[CentOS] Ignorant question on SSL certs

Tue Mar 3 20:00:38 UTC 2015
Jason Pyeron <jpyeron at pdinc.us>

> -----Original Message-----
> From: Timothy Murphy
> Sent: Tuesday, March 03, 2015 14:19
> 
> Greg Bailey wrote:
> 
> >> I'm really just asking if I cannot just use what I take to be
> >> the standard openssl certificate and key in /etc/pki/tls/
> >> Do I really have to create a special cert for dovecot?

I think at this point, I will say: Works for me.

[root at node001 ~]# openssl x509 </etc/pki/dovecot/certs/dovecot.pem
[root at node001 ~]#

Note the common name against the prompt's hostname.

All of our enterprise users can connect on many different clients.

> 
> > There's not really a "standard" SSL certificate.  Perhaps you're
> > referring to a "default" certificate used by the webserver?
> 
> No. I should have said "standard location".
> I think both Fedora and CentOS create the folders
> /etc/pki/tls/{certs,private},
> so I assume this means that certs and keys should be stored there.
> 
> > What I typically do is get a real, but free, SSL
> > certificate from some
> > place like StartSSL (www.startssl.com), and then copy the key and
> > certificate to the location that's specified for use by dovecot.
> 
> My question exactly - is there any reason why one should not do that?
> Or even more simply, give the locations /etc/pki/tls/{certs,private}
> in /etc/dovecot/conf.d/10-ssl.conf ?

Where you get or create your cert from is irrelevant.

The error messages indicate a hostname mismatch among other issues, but I cannot help you if you don't provide the answers or data to help you.

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
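As an added example (not from this thread or from Dovecot), the check Jason's reply points at: confirm that the certificate in a PEM file actually names the host clients connect to (subject CN or a subjectAltName DNS entry, wildcards included) and that the private key belongs to it, using only the openssl CLI. The file paths and hostnames are constructed placeholders; OpenSSL 1.1.1 or newer on PATH is assumed.

```shell
#!/bin/sh
# Added example: verify that a TLS certificate covers the hostname clients use
# and that the private key matches it. Not code from the thread; paths are placeholders.

# Print every DNS name the certificate is valid for: the subject CN plus SAN DNS entries.
cert_names() {
    pem="$1"
    # CN from the subject, in RFC2253 form so the field separator is predictable
    openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    # DNS entries from subjectAltName (the line following the extension header)
    openssl x509 -in "$pem" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Return 0 when hostname $2 is covered by a name in certificate $1.
# A wildcard name (*.example.com) matches exactly one label, as TLS clients require.
cert_matches_host() {
    pem="$1"; host="$2"
    while IFS= read -r name; do
        case "$name" in
            "$host") return 0 ;;
            \*.*) [ "${host#*.}" = "${name#\*.}" ] && return 0 ;;
        esac
    done <<EOF
$(cert_names "$pem")
EOF
    return 1
}

# Return 0 when private key $2 corresponds to certificate $1 (compares the public keys).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage (placeholder paths): check the cert and key Dovecot is configured to use
# cert_matches_host /etc/pki/dovecot/certs/dovecot.pem "$(hostname -f)" || echo "hostname mismatch"
# key_matches_cert /etc/pki/dovecot/certs/dovecot.pem /etc/pki/dovecot/private/dovecot.pem || echo "key mismatch"
```

A hostname mismatch reported by a mail client means cert_matches_host would return 1 for the name the client was given, regardless of where the certificate file lives.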