I just finished moving all my domains to https (thanks a lot let’s encrypt) and as everything goes well I would like to go further with a certificate for mail.
Currently I have used certbot certonly --webroot -w /var/www/example/ -d www.example.com -d example.com
That depends. Do you want a separate, new certificate, just for mail.example.com?
What do you mean with "data"? E-mails? Let's Encrypt certificates can be used to encrypt all kinds of TLS connections/services. It doesn't matter if the service is a webserver, a XMPP server or a mail server.
Does your mail.example.com have an Apache VirtualHost? For example, for webmail or something like that. You can only use the --webroot method if you can actually serve files on the hostname in question.
In particular for email there are two quite different types of encryption technology.
One is use of TLS to protect email traffic between computers over the network. This works much the same way as HTTPS which also uses TLS. Let’s Encrypt certificates are good for this purpose & I commend it. If your mail servers are known by different names to the web servers, they will need certificates matching those names.
The other use is S/MIME which encrypts email messages themselves to ensure only the intended recipient can read them. This is less common & Let’s Encrypt certificates are not suitable because they certify DNS names, not email addresses which is a whole separate thing.
If that is possible, yes I would rather just have a new certificate, but I did not know it was possible.
Currently I am looking at --cert-name example.org, www.example.org, certbot certonly --cert-name mail.example.org as indicated in the documentation, or with the option certbot certonly --expand --webroot.
But it would be much better to be able to split completely.
I’m in production.
For encryption, I was actually talking about message encryption with key exchange.
For the encryption part I assume that this is obvious if let’s encrypt issues the certificate.
Thanks for the response, yes I was indeed talking about “S/MIME which encrypts email messages themselves”.
But this is not currently mandatory; it was to plan for the future.
So now I’m sure I can offer this option to the client via let’s encrypt.
thank you very much
Not S/MIME you can't. Only the connections to the mail server through TLS.
That's perfectly possible. You can actually generate quite a few certificates for a single domain name. See the rate limits page for more info, but 2 certificates is fine.
I would suggest you generate a very simple mail.example.com VirtualHost (i.e.: site) in Apache. It doesn't actually have to contain any content, as long as it will serve files from /path/to/the/webroot/.well-known/acme-challenge/, just as any site which is used with the --webroot command.
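A minimal VirtualHost of the kind suggested above, together with the matching certbot invocation using --cert-name so the mail certificate is kept separate from the existing web one. This is an added example, not configuration from the thread or from the Let's Encrypt project; the file path, the webroot /var/www/mail and the mail.example.com hostname are assumptions.

```apache
# /etc/apache2/sites-available/mail.example.com.conf (path assumed)
# Plain-HTTP host whose only job is to answer ACME http-01 challenges
# for mail.example.com; the mail services themselves are not touched.
<VirtualHost *:80>
    ServerName mail.example.com
    DocumentRoot /var/www/mail

    # Nothing else is served from this host...
    <Directory /var/www/mail>
        Options None
        AllowOverride None
        Require all denied
    </Directory>

    # ...except the challenge tokens certbot drops here with
    # "--webroot -w /var/www/mail" (more specific <Directory> wins).
    <Directory /var/www/mail/.well-known/acme-challenge>
        Require all granted
    </Directory>
</VirtualHost>

# Request a separate certificate under its own lineage name, so the
# existing www.example.com / example.com certificate is left untouched:
#   certbot certonly --webroot -w /var/www/mail -d mail.example.com \
#       --cert-name mail.example.com
# The mail server's TLS settings then point at
#   /etc/letsencrypt/live/mail.example.com/fullchain.pem and privkey.pem
```

If the host later gains a blanket redirect to HTTPS, exempt /.well-known/acme-challenge/ from it, or renewals will fail.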