[TriLUG] SSL Certs

Steve Hoffman srhoffman at gmail.com
Fri Oct 22 15:55:42 EDT 2004


> As Tanner already suggested, you don't need two certificates most
> likely, assuming the hostname is the same from the outside.  One
> certificate set to that host name should work fine.  You'll just do the
> set up on one of the boxes, and copy over everything to the other
> machine.

Just to be sure, when everyone says hostname, they mean the host
header and not the machine name, right?  I use hostname/machine name
interchangeably (perhaps incorrectly).

The machines would be node1.domain.com and node2.domain.com, but the
app is at app.domain.com, which each machine will serve (and nothing
else)... the app.domain.com is what everyone is referring to when they
say hostname, right?
 
> Another thing to think about is if the Cisco Local Director can support
> SSL on that box itself. I don't know much about this particular
> equipment, but I understand that some load-balancing hardware can host
> the SSL certificate on the balancer itself, and then forward the HTTP
> requests on to the internal machines.  (In this sense it is acting as a
> reverse proxy server of sorts.)  This off-loads the SSL processing from
> your machines, allowing them to spend more CPU cycles on the actual
> application.  The machines just see "normal" port 80 requests in this
> case.

I've tried time and time again to get the latest software from Cisco
for the LD.  It's since been discontinued, and no matter how hard I try I
can't get the last release of the software (v4); we were willing to
spend the $$, but couldn't find a vendor who could get the product #
Cisco swore I needed.  Anyway, what you suggest would be ideal, but
the version we're currently using doesn't support this, only SSL pass-
through.  Can't have it all...

Thanks for all the comments.  I did talk to Verisign (who are
outrageously overpriced, by the way) and they have a 30-day return policy,
so they said I could buy it, then return it for the Linux equivalent,
but that seems like more trouble than it's worth, so I'll just wait for the
new machines.  I passed that info on to mgmt and they agreed.  So look
for another post when the new machines get here and I'm pulling my
hair out trying to get my cert :-)
 
Steve
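The point made in the quoted reply and the question above (one certificate, issued for the public name app.domain.com and copied to both nodes; the node names node1/node2.domain.com never appear in it), shown as an added example that is not part of this thread. It assumes the names from the post, uses a self-signed certificate as a stand-in for the Verisign-issued one so it runs offline, and the working directory and function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: mint a certificate for the
# public name the load balancer answers to, then check which hostnames it
# actually covers. Assumed names: app.domain.com is the public (Host header)
# name, node1.domain.com / node2.domain.com are the machine names.
set -e

# Scratch directory; the layout is this example's own choice.
WORK="${WORK:-$(mktemp -d)}"

# Self-signed stand-in for the CA-issued certificate. Only the name matching
# matters here, so the CN and the subjectAltName are both the public name.
make_cert() {
    host="$1"
    cat > "$WORK/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
CN = $host
[v3_ext]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -config "$WORK/openssl.cnf" >/dev/null 2>&1
    # With the balancer doing SSL pass-through, every node terminates TLS
    # itself, so the same key/cert pair is copied to each machine.
    cp "$WORK/cert.pem" "$WORK/node1.cert.pem"
    cp "$WORK/cert.pem" "$WORK/node2.cert.pem"
}

# Returns 0 when the certificate is valid for the given hostname, non-zero
# otherwise. The cert is self-signed, so it serves as its own trust anchor.
cert_matches_host() {
    openssl verify -CAfile "$WORK/cert.pem" -verify_hostname "$1" \
        "$WORK/cert.pem" >/dev/null 2>&1
}

make_cert app.domain.com
cert_matches_host app.domain.com   && echo "app.domain.com: OK"
cert_matches_host node1.domain.com || echo "node1.domain.com: mismatch (expected)"
```

The second check is the one that matters for the question above: a browser connecting to https://app.domain.com compares that name against the certificate, never the machine name of whichever node the Local Director happened to pick, so a cert issued for node1.domain.com would fail the same check. Because pass-through leaves the TLS handshake on the nodes, the private key lives on both machines and has to be protected on each; only SSL termination on the balancer would confine it to one box.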


