-1

I did a lot of research on this but still I am confused about how many certificates I need to self-sign for each of my services running on my private server. Here is the deal:

I am creating my own server on a Raspberry Pi (Raspbian~Debian) to run my own VPN server, a calendar/contact server (Darwin) and probably in the future an e-mail server and a web server.

First I have configured the OpenVPN server with Easy-RSA (client authenticates with key and password: following this tutorial). Of note, Easy-RSA seems to be related to OpenVPN.

Now, I need to set up the calendar server and force TLS connections for security. But I am not sure if I need to self-sign another certificate or simply reuse old ones. This time the client will only authenticate with a password. Do I need a different self-signed certificate for each service?

There is also the ssl-cert-snakeoil.key, which I could be using or not?

2 Answers

0

If you are using the same URL for both services then use the same certificate. Self assigned certificates are useless though. Why don't you use a real certificate? https://letsencrypt.org/ It's free.

  • Thanks! They will all use the same domain name (provided by a dynamic DNS provider). I thought for personal usage self-signed is secure enough. Is it wrong? Basically, I wanted to understand a self-signed certificate first, then move on to a 3rd party verification. – Saren Tasciyan Jan 24 '16 at 13:30
0

An SSL certificate is basically telling the remote that the IP or DNS name they've connected to has a public-private key setup, and that the public key is "signed" by some certificate authority (CA) as belonging to that service on that DNS name or IP address. A certificate could (lately) include subjectAlternateNames (SANs) stating that the certificate is also valid for several other DNS names or IP numbers.

Now back to your question: If all the services are on the same name (i.e. "myhost.dyn-provider.net") then a single certificate for myhost.dyn-provider.net is all you need.

However, if you need it for mywww.dyn-provider.net (HTTPS), mycal.dyn-provider.net (iCal), mysmtp.dyn-provider.net (Email) and myftps.dyn-provider.net (FTPS) etc., then you will either need a certificate for each of those servers, or you could generate a single certificate with the extra SAN/subjectAlternateName entries (google for that; easyrsa 3.0.x also has help on that: easyrsa help altname for more info).

Hvisage
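
The single certificate with extra SAN entries described in the second answer, sketched with plain openssl as an added example (not code from either answer). The host names are the ones used in that answer; the file names, key size and one-year lifetime are assumptions.

```shell
#!/bin/sh
# Added example. Host names are from the answer above; file names,
# key size and lifetime are assumptions.

# make_san_cert OUTDIR PRIMARY_NAME [ALT_NAME...]
# Writes OUTDIR/server.key and OUTDIR/server.crt (self-signed).
make_san_cert() {
    outdir=$1; cn=$2; shift 2
    # Modern TLS clients match host names against the SAN list rather
    # than the CN, so the primary name is listed as a SAN entry too.
    sans="DNS:$cn"
    for name in "$@"; do sans="$sans,DNS:$name"; done

    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $cn
[v3]
subjectAltName = $sans
extendedKeyUsage = serverAuth
EOF
    # umask keeps the unencrypted private key readable by its owner only.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -config "$outdir/san.cnf" \
          -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null )
}

# cert_covers CERT HOSTNAME: exit status 0 if CERT is valid for HOSTNAME.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Demo: one certificate for the main host, the calendar and the mail name.
demo_dir=$(mktemp -d)
make_san_cert "$demo_dir" myhost.dyn-provider.net \
    mycal.dyn-provider.net mysmtp.dyn-provider.net
for h in myhost mycal mysmtp myftps; do
    if cert_covers "$demo_dir/server.crt" "$h.dyn-provider.net"; then
        echo "$h.dyn-provider.net: covered"
    else
        echo "$h.dyn-provider.net: NOT covered, clients will reject the name"
    fi
done
```

Running the same `cert_covers` check against a certificate already in use shows whether it can be shared with a new service or whether a name is missing from it.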