On 03/11/2013 07:05 PM, Austin Einter wrote: > Dear All > This is my continuation of postfix setup. > Following link > http://campworld.net/thewiki/pmwiki.php/LinuxServersCentOS/Cent6VirtMailServerfor > postfix setup. > > At one stage it says, > Configuring The Server Setup SSL Certificate > > Now generate an SSL certificate for postfix and dovecot to have TLS > support. Replace mail.example.com with your server hostname. >> genkey --days 3650 mail.example.com > > My doubt is , > > 1. I have to install a SSL certificate for for web server (apache case). I > am planning to purchase a SSL certificate and put it. The same certificate > will be useful for both web server and mail server OR both web and mail > server needs to separate separate SSL certificates. > > > 2. I hope for web server case, one must purchase a ssl certificate and use > it (so that browsers will work smoothly without complain). For mail server > can one use locally generated ssl certificate? In large measure it depends on the URL for both. I use a virtual host for webmail, different from the hostname. Also, typically, the email cert's URL is the host name, not the domain name. Though I have not studied DANE, and I may have that part wrong. With the same URL, you can use one cert. With different URLs, you typically need multiple certs, but there are ways using altName to have more than one URL in a cert. Talk to who you buy your cert from. For me, and the size of my community, I have gone with a self-signed cert. I was in discussions on this on a number of lists. I have filed a bug report on the RedHat default SSL cert: 906476, they create the default cert during firstboot, with the wrong extensions for a client cert. Here is what I have used: cd /etc/pki/tls openssl req -new -outform PEM -out certs/host.atdomain.com.crt -newkey rsa:2048 -nodes -keyout private/host.atdomain.com.key -keyform PEM -days 3650 -x509 -extensions v3_req Answer the prompts appropriately. You can then check this cert out with: openssl x509 -in certs/host.atdomain.com.crt -text -nameopt multiline -noout|more Then don't forget to change access to the private key: chmod 640 private/host.atdomain.com.key To each their own on certs. Note I participated in PKIX in the IETF and am the architect of the Bridge CA model used by the US gov's pki and the BioPharma pki, so I carry a bias on certificates. Also a group in my day job is the largest provider of client certificates in the world (according to our marketing) and one of the largest providers of server certs; but I am NOT part of that group.