Author: Sander Smeenk Date: To: exim-users mailling list Subject: Re: [Exim] Do I use the same TLS certificate on all my hosts?
Quoting Andre Grueneberg (andre@???):
> > Im am implementing TLS on my internet mail gateways.
> > Do I use the same TLS certificate on all my servers, or is it best-practice
> > to create unique certificates on each server.
> It depends on whether these hosts serve under the same name or not. The
> certificate's ID shall be the same as the hostname the client connects
> to.
Besides that, a certificate is to make it harder to snif transmitted
emails AND to establish some sort of 'trust' (when using real
certificates issued by official Certificate Signing Authorities, but you
said you're using self-made certificates).
So just the encryption part remains. Think of what happens when I get my
hands on your private key, I can theoretically sniff all traffic
generated by any of your servers and decrypt it and still read all your
email.
While if you use different certificates on each server, I can only
decrypt one server's traffic.
I'd say create unique certs for every server.
That IS the whole idea behind it... Unique identification & encryption.
Sander.
-- | A box withouth hinges, key, or lid, yet golden treasure inside is hid.
| 1024D/08CEC94D - 34B3 3314 B146 E13C 70C8 9BDB D463 7E41 08CE C94D
