Change to support SSL-cert per domain & add sha256 certs

Open taoeffect opened this issue 9 years ago • 6 comments

Currently Sovereign/Empress only support one wildcard cert for a single domain.

We should instead support one wildcard cert per domain. A single server can have multiple domains that it's managing email for, and each of those will have a different domain.

Obviously, we should also do SHA256 hashes.

Here's how to do a self-signed wildcard cert w/sha256:

1. Copy one of these files:

```
/usr/lib/ssl/openssl.cnf
/usr/share/doc/dovecot-core/dovecot/dovecot-openssl.cnf
/usr/share/dovecot/openssl.cnf
```

Edit: some research needs to be done to decide which one.

2. Make sure it has the following sections in it

```
[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]

DNS.1 = {{ domain }}
DNS.2 = mail.{{ domain }}
```

EDIT: An alternative is to include all the domains as alt_names, and use a single SSL cert...

3. Create self-signed wildcard cert for the domain

```
# openssl genrsa 2048 > {{ domain }}.key
# openssl req -new -out {{ domain }}.csr -key ./{{ domain }}.key -config ../openssl.cnf -sha256
# openssl x509 -req -days 1460 -in {{ domain }}.csr -signkey ./{{ domain }}.key -sha256 -out {{ domain }}-wildcard-ss.pem -extensions v3_req -extfile openssl.cnf
# openssl x509 -fingerprint -text -noout < {{ domain }}-wildcard-ss.pem > {{ domain }}-wildcard-ss.pem.info
```

For StartSSL signed certs

If they go with StartSSL, they do something similar to the above, except after generating the CSR they give it to StartSSL and then download their public cert, plus StartSSL's intermediate cert, and then do:

```
# cat {{ domain }}.pem sub.class1.server.ca.pem > {{ domain }}-unified.crt
# openssl x509 -fingerprint -text -noout < {{ domain }}-unified.crt > {{ domain }}-unified.crt.info
```

taoeffect avatar Nov 08 '14 20:11 taoeffect

Note also that StartSSL supports only one free subdomain per domain per certificate; however, they do not restrict the number of certs you create, so it's effectively a free wildcard if you're willing to go through the steps above for each subdomain you want.

taoeffect avatar Nov 08 '14 20:11 taoeffect

Am reading the following:

  • http://www.postfix.org/TLS_README.html (see especially the "Secure server certificate verification" section)
  • https://serverfault.com/questions/583739/startssl-com-ssl-class2-certificate-and-postfix

It's looking like this might have to be done completely through the alt_names, but I could use an extra set of eyes/brains.

taoeffect avatar Nov 08 '14 20:11 taoeffect

In that first link they say that Postfix doesn't support SNI. We'll need to evaluate whether the workaround they mention is acceptable. If it's not we will have to ditch Postfix.

taoeffect avatar Nov 08 '14 21:11 taoeffect

Err, OK, skimming it a bit more closely, that stuff is only relevant when you're actually doing TLS authentication, which our current level (may) does not do.

At the verify and secure levels, things get more hairy, and that's where this multiple-domains SNI stuff might become an issue.

taoeffect avatar Nov 08 '14 23:11 taoeffect

@PiPeep points out that MTAs don't verify certs right now anyway, and that going to a CA is pretty much unacceptable from a usability standpoint, so we should probably just stick to a wildcard cert for this.

Am tempted to close the issue.

taoeffect avatar Nov 14 '14 22:11 taoeffect

With having to support multiple email domains, @PiPeep rightly, and painfully, observes that it actually seems like the "correct" route to generate one self-signed cert for all the domains on the box, and the CN (common name) doesn't matter.

taoeffect avatar Nov 14 '14 22:11 taoeffect
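
The procedure from the opening post, combined with the conclusion in the last comment (one self-signed SHA-256 cert whose alt_names cover every mail domain on the box), as an added example that is not part of the original issue or of Sovereign/Empress. The function names, the output file names and the `CN = mailserver` value are assumptions made for illustration.

```sh
# Added example, not from the issue. CN and file names are assumptions.

# Print an OpenSSL config whose [ alt_names ] lists <domain> and mail.<domain>
# for every argument, reusing the v3_req section shown in the issue.
make_san_cnf() {
  cat <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = mailserver

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
EOF
  i=1
  for d in "$@"; do
    printf 'DNS.%d = %s\nDNS.%d = mail.%s\n' "$i" "$d" "$((i + 1))" "$d"
    i=$((i + 2))
  done
}

# make_cert OUTDIR DOMAIN...: writes OUTDIR/mail.key (mode 0600) and mail.pem
make_cert() {
  out=$1; shift
  make_san_cnf "$@" > "$out/openssl.cnf" &&
  ( umask 077 && openssl genrsa -out "$out/mail.key" 2048 2>/dev/null ) &&
  openssl req -new -sha256 -key "$out/mail.key" \
    -config "$out/openssl.cnf" -out "$out/mail.csr" &&
  openssl x509 -req -days 1460 -sha256 -in "$out/mail.csr" \
    -signkey "$out/mail.key" -extensions v3_req \
    -extfile "$out/openssl.cnf" -out "$out/mail.pem" 2>/dev/null
}

# check_cert PEM HOST...: fail unless SHA-256 signed with a SAN for each HOST
check_cert() {
  pem=$1; shift
  text=$(openssl x509 -in "$pem" -noout -text) || return 1
  echo "$text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
  sans=$(echo "$text" | grep 'DNS:' | tr -d ' ')
  for d in "$@"; do
    case ",$sans," in *",DNS:$d,"*) ;; *) return 1 ;; esac
  done
}
```

Typical use is `make_cert /some/dir example.org example.net` followed by `check_cert /some/dir/mail.pem mail.example.org mail.example.net`, so a missing SAN or a non-SHA-256 signature is caught before the cert is deployed.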