rgm at htt-consult.com
Fri Aug 31 21:30:53 UTC 2018
On 08/31/2018 01:47 PM, Chuck Campbell wrote:
> I am getting myself confused, and need someone who fully understands
> this process to help me out a bot.
> I would like to obtain an ssl certificate, so I can run my own imap
> server on a machine in my office.
> My domain is hosted by networksolutions, but I don't run my imap
> server there.
> I am assuming I'll need to pay a CA to generate what I need, but I'm
> confused about what I need. I am running dovecot at teh moment, but my
> clients (iphone, windows laptops) say my ssl connection is not
> trusted. The phone just won't connect.
> I tried emailing the dovecot.pem file to my phone and installing it,
> but it just says it is not trusted.
> This leads me to obtaining a real CA issued certificate. I'm not sure
> what to do with it, once I get one, and then if I need to subsequently
> regenerate my dovecot.pem file??
Many large companies run their own CA and install their own root
certificate. Often installing a root cert is easier than installing a
self-signed independent cert. There is much written about building your
own CA and a number of tools for that like openCA. I can't speak for
all your devices or apps, but there should be ways....
In personal promotion, I have been doing my own CA work for ECDSA certs
and now for EDDSA certs (and I wonder what commercial CAs are providing
them). See my Internet draft:
And my github for pending updates to this and the new eddsa-pki draft
(to be published after openSSL 1.1.1 is released).
Or go to openCA or look at other CA toolkits available on Centos and Fedora.
Letsencrypt is a very important development, but it has (IMHO) a shaking
foundation. I would not build a production system around it. But then
I have lived in aspects of PKI since '95...
More information about the CentOS