Re: [GLLUG] Openssl and certificates
Hello,

On Tue, Jul 28, 2020 at 09:47:51AM +0100, Chris Bell via GLLUG wrote:
> Openssl makes it easier to create my own CA and issue certificates for local
> boxes with specified uses such as WWW and EMAIL, but I am not clear on the best
> approaches for multiple domains and boxes. I have dedicated individual boxes
> to use as web server, email gateway, and email server, and multiple boxes for
> each job to enable online backup and offline upgrades. Should individual
> certificates be created for individual boxes or should the same certificate be
> shared between all boxes allocated for each individual job?

I don't think TLS concerns itself with what particular piece of hardware is involved, it's about what is terminating the TLS conversation for a given name. If the conversation for foo.example.com could end up at any one of several hosts then all hosts need the same TLS key material.

If you're terminating the conversation on a single load balancer with 20 hosts behind it but you're not talking TLS between the load balancer and the hosts, then only the load balancer needs the key material. If you have an active/passive pair of load balancers to provide redundancy then both need the key material. And so on.

I create them with Let's Encrypt and have config management renew them and push them out to where they need to be, so it doesn't really matter how many there are.

If you had a web site on https://example.com/ I don't think you would be wanting to call your mail server also example.com, so the question of whether to share the key material doesn't arise. But let's say for argument's sake that your mail server calls itself mail.example.com and you also have webmail on https://mail.example.com/. Should those two things share the same key material? With config management it is almost as easy to have them have unique key material as it is to have them share.

For long-lived keys there is an argument to have them be separate so as to have fewer copies that could be mislaid, but in the Let's Encrypt age the certs are renewed every three months so that is less of a concern.

Also whether to use a single wildcard cert for everything under example.com. With frequent renewal I think you could argue either way. I'd be more concerned about automation and only then think about whether to use one or many or wildcard certs for the same name.

If the names are not valid outside your local network (e.g. you expect users to connect to private DNS names like https://admin.mycorp/) then you can't use Let's Encrypt and have to do your own CA, which does make things a lot more of a faff. I tend to argue for things being in the public DNS for this reason, as at least then you can do ACME DNS-01.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

-- 
GLLUG mailing list
GLLUG@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/gllug
Re: [GLLUG] Openssl and certificates
On Tue, 28 Jul 2020 at 09:48, Chris Bell via GLLUG wrote:
>
> Hello,
> Openssl makes it easier to create my own CA and issue certificates for local
> boxes with specified uses such as WWW and EMAIL, but I am not clear on the best
> approaches for multiple domains and boxes. I have dedicated individual boxes
> to use as web server, email gateway, and email server, and multiple boxes for
> each job to enable online backup and offline upgrades. Should individual
> certificates be created for individual boxes or should the same certificate be
> shared between all boxes allocated for each individual job?
> Thanks for any information.
> --
> Chris Bell
> Website http://chrisbell.org.uk
>

Certificates for use with TLS have a number of possible options:

1) Host specific. So contain only one domain name. e.g. www.website.com

2) Multiple hosts sharing the certificate. Using something called "subject alternative names", you can have one cert, multiple domains.
   e.g. www.website.com, www.second.com, www.third.com all in a single cert.
   e.g. www.website.com, email-gw.website.com, email-srv.web all in a single cert.

3) Wildcard e.g. *.website.com

So, the decision to have multiple certificates, or one wildcard certificate is really up to you. Either option is workable.

If you use your own CA with openssl, it will work for you locally, but external users will not have the correct trusted root certificate so they will see warnings before connecting.

Kind Regards
James
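An added example, not code from James's or Chris's mails: a throwaway private CA built with the openssl command line issues one certificate that carries several subject alternative names (two fixed hosts plus a wildcard), and two shell functions then check which hostnames that certificate is actually valid for, and that a client which does not trust the private root rejects it. All hostnames are made-up placeholders; it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): a private CA issues ONE certificate with
# several subjectAltName entries, then we ask openssl which hostnames it covers.
# All names are made-up placeholders. Requires openssl 1.1.1 or later.
set -e
WORK=$(mktemp -d)

# Own config so the example does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.website.com,DNS:email-gw.website.com,DNS:*.internal.website.com
EOF

# 1. Private CA root: a self-signed certificate, as the original poster does.
openssl req -x509 -config "$WORK/openssl.cnf" -subj "/CN=Example Private CA" \
  -newkey rsa:2048 -nodes -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. Key and CSR for the service. The CN barely matters; the SAN list decides.
openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=www.website.com" \
  -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null

# 3. The CA signs the CSR and attaches the [leaf_ext] extensions (the SANs).
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 90 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
  -out "$WORK/srv.crt" 2>/dev/null

# Returns 0 when srv.crt chains to our CA AND matches the given hostname.
# A wildcard SAN matches exactly one label: *.internal.website.com covers
# db.internal.website.com but not internal.website.com or a.b.internal.website.com.
cert_valid_for() {
  openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/srv.crt" >/dev/null 2>&1
}

# Returns 0 only if a client with NO trust in our private root would accept the
# cert; it never does, which is the warning external users would see.
cert_valid_without_ca() {
  openssl verify -no-CAfile -no-CApath "$WORK/srv.crt" >/dev/null 2>&1
}
```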
[GLLUG] Openssl and certificates
Hello,

Openssl makes it easier to create my own CA and issue certificates for local boxes with specified uses such as WWW and EMAIL, but I am not clear on the best approaches for multiple domains and boxes. I have dedicated individual boxes to use as web server, email gateway, and email server, and multiple boxes for each job to enable online backup and offline upgrades. Should individual certificates be created for individual boxes or should the same certificate be shared between all boxes allocated for each individual job?

Thanks for any information.

-- 
Chris Bell
Website http://chrisbell.org.uk