Add a subdomain to an existing certificate for mail


#1

Hello everyone,

I just finished passing all my domains into https (thanks a lot Let’s Encrypt) and as everything goes well I would like to go further with a certificate for mail.

Currently I have used certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com

How do I add mail.example.com?

Can I use this certificate to encrypt data?

Thank you in advance for your help

I ran this command: certbot certonly --webroot

My operating system is (include version): Debian 8

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

That depends. Do you want a separate, new certificate, just for mail.example.com?

What do you mean with “data”? E-mails? Let’s Encrypt certificates can be used to encrypt all kinds of TLS connections/services. It doesn’t matter if the service is a webserver, an XMPP server or a mail server.

Does your mail.example.com have an Apache VirtualHost? For example, for webmail or something like that. You can only use the --webroot method if you can actually serve files on the hostname in question.


#3

In particular for email there are two quite different types of encryption technology.

One is use of TLS to protect email traffic between computers over the network. This works much the same way as HTTPS which also uses TLS. Let’s Encrypt certificates are good for this purpose & I commend it. If your mail servers are known by different names to the web servers, they will need certificates matching those names.

The other use is S/MIME which encrypts email messages themselves to ensure only the intended recipient can read them. This is less common & Let’s Encrypt certificates are not suitable because they certify DNS names, not email addresses which is a whole separate thing.


#4

Hello Osiris (Pretty nickname)

Thanks for the quick response

If that is possible, yes I would rather just have a new certificate, but I did not know it was possible.
Currently I am looking at cert-cert-name example.org, www.example.org, certbot certonly --cert-name mail.example.org as indicated in the documentation, or with the option certbot certonly --expand --webroot.
But it would be much better to be able to split completely.

I’m in production.

For encryption, I was actually talking about message encryption with key exchange.
For the encryption part I assume that this is obvious if let’s encrypt issues the certificate.


#5

Hello Tialaramex,

Thanks for the response, yes, I was indeed talking about “S/MIME which encrypts email messages themselves”.

But this is not currently mandatory, it was to plan for the future.
So now I’m sure I can offer this option to the client via Let’s Encrypt.
Thank you very much


#6

Not S/MIME you can’t. Only the connections to the mail server through TLS.

That’s perfectly possible. You can actually generate quite a few certificates for a single domain name. See the rate limits page for more info, but 2 certificates is fine.

I would suggest you generate a very simple mail.example.com VirtualHost (i.e.: site) in Apache. It doesn’t actually have to contain any content, as long as it will serve files from /path/to/the/webroot/.well-known/acme-challenge/, just as any site which is used with the --webroot command.
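As an added example (not code from the thread, and not certbot’s or Let’s Encrypt’s own tooling): the setup Osiris describes in #6, a minimal Apache VirtualHost for mail.example.com whose only job is to serve /.well-known/acme-challenge/, followed by a separate certificate request with its own --cert-name. It also includes the check Osiris asks about in #2: before calling certbot, prove that the hostname really serves files from that webroot. The paths (/var/www/mail, the sites-available file name), the hostname, and the use of curl for the check are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example, not from the thread. Gives mail.example.com its own tiny
# Apache site so the --webroot challenge can be served, then requests a
# separate certificate for it. All paths and the hostname are assumptions.
set -eu

# Write a bare VirtualHost that serves the ACME challenge directory from
# the given webroot. Nothing else needs to live under DocumentRoot.
write_mail_vhost() {
  conf="$1"; host="$2"; webroot="$3"
  mkdir -p "$webroot/.well-known/acme-challenge"
  cat > "$conf" <<EOF
<VirtualHost *:80>
    ServerName $host
    DocumentRoot $webroot
    <Directory $webroot/.well-known/acme-challenge>
        Options None
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# Build the certbot command for a separate certificate. --cert-name keeps
# it apart from the existing www/example.com lineage in /etc/letsencrypt/live.
certbot_cmd() {
  host="$1"; webroot="$2"
  printf 'certbot certonly --webroot -w %s -d %s --cert-name %s\n' \
    "$webroot" "$host" "$host"
}

# Pre-flight check: write a throwaway token into the challenge directory and
# fetch it back over plain HTTP on the hostname. If this fails, --webroot will
# fail too. The fetch command is a parameter so it can be swapped out (curl by
# default; an assumption, not something certbot does for you).
webroot_preflight() {
  host="$1"; webroot="$2"; fetch="${3:-curl -fsS}"
  dir="$webroot/.well-known/acme-challenge"
  token="preflight-$$"
  mkdir -p "$dir"
  echo "ok-$token" > "$dir/$token"
  got=$($fetch "http://$host/.well-known/acme-challenge/$token" 2>/dev/null || true)
  rm -f "$dir/$token"
  [ "$got" = "ok-$token" ]
}

# Usage on the server (as root): sh mail-cert.sh run
if [ "${1:-}" = "run" ]; then
  write_mail_vhost /etc/apache2/sites-available/mail.example.com.conf \
    mail.example.com /var/www/mail
  a2ensite mail.example.com.conf
  systemctl reload apache2
  webroot_preflight mail.example.com /var/www/mail
  eval "$(certbot_cmd mail.example.com /var/www/mail)"
fi
```

The pre-flight step is the important part: it answers the question from #2 ("can you actually serve files on the hostname in question?") with evidence rather than assumption, and it fails before any Let’s Encrypt request is made, so a misconfigured vhost does not consume rate-limited failed-validation attempts.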


#7

Thanks to Osiris, and sorry for the error (“can” vs “can not”). Tialaramex’s answer was very explicit; I answered too quickly and forgot the “t”.

I think I’ll try your proposal, in order to split the two.

Thank you again to both of you and all my congratulations to the team of let’s encrypt for their tremendous work.

Cordially
