[CentOS] Certificates

Fri Aug 31 21:30:53 UTC 2018
Robert Moskowitz <rgm at htt-consult.com>

On 08/31/2018 01:47 PM, Chuck Campbell wrote:
> I am getting myself confused, and need someone who fully understands 
> this process to help me out a bot.
> I would like to obtain an ssl certificate, so I can run my own imap 
> server on a machine in my office.
> My domain is hosted by networksolutions, but I don't run my imap 
> server there.
> I am assuming I'll need to pay a CA to generate what I need, but I'm 
> confused about what I need. I am running dovecot at teh moment, but my 
> clients (iphone, windows laptops) say my ssl connection is not 
> trusted. The phone just won't connect.
> I tried emailing the dovecot.pem file to my phone and installing it, 
> but it just says it is not trusted.
> This leads me to obtaining a real CA issued certificate. I'm not sure 
> what to do with it, once I get one, and then if I need to subsequently 
> regenerate my dovecot.pem file??

Many large companies run their own CA and install their own root 
certificate.  Often installing a root cert is easier than installing a 
self-signed independent cert.  There is much written about building your 
own CA and a number of tools for that like openCA.  I can't speak for 
all your devices or apps, but there should be ways....

In personal promotion, I have been doing my own CA work for ECDSA certs 
and now for EDDSA certs (and I wonder what commercial CAs are providing 
them).  See my Internet draft:


And my github for pending updates to this and the new eddsa-pki draft 
(to be published after openSSL 1.1.1 is released).


Or go to openCA or look at other CA toolkits available on Centos and Fedora.

Letsencrypt is a very important development, but it has (IMHO) a shaking 
foundation.  I would not build a production system around it.  But then 
I have lived in aspects of PKI since '95...