On 14 Apr 2016, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
I know, that's an old mail :-) But I have saved it for the time I will be ready to deploy LE certificates. That time has come.
One approach to making sure that DANE TLSA records are less likely to fail that should work well for sites using CA-issued certificates is to publish both "3 1 1" and "2 1 1" TLSA records:
mx.example. IN TLSA 3 1 1 <digest of server public key>
mx.example. IN TLSA 2 1 1 <digest of immediate issuer public key>
[…]
In particular, this is the best practice with Let's Encrypt issued SMTP server certificates, as explained in:
https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certific...
First of all I have to admit that I am lacking knowledge when it comes to certificates in general. So far, I got along with self-signed certificates that I generated with the help of all those numerous howtos one can find. It worked.
If I remember correctly, and if I understand your conclusions in other mails correctly, long-lasting self-signed certificates plus periodically rotated TLSAs are still a good basis to run a secured mailserver on port 25. (FYI: I am using opendnssec for rotating every 3 months.)
After having read this best practice document, I am still hesitant to deploy a LE certificate to my mailserver's domain, because I do not understand all the implications, yet.
Thus I would like to raise some newbie questions regarding the following project:
domain: example.org
mailserver: mx.example.org with TLSA 3 1 1
IMAP server: mail.example.org
webserver: www.example.org
#) Would it be possible to get *two* distinct LE certificates, one for the IMAP and one for the webserver ..
#) .. and simultaneously *keep* my self-signed certificate for the mailserver ..
#) .. and forget about the issues mentioned above?
#) Or should I strictly separate my mailserver from the rest by means of distinct domains, instead?
Excuses in advance if these are silly questions, but as I mentioned above, I am lacking skills w.r.t. certificates.
Thanks in advance and regards, Michael
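Worked example of the "3 1 1" plus "2 1 1" pairing quoted at the top of this message. This script is added here and is not code from either message in the thread; it generates a throwaway issuer and server key with openssl so it runs offline, and the names (Toy Issuer, mx.example.org) are placeholders. It derives the TLSA data for both records, then shows the property the advice relies on: renewing or re-issuing the server certificate with the same key leaves the "3 1 1" digest unchanged, while swapping the issuer changes the "2 1 1" digest.

```shell
#!/bin/sh
# Added example, not from the thread: derive DANE TLSA "3 1 1" and "2 1 1"
# data with openssl. Names are placeholders; all keys and certificates are
# generated below, so nothing is fetched from the network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER SubjectPublicKeyInfo of a certificate: the TLSA data
# for selector 1 (SPKI) with matching type 1 (SHA-256). Usage 3 applies it to
# the server certificate, usage 2 to the issuer (intermediate) certificate.
spki_sha256() {   # certfile
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= //' | tr 'A-Z' 'a-z'
}

# Print one TLSA record in zone-file form.
tlsa_record() {   # owner usage certfile
    printf '%s. IN TLSA %s 1 1 %s\n' "$1" "$2" "$(spki_sha256 "$3")"
}

# Does a published digest (any case) match what this certificate would yield?
tlsa_check() {    # published_hex certfile
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(spki_sha256 "$2")" ]
}

newkey() {        # keyfile
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null
}

# Two throwaway issuers standing in for CA intermediates.
newkey "$WORK/ca.key"
openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Toy Issuer" -days 30 -out "$WORK/ca.crt" 2>/dev/null
newkey "$WORK/ca2.key"
openssl req -x509 -new -key "$WORK/ca2.key" -subj "/CN=Toy Issuer 2" -days 30 -out "$WORK/ca2.crt" 2>/dev/null

# Server key, kept across renewals; one CSR is signed three times.
newkey "$WORK/mx.key"
openssl req -new -key "$WORK/mx.key" -subj "/CN=mx.example.org" -out "$WORK/mx.csr" 2>/dev/null
sign() {          # cafile cakey serial outfile
    openssl x509 -req -in "$WORK/mx.csr" -CA "$1" -CAkey "$2" -set_serial "$3" -days 30 -out "$4" 2>/dev/null
}
sign "$WORK/ca.crt"  "$WORK/ca.key"  1 "$WORK/mx.crt"           # initial certificate
sign "$WORK/ca.crt"  "$WORK/ca.key"  2 "$WORK/mx-renewed.crt"   # renewal, same key and issuer
sign "$WORK/ca2.crt" "$WORK/ca2.key" 3 "$WORK/mx-reissued.crt"  # same key, different issuer

D311=$(spki_sha256 "$WORK/mx.crt")
D211=$(spki_sha256 "$WORK/ca.crt")

tlsa_record mx.example.org 3 "$WORK/mx.crt"
tlsa_record mx.example.org 2 "$WORK/ca.crt"
echo "3 1 1 after renewal with the same key:   $(spki_sha256 "$WORK/mx-renewed.crt")"
echo "3 1 1 after re-issue by another issuer:  $(spki_sha256 "$WORK/mx-reissued.crt")"
echo "2 1 1 of the other issuer:               $(spki_sha256 "$WORK/ca2.crt")"
```

Two caveats follow from the digests themselves. The "3 1 1" record only stays valid as long as the ACME client reuses the server key at renewal, so a client that generates a fresh key on every run breaks it silently. The "2 1 1" record only matches if the server sends the issuer's certificate in its handshake chain and the issuer itself is not rotated; since an issuer change is outside your control, keep both records published so that either one can carry the connection while the other is updated.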