So far I'm using self-signed certificates, but decided to at least consider getting the "real" one.
So far I noticed that the internal formats of the certificates are a bit different, that is:
- http (nginx) certificate has only CERTIFICATE part (with base64 encoded content) and KEY with also only base64 content
- smtp (exim) crt file contains certificate textual information (issuer, subject, algorithm, dates, and so on), plus CERTIFICATE block with base64 data, while the .key file for exim contains only base64 encoded key
- imap/pop3 (courier) .pem file contains key (base64), certificate info (textual), and certificate itself (base64).
Can I get any "web" certificate from thawte or some company like this, and from this (and key file) generate all formats that I need for nginx, exim4 and courier, or do I need to get separate certificates, or is it something else entirely?
The short answer is that yes, a single certificate can be used for all those services.
The key and certificate can be stored in many formats, and using the openssl tool you can convert your key and certificate to other formats.
The real barrier is whether you can get a certificate that is valid for all the names that you wish to use. For your web you might want to use www.example.com, and for your mail you might want to use mail.example.com. You can get a wildcard or SAN certificate that will cover lots of names, but these cost more. It may be cheaper to get a couple of individual certificates. The prices for different certs are different, so take some time and work out which will be cheaper in your case.
Generally speaking, yes, although it can take a bit of work with various tools to convert the cert into the right format. I've used the same SSL cert with apache, dovecot (imaps) and postfix (for TLS).
openssl (along with simply cat'ing together the cert and key into the same file) has provided what I needed to do that.
Specifics vary, but I'm strongly of the opinion that you can in fact convert a signed ssl cert into whatever format you need, and I'm not aware of any exceptions in the use cases you mention.
We are currently using a wildcard certificate for all our services. As folks already mentioned, all you need is openssl in order to convert it into the formats required by your applications. So far we are using it for Apache httpd, OpenLDAP and mail (Zimbra). We used to buy certificates from Thawte, but for this one we went with GoDaddy - it is way cheaper.
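One way to build the three layouts described in the question (nginx, exim, courier) from a single PEM certificate and key with openssl, as an added shell example that is not from any of the posters; the file names cert.pem/key.pem, the output directory and the output file names are assumptions:

```shell
#!/bin/sh
# Added example: derive the nginx, exim and courier file layouts from one
# PEM certificate and one PEM private key. Assumes openssl is in PATH and
# that cert.pem / key.pem (assumed names) hold the CA-issued cert and its key.
set -eu

# Human-readable dump (issuer, subject, dates, ...) followed by the PEM block,
# the layout the question describes for exim's .crt file.
cert_with_text() {
  openssl x509 -in "$1" -text -noout
  openssl x509 -in "$1"            # re-emits only the PEM CERTIFICATE block
}

# Sanity check: the public key in the key file ($1) must match the one in
# the certificate ($2); both are hashed so the comparison is one string.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

# Write all three layouts into directory $3 from certificate $1 and key $2.
make_bundles() {
  cert=$1; key=$2; out=$3
  key_matches_cert "$key" "$cert" || { echo "key does not match cert" >&2; return 1; }
  mkdir -p "$out"
  # nginx: bare PEM certificate and bare PEM key in separate files
  openssl x509 -in "$cert" > "$out/nginx.crt"
  openssl pkey -in "$key"  > "$out/nginx.key"
  # exim: text dump plus certificate in .crt, key alone in .key
  cert_with_text "$cert"   > "$out/exim.crt"
  openssl pkey -in "$key"  > "$out/exim.key"
  # courier: key, text dump and certificate concatenated into one .pem
  { openssl pkey -in "$key"; cert_with_text "$cert"; } > "$out/courier.pem"
  # every file holding the private key is readable by its owner only
  chmod 600 "$out/nginx.key" "$out/exim.key" "$out/courier.pem"
}

# Usage: sh bundles.sh cert.pem key.pem outdir
if [ "$#" -eq 3 ]; then
  make_bundles "$1" "$2" "$3"
fi
```

If the CA also supplies intermediate certificates, append them after the leaf certificate in the nginx and exim files; this example handles a single certificate only.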