[TriLUG] [Maybe OT]: SSL certificates
Jon Carnes
jonc at nc.rr.com
Wed Sep 3 14:47:16 EDT 2003
I've just set up a client for using his own CA and wrote out the specs in
a how-to-like fashion. If you want, I'll be happy to share them (with
the client specifics removed).
If you are doing DNS round-robin then that is going to be the best way
of doing SSL - unless you simply use a separate host name for the SSL
and only have it done on one server.
When I set this up for a former employer, I used the LVS to front-end
for several back-end servers, including servers running SSL. The
front-end was all one IP Address so we only needed one cert, and then we
put that cert on each of the back-end boxes. That was years ago and
it's still up and running without any problems.
The nice thing about using the LVS was that you could maintain state
(the end-user would end up at the same back-end server as long as they
made a request before a specific time-out period), but if the server
went down, they were transparently shuttled to a new server.
I don't think you get that with a DNS-round-robin; but it is a simpler
setup.
Jon
On Wed, 2003-09-03 at 13:56, Joseph Tate wrote:
> ryan wheaton wrote:
>
> > It's only maybe OT cause I'm using apache on linux servers :-)
> >
> > but... I'm new to SSL certificates, and was wondering if there was a
> > way to get a site wide SSL certificate instead of having one per
> > machine. We're going to have a web server environment with multiple
> > servers behind a load balancer, and we don't want our customers to
> > have to accept a certificate 4 or 5 times depending on which machine
> > they hit on that particular occasion.
> > I was thinking that I could just do a DNS round-robin setup as a
> > "load balancer" so that the user hit the same machine every time they
> > go to the site, that way we can have one certificate per machine and
> > our users will only have to accept it once.
> > any idears on this?
> >
> > -ryan
> >
> I think that's the way to go. There is such a thing as a wildcard
> certificate, but they're still sold on a per machine basis. If you're
> not going to go through Verisign or Thawte or Geotrust or any of the
> other certifiers, you could sign all your keys using a self signed CA
> certificate, and have all your users import that CA certificate. I.e.
> all my users go to http://www.dragonstrider.com/security/cacert.pem
> import the CA required to trust the certificates on
> https://www.dragonstrider.com as well as to use IMAPS or POP3S services
> though those services use separate certificates.
>
> The openssl docs can help you on the exact sequence and commands required.
>
> Joseph
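The following is an added example, not code from either poster, showing the two approaches discussed in this thread with plain openssl commands: a private CA whose certificate users import once (Joseph's cacert.pem approach), and a single server certificate issued for the shared host name and copied unchanged to every back end behind the balancer (Jon's LVS approach). The host name www.example.com, the CA name, the back-end names web1..web3 and the temporary working directory are all assumptions; the script uses only openssl and standard POSIX utilities.

```shell
#!/bin/sh
# Added example (not from the thread): one private CA, one server cert for the
# shared site name, deployed identically to every back end. All names are assumed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SITE="www.example.com"   # assumed: the name users type, i.e. the balancer's public name

make_ca() {
  # Self-signed CA. ca.pem is the one file users import; ca.key never leaves the CA host.
  cat > "$WORKDIR/ca.ext" <<EOF
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.csr" \
    -subj "/CN=Example Private CA" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" \
    -days 3650 -sha256 -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.pem" 2>/dev/null
}

issue_server_cert() {
  # One key pair and CSR for the shared name; the CA signs it with a SAN, which is
  # what clients actually match against (CN alone is no longer trusted by browsers).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/site.key" -out "$WORKDIR/site.csr" -subj "/CN=$SITE" 2>/dev/null
  cat > "$WORKDIR/site.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SITE
EOF
  openssl x509 -req -in "$WORKDIR/site.csr" -CA "$WORKDIR/ca.pem" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORKDIR/site.ext" \
    -out "$WORKDIR/site.pem" 2>/dev/null
}

deploy_to_backends() {
  # Same cert and key on every back end: whichever server the balancer picks,
  # the client sees one identity and only ever has to trust ca.pem once.
  for b in "$@"; do
    mkdir -p "$WORKDIR/$b"
    cp "$WORKDIR/site.pem" "$WORKDIR/site.key" "$WORKDIR/$b/"
  done
}

verify_chain() {
  # The check a client with ca.pem imported performs: does site.pem chain to the CA?
  openssl verify -CAfile "$WORKDIR/ca.pem" "$WORKDIR/site.pem" >/dev/null 2>&1
}

cert_matches_host() {
  # Host-name check against the SAN. Exit 0 only when the name matches.
  openssl x509 -in "$WORKDIR/site.pem" -noout -checkhost "$1" 2>/dev/null | grep -q ' does match '
}

cert_san() {
  # Print the subjectAltName line, e.g. "DNS:www.example.com".
  openssl x509 -in "$WORKDIR/site.pem" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

cert_fingerprint() {
  # SHA-256 fingerprint of a certificate file; identical across back ends if the copy is correct.
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

make_ca
issue_server_cert
deploy_to_backends web1 web2 web3
verify_chain && echo "chain OK; publish $WORKDIR/ca.pem for users, copy site.pem/site.key to each back end"
```

Two practical points the commands make visible. First, the private key for the shared certificate must be copied to every back end along with the certificate, so every one of those hosts becomes a place that key can be stolen from; terminating TLS only on the balancer, as Jon's setup does, confines the key to one box. Second, a certificate issued for the balancer's public name will fail `-checkhost` for the back ends' own internal names, so health checks or administration that talk to a back end directly by its real name need their own certificate or must expect that mismatch.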