Re: [exim] Advertising TLS

Author: Mike Pellatt
Date:  
To: exim-users
Subject: Re: [exim] Advertising TLS


On 03/11/2015 16:19, Jeremy Harris wrote:
> On 03/11/15 16:05, Ian Eiloart wrote:
>>> On 3 Nov 2015, at 14:52, Jon Gerdes <gerdesj@???> wrote:
>>>
>>> Generating a self signed certificate at install time could be fraught
>>> with problems:  what if there is an insecure OpenSSL/LibreSSL/whatever
>>> library installed and used?
>> Rather than use a self-signed certificate, why not use LetsEncrypt.org to get a free domain bound certificate with widespread trust anchors?
>>     https://letsencrypt.org/getinvolved/
>
> https://community.letsencrypt.org/t/frequently-asked-questions-faq/26
>
>> Can I use certificates from Let’s Encrypt for code signing or email
>> encryption?
>>
>> No. Email encryption and code signing require a different type of
>> certificate than Let’s Encrypt will be issuing.
> Not especially encouraging.

They're talking about email encryption a la PGP by the MUA. Not
transport encryption between MTAs. They generate exactly the sort of
certificate you need for that. All you need is that the DNS entry for
the host points to the machine requesting the cert, IIRC.

Mike