[GLLUG] Openssl and certificates

Andy Smith andy at bitfolk.com
Tue Jul 28 16:08:46 UTC 2020 

Hello,

On Tue, Jul 28, 2020 at 09:47:51AM +0100, Chris Bell via GLLUG wrote:
> Openssl makes it easier to create my own CA and issue certificates for local 
> boxes with specified uses such as WWW and EMAIL, but I am not clear on the best 
> approaches for multiple domains and boxes. I have dedicated individual boxes 
> to use as web server, email gateway, and email server, and multiple boxes for 
> each job to enable online backup and offline upgrades. Should individual 
> certificates be created for individual boxes or should the same certificate be 
> shared between all boxes allocated for each individual job?

I don't think TLS concerns itself with what particular piece of
hardware is involved, it's about what is terminating the TLS
conversation for a given name.

If the conversation for foo.example.com could end up at any one of
several hosts then all hosts need the same TLS key material. If
you're terminating the conversation on a single load balancer with
20 hosts behind it but you're not talking TLS between the load
balancer and the hosts, then only the load balancer needs the key
material. If you have an active/passive pair of load balancers to
provide redundancy then both need the key material. And so on.

I create them with Let's Encrypt and have config management renew
them and push them out to where they need to be, so it doesn't
really matter how many there are.

If you had a web site on https://example.com/ I don't think you
would be wanting to call your mail server also example.com, so the
question of whether to share the key material doesn't arise. But
let's say for argument's sake that your mail server calls itself
mail.example.com and you also have webmail on
https://mail.example.com/. Should those two things share the same
key material?

With config management it is almost as easy to have them have unique
key material as it is to have them share. For long-lived keys there
is an argument to have them be separate so as to have fewer copies
that could be mislaid, but in the Let's Encrypt age the certs are
renewed every three months so that is less of a concern.

Also whether to use a single wildcard cert for everything under
example.com.

With frequent renewal I think you could argue either way.

I'd be more concerned about automation and only then think about
whether to use one or many or wildcard certs for the same name.

If the names are not valid outside your local network (e.g. you
expect users to connect to private DNS names like
https://admin.mycorp/) then you can't use Let's Encrypt and have to
do your own CA, which does make things a lot more of a faff. I tend
to argue for things being in the public DNS for this reason, as at
least then you can do ACME DNS-01.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

More information about the GLLUG mailing list