NetBSD-Users archive


Re: create keys and certificates for postfix/tls



Hi,

I am currently using free certificates from StartSSL.

I looked at letsencrypt, but I couldn't make any sense of it - can somebody
explain (from an admin point of view) how that is supposed to work?

https://letsencrypt.org/how-it-works/

Letsencrypt automates SSL certificate creation and signing. It's a bash/zsh script that can be launched via cron, and it authenticates the domain via DNS or HTTP (in my case HTTP with Nginx). Domains can be added with a -d on the command line. Re-signing is automated and easy. The symlinks in /etc/letsencrypt/ allow you to point to the working pem and private key files, e.g. for sendmail, Nginx, dovecot.

It took me about a couple of hours to get it working on FreeBSD. As the beta is now open to all, you can generate any number of SSL certificates.

Of course I will NOT install arbitrary 3rd party server side software
(where my server OS isn't even officially supported) to handle
important things like certificate renewals when it is a very simple
task to do just once a year.

Slight overreaction? A cron script every 90 days. Not really hard. There are a lot of pros to using verified SSL certificates for www, smtp (starttls - as a client or server) and imaps.

Pros: It means that all clients to the server don't have to install your self-signed certificate. In my case, the hybrid nature of our relationship with Office 365 allows the sendmail gateway to send all outgoing mail to Office 365, and it's verified by the SSL CN of the sendmail server. Really cool!


Given all the hype about it, I am sure I must be missing something.

Yes, absolutely! You need to use it and then realize why there is hype surrounding this product. And it's merited hype imho.

The SSL certificate market for plain certs is rightly doomed with this technology.
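
The reply above describes a cron-launched renewal whose results daemons read through symlinked certificate and key files. As an added example that is not part of the original message, here is a POSIX shell check a cron job could run before reloading a mail or web daemon: it confirms the private key belongs to the certificate and reports when expiry is near. The function names, the script name `check-cert.sh` and the argument order are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks a cron job can run on the certificate a daemon loads.
# Assumptions: PEM files; paths and the day threshold are passed as arguments.

# Return 0 when the certificate in $1 expires within $2 days (renewal is due).
# An unreadable certificate also counts as due.
cert_expires_within() {
    # -checkend N exits 0 only if the certificate is still valid N seconds from now
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Return 0 when the private key in $2 belongs to the certificate in $1.
# Compares the public key embedded in the certificate with the one derived
# from the private key; an unreadable file is treated as a mismatch.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit status: 0 = fine, 1 = renewal due, 2 = key/certificate mismatch.
check_deployed_cert() {
    if ! key_matches_cert "$1" "$2"; then
        echo "MISMATCH: $2 is not the key for $1"
        return 2
    fi
    if cert_expires_within "$1" "$3"; then
        echo "RENEW: $1 expires within $3 days"
        return 1
    fi
    echo "OK: $1 is valid for more than $3 days"
    return 0
}

# Usage from cron (hypothetical script name): check-cert.sh CERT KEY DAYS
[ "$#" -eq 0 ] || check_deployed_cert "$@"
```

A non-zero exit lets the cron job skip the daemon reload and mail the output to the administrator instead of loading a stale or mismatched pair.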

