[CentOS] SAN certificates for multiple domains and multiple services

Fri Apr 28 08:37:55 UTC 2017
Nicolas Kovacs <info at microlinux.fr>


I'm currently installing and configuring CentOS 7 on a public server.
The machine will host a few small-to-midsize projects that are currently
running on a handful of Slackware servers: public library databases, our
public school's agenda, a small webradio, OwnCloud for myself and a
local non-profit, etc.

Until recently I've mostly used self-signed SSL certificates for stuff
needing a secure connection. Then, some time ago, I discovered
LetsEncrypt and Certbot, which works very well, so I moved secure web
hosting to using a free LetsEncrypt certificate.

Now I want to take this to the next level and use these free
certificates for multiple services. Not only web hosting, but also
Postfix/Dovecot for mail and Prosody for XMPP.

I had to fiddle a bit for permissions, so everything can access the
certificate and key files right. I created a certs group and gave
everything under /etc/letsencrypt/live to root:certs. Then, when a
system user has to access this stuff, I simply add him to the certs group.

Then came a moment when I hit a wall, because Postfix can't handle
multiple certificates, only one. Let's say I have these domains on my

  * example1.com
  * example2.com
  * example1.net
  * example2.net

When setting up Postfix, I can do one of these things:

1. continue to use a self-signed SSL certificate

2. choose one "preferred" domain on my server

3. set up multi-domain (SAN) certificates

I tried the SAN certificates (after experimenting a lot and getting it
right), and this stuff seems to work. I have one big bundle of
certificates stored under /etc/letsencrypt/live/sd-41XXX.dedibox.fr
(sd-41XXX.dedibox.fr being my server's FQDN), and I have all the
certificates for all domains and subdomains of example1.com,
example2.com, example1.net and example2.net.

So before I go any further with this, I'm asking the more technically
proficient admins here. Are there any drawbacks to using this solution?
Is it problematic to bundle all my certificates into one big fat SAN
certificate? This being said, the machine will host a maximum of two
dozen domains, each with a handful of subdomains like mail.example1.com,
xmpp.example1.com, etc.


Niki Kovacs
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
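A practical check for the question above is whether the one bundled SAN certificate actually names every hostname a client will verify (the name in the MX record for Postfix, the IMAP hostname configured in mail clients for Dovecot, the XMPP domain and its mail./xmpp. subdomains for Prosody), and whether the bundle stays under Let's Encrypt's limit of 100 names per certificate, which two dozen domains with a handful of subdomains each can approach. The script below is an added example, not code from the original post; the SAN list and service hostnames are constructed sample data built from the example domains in the post, and the matching rules follow RFC 6125 (exact match, or a wildcard only as the entire leftmost label matching exactly one label).

```python
"""Check that a planned SAN name list covers every service hostname.

Added example: SAN names and hostnames below are constructed sample data.
"""

# Let's Encrypt issues at most this many names on a single certificate.
LETSENCRYPT_MAX_NAMES = 100

# Constructed: names you would request with certbot -d ... for one bundle.
PLANNED_SANS = [
    "sd-41XXX.dedibox.fr",      # the server FQDN used as the lineage name
    "example1.com", "www.example1.com",
    "mail.example1.com", "xmpp.example1.com",
    "example2.com", "*.example2.com",
    "example1.net", "example2.net",
]

# Constructed: hostnames that clients of each service will verify.
SERVICE_HOSTNAMES = [
    "mail.example1.com",   # Postfix (MX target) and Dovecot IMAP
    "xmpp.example1.com",   # Prosody
    "mail.example2.com",
    "xmpp.example2.com",
    "mail.example1.net",   # not in the planned list
    "imap.example1.com",   # not in the planned list
]


def name_matches(san: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive exact match, or a wildcard that is
    the whole leftmost label and matches exactly one label. "*.example.com"
    matches "mail.example.com" but neither "example.com" nor
    "a.b.example.com"."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san == hostname:
        return True
    if not san.startswith("*."):
        return False
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # Same label count, and every label after the wildcard identical.
    return len(san_labels) == len(host_labels) and san_labels[1:] == host_labels[1:]


def coverage(san_names, hostnames):
    """Map each hostname to the SAN entry that covers it, or None."""
    return {
        h: next((s for s in san_names if name_matches(s, h)), None)
        for h in hostnames
    }


def missing(san_names, hostnames):
    """Hostnames that no SAN entry covers, sorted for stable output."""
    return sorted(h for h, s in coverage(san_names, hostnames).items() if s is None)


def exceeds_letsencrypt_limit(san_names):
    """True when the distinct names would not fit on one certificate."""
    return len({n.lower().rstrip(".") for n in san_names}) > LETSENCRYPT_MAX_NAMES


if __name__ == "__main__":
    for host, san in coverage(PLANNED_SANS, SERVICE_HOSTNAMES).items():
        print(f"{host:22s} -> {san if san else 'NOT COVERED'}")
    if missing(PLANNED_SANS, SERVICE_HOSTNAMES):
        print("add these names before requesting the certificate:",
              ", ".join(missing(PLANNED_SANS, SERVICE_HOSTNAMES)))
    if exceeds_letsencrypt_limit(PLANNED_SANS):
        print("too many names for one certificate; split the bundle")
```

Run it once per planned bundle before calling certbot; the uncovered names are exactly the ones whose clients would see a certificate-name mismatch, which is the failure that a single-certificate service like Postfix cannot work around by choosing a different certificate per domain.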