[GLLUG] Openssl and certificates

James Courtier-Dutton james.dutton at gmail.com
Tue Jul 28 11:10:23 UTC 2020


On Tue, 28 Jul 2020 at 09:48, Chris Bell via GLLUG
<gllug at mailman.lug.org.uk> wrote:
>
> Hello,
> Openssl makes it easier to create my own CA and issue certificates for local
> boxes with specified uses such as WWW and EMAIL, but I am not clear on the best
> approaches for multiple domains and boxes. I have dedicated individual boxes
> to use as web server, email gateway, and email server, and multiple boxes for
> each job to enable online backup and offline upgrades. Should individual
> certificates be created for individual boxes or should the same certificate be
> shared between all boxes allocated for each individual job?
> Thanks for any information.
> --
> Chris Bell
> Website http://chrisbell.org.uk
>

Certificates for use with TLS have a number of possible options:
1) Host specific.  So contain only one domain name. e.g.   www.website.com
2) Multiple hosts sharing the certificate.  Using something called
"subject alternative names", you can have one cert, multiple domains.
e.g. www.website.com,  www.second.com,  www.third.com  all in a single cert.
e.g. www.website.com, email-gw.website.com, email-srv.web  all in a single cert.
3) Wildcard
e.g. *.website.com

So, the decision to have multiple certificates, or one wildcard
certificate is really up to you.
Either option is workable.

If you use your own CA with openssl, it will work for you locally, but
external users will not have the correct trusted root certificate so
they will see warnings before connecting.

Kind Regards

James
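Added example, not code from the thread: the options above carried out with the openssl command line, a private CA, one certificate listing several hosts as subjectAltName, a wildcard certificate, and the chain-plus-hostname check a TLS client performs. Every hostname (under example.test) and the working directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA built with the openssl CLI,
# one leaf cert carrying several hosts as subjectAltName, and one wildcard cert.
# All hostnames (*.example.test) and the work directory are assumptions.
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Self-signed CA certificate; extensions come from an inline config so the
# result does not depend on the system openssl.cnf.
make_ca() {
  cat > "$PKI_DIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private CA
[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$PKI_DIR/ca.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# issue_cert <name> <dns-name>...  Signs one leaf whose SAN lists every name
# given (option 2 in the reply); a single '*.example.test' gives option 3.
issue_cert() {
  name="$1"; shift
  san=""
  for h in "$@"; do san="${san:+$san,}DNS:$h"; done
  openssl req -new -config "$PKI_DIR/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$PKI_DIR/$name.key" -out "$PKI_DIR/$name.csr" 2>/dev/null
  printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$san" > "$PKI_DIR/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$PKI_DIR/$name.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -extfile "$PKI_DIR/$name.ext" -out "$PKI_DIR/$name.crt" 2>/dev/null
}

# verify_host <name> <hostname>: what a client checks (chain to a trusted root
# plus hostname match against the SAN). Prints ok or fail. Drop -CAfile and
# the same cert fails, which is the warning external users would see.
verify_host() {
  if openssl verify -CAfile "$PKI_DIR/ca.crt" -verify_hostname "$2" \
      "$PKI_DIR/$1.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
```

A wildcard matches exactly one label, so `*.example.test` covers `www.example.test` but not `a.b.example.test`.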


