On 21/01/2018 8:47 pm, Viktor Dukhovni wrote:
>> I see wildcard SSL certificates are coming down in price. I use
>> SSL on one or two websites and am starting to consider one of these
>> to cover everything I do. Am I right in assuming a standard wildcard
>> SSL certificate will be usable on both web and email servers?
> You *really* should AVOID wildcard certificates; they are a magnet
> for both security and operational issues. Get a distinct self-signed
> or free CA certificate for each server. Space out certificate rotation
> in time for the different servers that provide redundancy for each service,
> so as to avoid a single point of failure when certificate rotation is
> accidentally mishandled.
>
> Finally, for SMTP, your best security gambit is DANE, and here self-signed
> certificates are just as good or better than CA-issued certificates.
> You're far less likely to mess up certificate rotation when doing it
> yourself than when integrating certbot and forgetting to care to
> pre-stage DNS TLSA record updates (3 1 1) before obtaining a new cert
> for the underlying public key.
>
Thanks for the response, Viktor.
I won't ask you to expand on why wildcard certificates should be avoided (unless you want to). I use DANE, so based on what you're saying, wildcard certificates may not be cost-effective for me anyway (since you advise against using them and say self-signed is fine for email).
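The TLSA "3 1 1" pre-staging that Viktor describes, as an added shell example that is not part of this thread or of any project's tooling: it computes the SPKI digest a DANE-EE record carries, prints the record for port 25, and checks a candidate replacement certificate against the digests already published before the swap. It assumes the openssl CLI; the host name mail.example.com and the text file that stands in for the DNS zone are assumptions, and the certificates it generates are throwaway self-signed ones built for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: DANE TLSA "3 1 1" handling for an SMTP
# server certificate, including the pre-stage check to run before a rotated
# certificate goes live. Assumes the openssl CLI is installed; the host name
# mail.example.com and the digest file standing in for DNS are assumptions.
set -eu

# SHA-256 over the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# This is the value a TLSA record with selector 1, matching type 1 carries,
# so it depends only on the key pair, not on the certificate's dates or issuer.
spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{ print $NF }'
}

# Full record for port 25: usage 3 (DANE-EE), selector 1 (SPKI), type 1 (SHA-256).
tlsa_record() {
    # $1 = certificate file, $2 = MX host name
    printf '_25._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$(spki_sha256 "$1")"
}

# Pre-stage check. $1 = candidate certificate, $2 = file holding the digests
# currently published in DNS (one hex digest per line; a constructed stand-in
# for a real DNS lookup). Succeeds only if the candidate's key already has a
# record, i.e. DANE-verifying senders keep accepting the server after the swap.
safe_to_deploy() {
    grep -qix "$(spki_sha256 "$1")" "$2"
}

# Helpers that build throwaway self-signed certificates for the demo.
new_key_and_cert() {     # $1 = key out, $2 = cert out
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj '/CN=mail.example.com' -days 90 >/dev/null 2>&1
}
renew_cert_same_key() {  # $1 = existing key, $2 = cert out
    openssl req -x509 -new -key "$1" -out "$2" \
        -subj '/CN=mail.example.com' -days 90 >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    new_key_and_cert "$d/key1.pem" "$d/cert1.pem"
    spki_sha256 "$d/cert1.pem" > "$d/dns.txt"      # what is published today
    tlsa_record "$d/cert1.pem" mail.example.com

    # Renewal that keeps the key: same digest, no DNS change needed.
    renew_cert_same_key "$d/key1.pem" "$d/cert1-renewed.pem"
    safe_to_deploy "$d/cert1-renewed.pem" "$d/dns.txt" && echo "renewed cert: safe"

    # Renewal that rolls the key, as an ACME client will do unless told to
    # reuse it: must be pre-staged, otherwise DANE clients fail verification.
    new_key_and_cert "$d/key2.pem" "$d/cert2.pem"
    if safe_to_deploy "$d/cert2.pem" "$d/dns.txt"; then
        echo "new-key cert: safe"
    else
        echo "new-key cert: NOT safe, publish this first and wait out the TTL:"
        tlsa_record "$d/cert2.pem" mail.example.com
    fi
    spki_sha256 "$d/cert2.pem" >> "$d/dns.txt"     # pre-stage the new record
    safe_to_deploy "$d/cert2.pem" "$d/dns.txt" && echo "new-key cert: safe after pre-staging"
    rm -rf "$d"
}

demo
```

Because a 3 1 1 record hashes only the public key, a renewal that reuses the key never needs a DNS change; only a key roll does, and then the new record has to be published and the old TTL allowed to expire before the new certificate is served. Keeping both digests published through the transition is what lets the swap happen without a window in which DANE verification fails.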