[TriLUG] [Maybe OT]: SSL certificates

Ryan Leathers ryan.leathers at globalknowledge.com
Thu Sep 4 08:51:30 EDT 2003


Jon,

I for one would love to see anything you have written.

On Wed, 2003-09-03 at 14:47, Jon Carnes wrote:
> I've just set up a client for using his own CA and wrote out the specs in
> a how-to like fashion.  If you want, I'll be happy to share them (with
> the client specifics removed).
> 
> If you are doing DNS round-robin then that is going to be the best way
> of doing SSL - unless you simply use a separate host name for the SSL
> and only have it done on one server.
> 
> When I set this up for a former employer, I used the LVS to front-end
> for several back-end servers, including servers running SSL.  The
> front-end was all one IP Address so we only needed one cert, and then we
> put that cert on each of the back-end boxes.  That was years ago and
> it's still up and running without any problems.  
> 
> The nice thing about using the LVS was that you could maintain state
> (the end-user would end up at the same back-end server as long as they
> made a request before a specific time-out period), but if the server
> went down, they were transparently shuttled to a new server.  
> 
> I don't think you get that with a DNS-round-robin; but it is a simpler
> setup.
> 
> Jon
> 
> On Wed, 2003-09-03 at 13:56, Joseph Tate wrote:
> > ryan wheaton wrote:
> > 
> > > It's only maybe OT cause I'm using apache on linux servers :-)
> > >
> > > but...  i'm new to SSL certificates, and was wondering if there was a 
> > > way to get a site wide SSL certificate instead of having one per 
> > > machine.  We're going to have a web server environment with multiple 
> > > servers behind a load balancer, and we don't want our customers to 
> > > have to accept a certificate 4 or 5 times depending on which machine 
> > > they hit on that particular occasion.
> > > i was thinking that I could just do a DNS round robin set up as a 
> > > "load balancer" so that the user hits the same machine every time they 
> > > go to the site, that way we can have one certificate per machine and 
> > > our users will only have to accept it once.
> > > any idears on this?
> > >
> > > -ryan
> > >
> > I think that's the way to go.  There is such a thing as a wildcard 
> > certificate, but they're still sold on a per machine basis.  If you're 
> > not going to go through Verisign or Thawte or Geotrust or any of the 
> > other certifiers, you could sign all your keys using a self-signed CA 
> > certificate, and have all your users import that CA certificate.  I.e. 
> > all my users go to http://www.dragonstrider.com/security/cacert.pem and
> > import the CA required to trust the certificates on  
> > https://www.dragonstrider.com as well as to use IMAPS or POP3S services, 
> > though those services use separate certificates.
> > 
> > The openssl docs can help you on the exact sequence and commands required.
> > 
> > Joseph
-- 
Ryan Leathers <ryan.leathers at globalknowledge.com>
Global Knowledge
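The private-CA approach Joseph describes (one CA certificate that users import, server certificates signed by it) and Jon's single-hostname-behind-the-balancer setup, worked through with OpenSSL as an added example; this is not code from the thread or from any poster. The hostnames, file locations and validity periods are assumed values chosen for illustration, and the script writes everything to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a private CA with
# OpenSSL, issues one server certificate for the shared public hostname, and
# verifies it the way a client would, so the one key pair can be copied to
# every back-end server. Hostnames, paths and lifetimes are assumed values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SITE=www.example.com          # the single name users type; assumed

# Minimal req config so the commands do not depend on a system openssl.cnf.
# The subject comes from -subj, so the DN section can stay empty.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# 1. The CA: a private key plus a self-signed CA certificate. cacert.pem is
#    the file users import; ca.key stays offline and is never copied.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -config "$WORK/req.cnf" -x509 -new -key "$WORK/ca.key" \
        -days 3650 -subj "/CN=Example Private CA" -out "$WORK/cacert.pem"
}

# 2. A server certificate for $1: key, CSR, then CA signature. The
#    subjectAltName extension is what current clients match the hostname
#    against; a CN-only certificate is rejected by modern browsers.
issue_server_cert() {
    host=$1
    openssl genrsa -out "$WORK/$host.key" 2048 2>/dev/null
    openssl req -config "$WORK/req.cnf" -new -key "$WORK/$host.key" \
        -subj "/CN=$host" -out "$WORK/$host.csr"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$WORK/$host.ext"
    openssl x509 -req -in "$WORK/$host.csr" -days 365 \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# 3. Client-side check: chain to the CA and hostname match. Prints ok/fail.
#    $1 is the name the client connected to, $2 the certificate's hostname.
verify_server_cert() {
    if openssl verify -CAfile "$WORK/cacert.pem" -verify_hostname "$1" \
           "$WORK/$2.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca
issue_server_cert "$SITE"
issue_server_cert backend3.example.com   # a per-machine cert, for contrast

# The shared cert is accepted for the public name; a cert the same CA issued
# for an individual back-end name is not, which is exactly the prompt the
# original poster wants to avoid.
SITE_RESULT=$(verify_server_cert "$SITE" "$SITE")                     # ok
PER_HOST_RESULT=$(verify_server_cert "$SITE" backend3.example.com)    # fail
echo "shared cert for $SITE: $SITE_RESULT, per-host cert: $PER_HOST_RESULT"
```

Two caveats a practitioner would want alongside this. Copying one private key to every back-end (Jon's approach) means that a compromise of any one of those machines exposes the key for the whole site, so the back-ends need the same hardening as the balancer, or the TLS endpoint should stay on the front-end only. And the CA certificate users import has to reach them over a channel they already trust (a pre-installed file, a page already served under a trusted certificate, or an out-of-band fingerprint check), because whoever can hand a user a CA certificate can impersonate every site that user trusts it for.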