[TriLUG] [Maybe OT]: SSL certificates

Joseph Tate jtate at dragonstrider.com
Wed Sep 3 13:56:02 EDT 2003


ryan wheaton wrote:

> It's only maybe OT cause I'm using apache on linux servers :-)
>
> but... I'm new to SSL certificates, and was wondering if there was a 
> way to get a site wide SSL certificate instead of having one per 
> machine.  We're going to have a web server environment with multiple 
> servers behind a load balancer, and we don't want our customers to 
> have to accept a certificate 4 or 5 times depending on which machine 
> they hit on that particular occasion.
> I was thinking that I could just do a DNS round robin set up as a 
> "load balancer" so that the user hit the same machine every time they 
> go to the site, that way we can have one certificate per machine and 
> our users will only have to accept it once.
> any idears on this?
>
> -ryan
>
I think that's the way to go.  There is such a thing as a wildcard 
certificate, but they're still sold on a per-machine basis.  If you're 
not going to go through Verisign or Thawte or Geotrust or any of the 
other certifiers, you could sign all your keys using a self-signed CA 
certificate, and have all your users import that CA certificate.  I.e., 
all my users go to http://www.dragonstrider.com/security/cacert.pem and 
import the CA required to trust the certificates on 
https://www.dragonstrider.com, as well as to use the IMAPS or POP3S services, 
though those services use separate certificates.

The openssl docs can help you on the exact sequence and commands required.

Joseph
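
The sequence Joseph describes (a self-signed private CA, a CA-signed certificate for each server behind the balancer, and customers importing the CA file once), as an added shell example that is not part of this thread. The site name, CA names, file names and work directory are constructed for the example; it needs only the openssl command-line tool.

```shell
#!/bin/sh
# Private CA for a load-balanced site: one self-signed CA (the file customers
# import once), one CA-signed certificate per backend, all for the same name.
# Host names, file names and the work directory are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SITE="www.example.test"   # the single name customers type; not a real host

make_ca() {
    # $1 = CA name. Self-signed root; "$WORK/$1.pem" is what users import
    # (Joseph's cacert.pem). -nodes leaves the key unencrypted for the demo.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
}

issue_server_cert() {
    # $1 = CA name, $2 = backend name. Each backend keeps its own key; the
    # CA signs a CSR whose subject and SAN are the shared site name.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
        -subj "/CN=$SITE" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$SITE" >"$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -days 365 \
        -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

client_accepts() {
    # $1 = CA the client trusts, $2 = backend. The same two checks a browser
    # makes: the chain ends at a trusted root and the name matches.
    openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$SITE" \
        "$WORK/$2.crt" >/dev/null 2>&1
}

# Build the CA, issue certs for two backends behind the balancer, and a
# second, unrelated CA standing in for a client that never imported ours.
make_ca trilug-ca
make_ca stranger-ca
issue_server_cert trilug-ca web1
issue_server_cert trilug-ca web2

for host in web1 web2; do
    if client_accepts trilug-ca "$host"; then echo "$host: trusted via trilug-ca"; fi
    if ! client_accepts stranger-ca "$host"; then echo "$host: rejected, CA not imported"; fi
done
```

Because every backend's certificate carries the same site name and chains to the one CA, a customer who imports trilug-ca.pem once is not prompted again no matter which machine the balancer or DNS round robin sends them to.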
