
> 2. I hope for web server case, one must purchase a ssl certificate and use
> it (so that browsers will work smoothly without complain). For mail server
> can one use locally generated ssl certificate?

In large measure it depends on the URL for both.  I use a virtual host 
for webmail, different from the hostname.  Also, typically, the email 
cert's URL is the host name, not the domain name.  Though I have not 
studied DANE, and I may have that part wrong.  With the same URL, you 
can use one cert.  With different URLs, you typically need multiple 
certs, but there are ways using altName to have more than one URL in a 
cert.  Talk to who you buy your cert from.

For me, and the size of my community, I have gone with a self-signed 
cert.  I was in discussions on this on a number of lists.  I have filed 
a bug report on the RedHat default SSL cert: 906476, they create the 
default cert during firstboot, with the wrong extensions for a client 
cert.  Here is what I have used:

cd /etc/pki/tls

openssl req -new -outform PEM -out certs/host.atdomain.com.crt -newkey 
rsa:2048 -nodes -keyout private/host.atdomain.com.key -keyform PEM -days 
3650 -x509 -extensions v3_req

Answer the prompts appropriately.

You can then check this cert out with:

openssl x509 -in certs/host.atdomain.com.crt -text -nameopt multiline 

Then don't forget to change access to the private key:

chmod 640 private/host.atdomain.com.key

To each their own on certs.  Note I participated in PKIX in the IETF and 
am the architect of the Bridge CA model used by the US gov's pki and the 
BioPharma pki, so I carry a bias on certificates.  Also a group in my 
day job is the largest provider of client certificates in the world 
(according to our marketing) and one of the largest providers of server 
certs; but I am NOT part of that group.