I did a lot of research on this but still I am confused about how many certificates I need to self-sign for each of my services running on my private server. Here is the deal:
I am creating my own server on raspberry Pi (raspbian~debian) to run my own VPN server, a calendar/contact server (Darwin) and probably in the future an e-mail server and a web server.
First I have configured the openvpn server with easy RSA (client authenticates with key and password: following this tutorial). Of note, easy RSA seems to be related to openVPN.
Now, I need to set up the calendar server and force TLS connections for security. But I am not sure, if I need to self-sign another certificate or simply reuse old ones. This time client will only authenticate with a password. Do I a different self signed certificate for each service?
There is also the ssl-cert-snakeoil.key, which I could be using or not?
Answer
A SSL certificate, is basically telling the remote, that the IP or DNS name they’ve connected to, have a public-private key setup, and that the public-key is “signed” by some certificate authority (CA) as belonging to that service on that DNS name or IP address.
A Certificate could (lately) include subjectAlternateNAmes (SANs) stating that the certificate is also valid for several other DNS names or IP numbers.
Now back to your question: If all the services are on the same name (ie. “myhost.dyn-provider.net”) then a single certificate for myhost.dyn-provider.net is all you need.
However, if you need it for mywww.dyn-provider.net (HTTPS), mycal.dyn-provider.net (iCal), mysmtp.dyn-provider.net (Email) and myftps.dyn-provider.net (FTPS) etc., then you will either need a certificate for each of those servers, or you could generate a single certificate with the extra SAN/subjectAlternateName entries (google for that, easyrsa 3.0.x also have help on that: easyrsa help altname for more info)
Attribution
Source : Link , Question Author : Saren Tasciyan , Answer Author : Hvisage
