Best practice TLSA RRs for CA-issued certs
trashcan at ellael.org
Thu Dec 29 20:31:24 CET 2016
On 14 Apr 2016, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
I know, that's an old mail :-) But I have saved it for the time I will be ready to deploy LE certificates. That time has come.
> One approach to making sure that DANE TLSA records are less likely
> to fail that should work well for sites using CA-issued certificates
> is to publish both "3 1 1" and "2 1 1" TLSA records:
> mx.example. IN TLSA 3 1 1 <digest of server public key>
> mx.example. IN TLSA 2 1 1 <digest of immediate issuer public key>
> In particular, this is the best practice with Let's Encrypt
> issued SMTP server certificates, as explained in:
First of all I do have to admit that I am lacking knowledge when it comes to certificates, in general. Sofar, I got along with selfsigned certificates that I did generate with the help of all those numerous howtos one can find. It worked.
If I do remember correctly, and if I do understand your conclusions in other mails correctly, long lasting selfsigned certificates plus periodically rotated TLSAs are still a good basis to run a secured mailserver at port 25. (FYI: I am using opendnssec for rotating every 3 month.)
After having read this best practice document, I am still hesitant to deploy a LE certificate to my mailserver's domain, because I do not understand all the implications, yet.
Thus I would like to raise some newbie questions regarding the following project:
mailserver: mx.example.org with TLSA 3 1 1
IMAP server: mail.example.org
#) Would it be possible to get *two* distinct LE certificates, one for the IMAP and one for the webserver ..
#) .. and simultaneously *keep* my selfsigned certificate for the the mailserver ..
#) .. and forget about the issues mentioned above?
#) Or should I strictly separate my mailserver from the rest by means of distinct domains, instead?
Excuses in advance if this are silly questions, but as I mentioned above, I am lacking skills w.r.t. certificates.
Thanks un advance and regards,
More information about the dane-users