LINUX.IE, website of the Irish Linux Users' Group

[ILUG] Re: summary ? - SSL certs on clusters

Colm Buckley colm at tuatha.org
Fri Jan 9 15:25:31 GMT 2004


> Thanks all, so in summary, is this correct?
>
> 1) Technically, as long as the requested FQDN is the same, 1+ servers
> can use the same cert.
>
> 2) Some of the certificate providers require you to purchase a separate
> cert for each physical machine. Who are the non-greedy providers?

Not quite; you only buy one cert, as with (1), but you buy additional 
"server licenses" for that certificate.  These are usually cheaper than 
full certificates.

> Using 2) I need to purchase 3 certs using server1.mydomain.com,
> server2.mydomain.com, serverN.mydomain.com as FQDNs.

No, you buy a cert for www.mydomain.com, and copy it to all N servers.

> If I have multiple sites on serverN.mydomain.com, in addition to
> mydomain.com, and am using host headers, does that cause any problems?

You cannot use 'name virtual sites' (host headers) with HTTPS; the 
reason being that the certificates are exchanged and verified *before* 
the HTTP request is sent.  You associate each SSL certificate with a 
unique IP address (well, a unique IP/port combination, but we're almost 
always talking port 443 here).

If you want to host multiple SSL sites on the same server, they each 
need a unique external IP address.  A common solution is to have a 
unique external IP address for each SSL site, but mapped to different 
ports on the internal systems behind the LB - eg:

site1.mydomain.com:443 -> server{1..N}.internal.mydomain.com:9000
site2.mydomain.com:443 -> server{1..N}.internal.mydomain.com:9001
site3.mydomain.com:443 -> server{1..N}.internal.mydomain.com:9002

... and you associate the SSL cert for site1 with port 9000 on the 
internal machines, site2 with port 9001, and so on.  This avoids having 
to allocate internal IP addresses for each site * each server.

Non-greedy providers...  hum.  I don't think Geotrust charge a 
per-server fee, and they're way cheaper than Verisign in any case.  
Their verification isn't as strong as Verisign's, though - they still 
provide secure communications, but they don't check as rigorously as 
Verisign that you are who you claim to be.

	Colm

-- 
Colm Buckley / colm at tuatha.org / +353 87 2469146 / www.colm.buckley.name
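The layout Colm describes (one cert per site FQDN copied to every backend, one external IP:443 per SSL site, each site on its own internal port) as an added worked example; this is not code from the post or from ILUG, and it assumes, as the post does, that the load balancer cannot tell sites apart by name before the TLS handshake (no SNI). The `cert_covers` check also generalises the "same FQDN" rule to single-label wildcard certs, and all names and addresses below are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Site:
    fqdn: str         # name clients request, e.g. www.mydomain.com
    cert_cn: str      # subject name of the cert installed for the site
    external_ip: str  # load-balancer address the site is published on

def cert_covers(cert_cn: str, fqdn: str) -> bool:
    """Exact match, or a wildcard (*.example.com) covering exactly one label."""
    cert_cn, fqdn = cert_cn.lower().rstrip("."), fqdn.lower().rstrip(".")
    if cert_cn == fqdn:
        return True
    if cert_cn.startswith("*.") and "." in fqdn:
        return fqdn.split(".", 1)[1] == cert_cn[2:]
    return False

def plan_layout(sites, backends, base_port=9000):
    """Return (layout, problems): layout is {fqdn: ("ip:443", ["host:port", ...])};
    problems lists sites whose cert does not match their FQDN, or that would
    share an external ip:443 with another site (indistinguishable without SNI)."""
    layout, problems, owner = {}, [], {}
    for offset, site in enumerate(sites):
        endpoint = f"{site.external_ip}:443"
        if not cert_covers(site.cert_cn, site.fqdn):
            problems.append(f"{site.fqdn}: cert for {site.cert_cn} does not cover it")
        elif endpoint in owner:
            problems.append(f"{site.fqdn}: shares {endpoint} with {owner[endpoint]}")
        else:
            owner[endpoint] = site.fqdn
            port = base_port + offset  # same internal port on every backend
            layout[site.fqdn] = (endpoint, [f"{b}:{port}" for b in backends])
    return layout, problems

# Constructed sample in the post's site1..3 / server1..N naming; the IPs are
# documentation-range placeholders, not real hosts.
SAMPLE_SITES = [
    Site("site1.mydomain.com", "site1.mydomain.com", "192.0.2.1"),
    Site("site2.mydomain.com", "*.mydomain.com", "192.0.2.2"),
    Site("site3.mydomain.com", "site3.mydomain.com", "192.0.2.3"),
    Site("site4.mydomain.com", "site4.mydomain.com", "192.0.2.1"),  # clashes with site1
]
SAMPLE_BACKENDS = [f"server{i}.internal.mydomain.com" for i in (1, 2, 3)]

if __name__ == "__main__":
    layout, problems = plan_layout(SAMPLE_SITES, SAMPLE_BACKENDS)
    for fqdn, (ext, internal) in layout.items():
        print(f"{fqdn}:443 on {ext} -> {', '.join(internal)}")
    for p in problems:
        print("problem:", p)
```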



