SSL Certificate


Dear All, this is my continuation of postfix setup. Following link: postfix setup.

At one stage it says, "Configuring The Server Setup SSL Certificate":

Now generate an SSL certificate for postfix and dovecot to have TLS
support. Replace with your server hostname.

My doubts are:

1. I have to install an SSL certificate for the web server (apache case). I
am planning to purchase an SSL certificate and put it in place. Will the same certificate be useful for both the web server and the mail server, OR do the web and mail servers need separate SSL certificates?

2. I hope that for the web server case one must purchase an SSL certificate and use it (so that browsers will work smoothly without complaint). For the mail server, can one use a locally generated SSL certificate?

Kindly let me know.

Best Regards


4 thoughts on - SSL Certificate

  • Hi,

    I use, so I needed another certificate. I got the second certificate the same way I got the first, save for the change in the domain name.

    A self-signed certificate will trigger a warning for users. For this reason, I did not use self-signed and I suspect you don’t want to use a self-signed, either.

  • For the WEB server it makes sense to have a certificate that is signed by a known CA. However, for postfix a self-signed cert is just fine. When a user first connects with TLS, the mail client will complain. But with most mail clients (I use Thunderbird), you can get the certificate and store a permanent exception so it will never complain again. Other servers that make connections to deliver mail with STARTTLS generally don’t care.


  • In large measure it depends on the URL for both. I use a virtual host for webmail, different from the hostname. Also, typically, the email cert’s URL is the host name, not the domain name. Though I have not studied DANE, and I may have that part wrong. With the same URL, you can use one cert. With different URLs, you typically need multiple certs, but there are ways using altName to have more than one URL in a cert. Talk to who you buy your cert from.

    For me, and the size of my community, I have gone with a self-signed cert. I was in discussions on this on a number of lists. I have filed a bug report on the RedHat default SSL cert: 906476, they create the default cert during firstboot, with the wrong extensions for a client cert. Here is what I have used:

    cd /etc/pki/tls

    openssl req -new -outform PEM -out certs/ -newkey rsa:2048 -nodes -keyout private/ -keyform PEM -days 3650 -x509 -extensions v3_req

    Answer the prompts appropriately.

    You can then check this cert out with:

    openssl x509 -in certs/ -text -nameopt multiline

    Then don’t forget to change access to the private key:

    chmod 640 private/

    To each their own on certs. Note I participated in PKIX in the IETF and am the architect of the Bridge CA model used by the US gov’s pki and the BioPharma pki, so I carry a bias on certificates. Also a group in my day job is the largest provider of client certificates in the world (according to our marketing) and one of the largest providers of server certs; but I am NOT part of that group.
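As an added example (not from the thread above), this script does what the previous comment describes for the case where web and mail hostnames differ: it builds one self-signed certificate whose subjectAltName lists both hostnames, using a self-contained OpenSSL config instead of the system openssl.cnf's v3_req section, then checks which DNS names the certificate actually carries. The hostnames, directory and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: one self-signed server certificate covering several hostnames
# (e.g. the web host and the mail host) via subjectAltName, so a single
# key/cert pair can be handed to Apache, Postfix and Dovecot.
# Hostnames and paths used here are constructed placeholders.
set -eu

# make_san_cert OUTDIR CN HOST1 [HOST2 ...]
# Writes OUTDIR/server.key (mode 0640) and OUTDIR/server.crt (3650 days).
make_san_cert() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    # Build the "DNS:a,DNS:b,..." value for the subjectAltName extension.
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    # Minimal OpenSSL config: non-interactive subject plus server-usage
    # extensions (no CA bit, serverAuth EKU) and the SAN list.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $cn
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$outdir/san.cnf" -extensions v3_server \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null
    # Private key must not be world-readable (same chmod as in the thread).
    chmod 640 "$outdir/server.key"
}

# cert_has_dns CERT HOST -> exit 0 if HOST is listed as a DNS SAN entry.
# Uses -text output so it works on older OpenSSL builds without -ext.
cert_has_dns() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$2"
}
```

Clients match the hostname they connected to against the SAN list, so a name missing from it (a webmail virtual host, for instance) still produces a warning even though the certificate is otherwise valid.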