[TriLUG] SSL Certs

Tanner Lovelace clubjuggler at gmail.com
Fri Oct 22 14:55:53 EDT 2004


On Fri, 22 Oct 2004 14:29:06 -0400, Steve Hoffman <srhoffman at gmail.com> wrote:
> Ok, I don't claim to be any security expert, and it will probably show
> in this message, please keep the teasing to a minimum <but feel free
> to tease!>

Twist our arms. :-P
 
> I've never done a truly official SSL site, I've always generated a
> self signed cert for personal use.  Well I now need to BUY a cert for
> our web-app, sounds easy right?  Gets better.

Not too hard at least.

> First of all, the app servers are currently windows (I know..), but
> they'll be replaced in a month or two with two brand spanking new Dell
> poweredge 1750, RHEL3 boxes running jboss, and being load balanced by
> a Cisco Local Director.
> 
> I already figured we'd need a wildcard cert because of the load
> balancing and two machines serving the same webaddress, (is this a
> correct assumption?), but if I buy the certs now won't I just have to
> re-purchase new ones for the Linux boxes?  I guess what I'm asking is
> are the certificates OS independent, one version for win and another
> for lin?

Excellent question, Steve.  To answer your last question first, yes,
SSL certificates are (afaik) OS independent.  You should be able
to use the same certificate on either windows or linux.  The way you
install and use the certificate will be different, but the certificate itself
should be the same.

You mention needing a wildcard certificate.  I don't think you do.
Will both machines be responding to the same hostname?  If so,
then you're golden.  Certificates are issued by hostname and have
no IP addresses associated with them.  As long as the user is going
to a particular name (for instance www.trilug.org) and the SSL 
certificate responds with that hostname (www.trilug.org) everything
is good.  It doesn't matter which machine responds or what IP
address it responds from, just as long as those two pieces of 
information match.

Now, you didn't ask this, but I'll throw it out anyway.  I'm in the
same boat you are having done self-signed certificates for many
years and now looking into getting a non-self-signed cert.  I'm
looking at getting one at http://www.freessl.com/.  Their certificates
work in any modern browser (i.e. not in Netscape 4.x or IE 4.x)
and are very reasonably priced.  They'll also give you a 30 day
certificate for free so you can test your setup.  I have no affiliation
with them except that I got one of the free 30 day certs from them
this week.

Good luck,
Tanner
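The name-matching rule Tanner describes (the browser compares the hostname it asked for against the name in the certificate, and the serving machine's IP never enters into it), worked through as an added example that is not part of the list post. The `Cert` class, the two backend addresses and the names are constructed stand-ins; the matching follows the usual X.509 rules: SAN dNSName entries first, subject CN as fallback, case-insensitive, wildcard allowed only as the whole leftmost label.

```python
"""Constructed example: two load-balanced servers at different IPs present the
same certificate for www.trilug.org; a client checks only the hostname."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Stand-in for the name fields of an X.509 certificate (constructed)."""
    common_name: str
    san_dns: list[str] = field(default_factory=list)

    def dns_names(self) -> list[str]:
        # SAN dNSName entries take precedence; CN is only a fallback.
        return self.san_dns if self.san_dns else [self.common_name]


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if "*" in p_labels[1:]:
        return False  # wildcard permitted only in the leftmost label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False  # refuse over-broad "*.org" style wildcards
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_matches_host(cert: Cert, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert.dns_names())


# Constructed scenario: one plain (non-wildcard) cert, installed on both boxes.
SITE_CERT = Cert(common_name="www.trilug.org", san_dns=["www.trilug.org"])
BACKENDS = {"10.0.0.11": SITE_CERT, "10.0.0.12": SITE_CERT}  # hypothetical IPs


def check_backends(hostname: str) -> dict[str, bool]:
    """Which backend IPs present a certificate valid for the requested name."""
    return {ip: cert_matches_host(c, hostname) for ip, c in BACKENDS.items()}


if __name__ == "__main__":
    print(check_backends("www.trilug.org"))  # both True: the IP plays no role
```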
