Certificate madness management

[jomo]

I plan to install it on my jail: Apache/SSL + dovecot + exim.

• for the dovecot, default location for certificates is /etc/ssl/{private,certs}/dovecot.*
• for the exim /etc/ssl/exim.{crt,pem}
• for the apache default is recommended to have them somewhere in /usr/local/etc/apache22 ...

I was already read a lot of posts here and on the Internet (too) especially:

• http://daemon-notes.com is very helpful in overall
• and here: http://forums.freebsd.org/showthread.php?t=6490&highlight=certificate is an brilliant post,

so "so-as" understand the basic principles, but I still have open questions:

• Why the default location of the certificates does not follow the same logic (eg /etc/ss/{certs,private}/program.*)
• It is safe centralize them to one place?

• Why it is necessary to create two different certificate for dovecot and exim? Can both programs use the same certificate?

• What I should to do NOW, if someday I want to have purchased a certificate for apache? Should i now
  • - generate a certificate request and
  • - sign in myself (so two step solution)
• and in the future when I will ask for the signed certificate can i use the above request? Or will need create another request?

• Maybe in the future there will be also certificates for ldap and jabberd. Can/should use the same as for exin - dovecot, or need create another ones?
  
• Exists somewhere some coherent overall manual (or system) to manage all those certificates?

Most of the guides I've read are either:

• for only one program (eg dovecot or ldap)
• or for openssl in general
• but no one what give overall view for answers to questions like the above ...

Can someone clear a bit the above questions - really short answers with simple english are pretty enough, because
my English is only slightly better than google translate. (Sorry, for typos too).

 

[Morte]

Organizing certs in one place, vs putting them with their respective software configuration is simply a matter of taste. FreeBSD standardizes in where config files are located (although this can usually be changed at run time), but you can put other stuff wherever you want. I don't think there's any security problem with centralizing certificates, aside from each daemon requiring permission to access that point. If daemon 1 is exploited, it's possible this could result in certificate for daemon 2 being compromised - depending on how loose or tight permissions are.

I'm not familiar with exim, and have limited dovecot experience, but all software I've used with ssl support can use the came certificate format... except Apache. Provided you're using the same host name for each service, you should be able to share the same cert.

When you self sign certs, it's considered "untrusted" because it's not from a certificate authority. You can generate and sign them as much as you want; they're equally untrusted. When you get a formal certificate, it's better to generate the request at that time, as it's hard to predict what they may require in the future.

 

[gkontos]

• Why the default location of the certificates does not follow the same logic (eg /etc/ss/{certs,private}/program.*)
• It is safe centralize them to one place?

I install all my certificates under /etc/ssl/program
For apache I use the following scheme: /ets/ssl/apache/domain/ just to avoid mistakes in the future.

Centralizing is safe. You only need to make sure that the owner is root and that the permissions are set to 600

[*]Why it is necessary to create two different certificate for dovecot and exim? Can both programs use the same certificate?

I am not sure about exim but postifx and dovecot can share the same certificate as long as they bind under the same hostname.

• What I should to do NOW, if someday I want to have purchased a certificate for apache? Should i now
  • - generate a certificate request and
  • - sign in myself (so two step solution)
• and in the future when I will ask for the signed certificate can i use the above request? Or will need create another request?

Either way will work.

[*]Maybe in the future there will be also certificates for ldap and jabberd. Can/should use the same as for exin - dovecot, or need create another ones?

As long as you keep the same host and domain name you should be ok for SSL.

 

[jomo]

Wonderful answers. Thank you very much, saved me from a lot of experimentation.