[CentOS] Ignorant question on SSL certs

Tue Mar 3 15:23:03 UTC 2015
Greg Bailey <gbailey at lxpro.com>

On 03/03/2015 08:12 AM, Timothy Murphy wrote:
> Jason Pyeron wrote:
>
>>> I'm getting endless complaints about my dovecot cert,
>> Exact message please?
> The certificate does not apply to the given host
> The certificate is not signed by any trusted certificate authority
>
>>> Do I really have to use a separate cert and key for dovecot?
>>> Can I not use the "standard" cert in /etc/pki/tls/certs (and key)
>>> from CACert.org ?
>> Post the certificate only, not the private key.
> I've looked at the cert and key and they look ok for what they are,
> a self-signed certificate and key, as created (years ago)
> following the instructions in the dovecot installation instructions.
>
> I'm really just asking if I cannot just use what I take to be
> the standard openssl certificate and key in /etc/pki/tls/
> Do I really have to create up a special cert for dovecot?
>

There's not really a "standard" SSL certificate.  Perhaps you're 
referring to a "default" certificate used by the webserver?

What I typically do is get a real, but free, SSL certificate from some 
place like StartSSL (www.startssl.com), and then copy the key and 
certificate to the location that's specified for use by dovecot.  That 
way, both httpd and dovecot are using the same certificate (although 
it's stored in 2 different locations).

The other thing to consider with dovecot (if you go with a third-party 
certificate) is that you may need to append the intermediate certificate 
to your server-specific certificate to properly establish the chain of 
trust for clients attempting to verify it.

-Greg
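A worked illustration of the two points above (reusing one key/cert pair and appending the intermediate so the chain verifies), written as an added example for this thread and not taken from Greg's message or from the dovecot project. It builds a throwaway root, intermediate and server certificate with openssl for a made-up host name (`mail.example.test`), assembles the leaf-plus-intermediate file that dovecot's `ssl_cert` setting points at, and then runs the same checks a mail client performs: chain validation against the root only, host name matching, and (as a sanity check) that the key actually belongs to the certificate. The working directory and file names are the script's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original thread): demonstrate how the
# "not signed by any trusted CA" and "does not apply to the given host"
# errors arise, and how appending the intermediate fixes the first one.
# Every certificate here is generated on the fly; nothing is real.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch location for the demo files

# Build root CA -> intermediate CA -> server leaf for the given host name.
make_test_chain() {
    host="$1"
    # Self-signed root (openssl's req -x509 marks it as a CA by default).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" \
        -subj "/CN=Example Test Root" 2>/dev/null
    # Intermediate: CSR signed by the root, with CA:TRUE so it may sign leaves.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" \
        -subj "/CN=Example Test Intermediate" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/inter.ext"
    openssl x509 -req -days 2 -in "$WORK/inter.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/inter.crt" -extfile "$WORK/inter.ext" 2>/dev/null
    # Leaf: the subjectAltName must cover the name the mail client connects to.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$host" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" \
        > "$WORK/server.ext"
    openssl x509 -req -days 2 -in "$WORK/server.csr" \
        -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
        -out "$WORK/server.crt" -extfile "$WORK/server.ext" 2>/dev/null
}

# Dovecot takes the server certificate and any intermediates from one PEM file
# (ssl_cert = </path/to/dovecot.pem): leaf first, then the intermediate(s).
# Prints the path of the assembled file.
assemble_chain() {
    cat "$WORK/server.crt" "$WORK/inter.crt" > "$WORK/dovecot.pem"
    echo "$WORK/dovecot.pem"
}

# Number of certificates in the assembled chain file.
chain_length() {
    grep -c 'BEGIN CERTIFICATE' "$WORK/dovecot.pem"
}

# What a client that trusts only the root sees when the server sends the
# intermediate along (-untrusted): the chain closes and the host name matches.
verify_chain() {
    host="$1"
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        -verify_hostname "$host" "$WORK/server.crt" >/dev/null 2>&1
}

# Same client when the intermediate is NOT sent: the leaf's issuer is unknown,
# which is exactly the "not signed by any trusted CA" complaint.
verify_without_intermediate() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Confirm the private key copied next to the certificate is the matching one
# (compare the public key embedded in the cert with the one derived from the key).
key_matches_cert() {
    a=$(openssl x509 -in "$WORK/server.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

main() {
    host="$1"
    make_test_chain "$host"
    assemble_chain
    echo "certificates in chain file: $(chain_length)"
    verify_chain "$host" && echo "with intermediate: chain and host name OK"
    verify_without_intermediate || echo "without intermediate: verification fails (as expected)"
    key_matches_cert && echo "private key matches certificate"
}

# Run the demonstration when invoked directly:  sh chain_check.sh mail.example.test
if [ $# -ge 1 ]; then
    main "$1"
fi
```

The `-untrusted` flag stands in for the intermediate the server presents during the handshake; with a real deployment you would point `openssl s_client -connect host:993 -verify_hostname host` at dovecot and expect `Verify return code: 0 (ok)`, which only happens once the intermediate is in the file dovecot serves.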