[CentOS] SAN certificates for multiple domains and multiple services

Fri Apr 28 09:22:11 UTC 2017
Alice Wonder <alice at domblogger.net>

I'm not sure I understand fully what you are doing but for postfix, use 
self-signed certs.

I have a script for generating a self-signed X.509v3 with SAN

https://github.com/AliceWonderMiscreations/SimpleCA/blob/master/keyGenMX_Dane.sh

(that project is not even close to being ready yet, ignore the various 
.md files there, but that particular script is ready and I use it in 
production)

The way that script is used -

sh keyGenMX_Dane.sh example1.com example2.com example1.net example2.net

It will create a self-signed X.509v3 certificate with SAN for whatever 
domains are listed as arguments.

It creates a 3-year certificate, you can edit it to do longer if you want.

It creates 3072-bit RSA but you can edit the script to do 2048 or 4096 
if you prefer.

Whatever you use, it is recommended your postfix be configured to use DH 
parameters of equal or greater bits.

It also calculates the DANE TLSA fingerprints if you want to use those 
with DNSSEC but you don't have to.

-=-

Spending money on a commercial CA signed certificate for postfix is a 
waste of money because other servers don't check the certificate before 
sending, because the alternative to encryption is plain text anyway.

On 04/28/2017 01:37 AM, Nicolas Kovacs wrote:
> Hi,
>
> I'm currently installing and configuring CentOS 7 on a public server.
> The machine will host a few small-to-midsize projects that are currently
> running on a handful of Slackware servers: public library databases, our
> public school's agenda, a small webradio, OwnCloud for myself and a
> local non-profit, etc.
>
> Until recently I've mostly used self-signed SSL certificates for stuff
> needing a secure connection. Then, some time ago, I discovered
> LetsEncrypt and Certbot, which works very well, so I moved secure web
> hosting to using a free LetsEncrypt certificate.
>
> Now I want to take this to the next level and use these free
> certificates for multiple services. Not only web hosting, but also
> Postfix/Dovecot for mail and Prosody for XMPP.
>
> I had to fiddle a bit for permissions, so everything can access the
> certificate and key files right. I created a certs group and gave
> everything under /etc/letsencrypt/live to root:certs. Then, when a
> system user has to access this stuff, I simply add him to the certs group.
>
> Then came a moment when I hit a wall, because Postfix can't handle
> multiple certificates, only one. Let's say I have these domains on my
> server:
>
>   * example1.com
>   * example2.com
>   * example1.net
>   * example2.net
>
> When setting up Postfix, I can do one of these things:
>
> 1. continue to use a self-signed SSL certificate
>
> 2. choose one "preferred" domain on my server
>
> 3. setup multi-domain (SAN) certificates
>
> I tried the SAN certificates (after experimenting a lot and getting it
> right), and this stuff seems to work. I have one big bundle of
> certificates stored under /etc/letsencrypt/live/sd-41XXX.dedibox.fr
> (sd-41XXX.dedibox.fr being my server's FQDN), and I have all the
> certificates for all domains and subdomains of example1.com,
> example2.com, example1.net and example2.net.
>
> So before I go any further with this, I'm asking the more technically
> proficient admins here. Are there any drawbacks to using this solution?
> Is it problematic to bundle all my certificates into one big fat SAN
> certificate? This being said, the machine will host a maximum of two
> dozen domains, each with a handful of subdomains like mail.example1.com,
> xmpp.example1.com, etc.)
>
> Cheers,
>
> Niki Kovacs
>