Nginx – use the same SSL certificate for smtp, imap, pop3 and http

Tags: courier, exim, nginx, ssl, ssl-certificate

So far I'm using self-signed certificates, but decided to at least consider getting the "real" one.

So far I noticed that internal formats of the certificates are a bit different, that is:

  • http (nginx) certificate has only CERTIFICATE part (with base64 encoded content) and KEY with also only base64 content
  • smtp (exim) crt file contains certificate textual information (issuer, subject, algorithm, dates, and so on), plus CERTIFICATE block with base64 data, while the .key file for exim contains only base64 encoded key
  • imap/pop3 (courier) .pem file contains key (base64), certificate info (textual), and certificate itself (base64).

Can I get any "web" certificate from thawte or some company like this, and from this (and key file) generate all formats that I need for nginx, exim4 and courier, or do I need to get separate certificates, or is it something else entirely?

Best Answer

The short answer is that yes, a single certificate can be used for all those services.

The key and certificate can be stored in many formats, and using the openssl tool you can convert your key and certificate to other formats.

The real barrier is whether you can get a certificate that is valid for all the names that you wish to use. For your web you might want to use www.example.com, and for your mail you might want to use mail.example.com. You can get a wildcard or SAN certificate that will cover lots of names, but these cost more. It may be cheaper to get a couple of individual certificates. The prices for different certs are different, so take some time and work out which will be cheaper in your case.
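The conversion the answer refers to, as an added example that is not part of the original answer: it builds the three file layouts listed in the question from one key and certificate, then checks that every file carries the same certificate and that the key matches it. The file names, the CN and the throwaway self-signed pair (standing in for a CA-issued certificate) are constructed for the demo.

```shell
#!/bin/sh
# Added example: one key/certificate pair written out in three layouts.
# All file names and the subject name are constructed placeholders.

make_demo_pair() {   # $1 = output dir; stands in for the CA-issued pair
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=mail.example.com" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

build_layouts() {    # $1 = dir holding server.key and server.crt
    d=$1
    (
        umask 077    # files containing the private key stay owner-only
        # nginx: bare PEM certificate and bare PEM key
        openssl x509 -in "$d/server.crt" -out "$d/nginx.crt"
        cp "$d/server.key" "$d/nginx.key"
        # exim: textual dump followed by the PEM block; key stays bare
        openssl x509 -in "$d/server.crt" -text -out "$d/exim.crt"
        cp "$d/server.key" "$d/exim.key"
        # courier: key, textual dump and PEM block in a single file
        cat "$d/server.key" "$d/exim.crt" > "$d/courier.pem"
    )
}

cert_fp() {          # SHA-256 fingerprint of the certificate in file $1
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

key_matches_cert() { # $1 = file with the key, $2 = file with the certificate
    k=$(openssl pkey -in "$1" -pubout | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# Optional demo run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d) && make_demo_pair "$dir" && build_layouts "$dir"
    key_matches_cert "$dir/courier.pem" "$dir/courier.pem" && ls -l "$dir"
fi
```

The textual dump in the exim and courier files is informational only; the PEM blocks are what get parsed, which is why the fingerprints agree across all three layouts.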