[TriLUG] [Maybe OT]: SSL certificates

Ken Mink kmtrilug at nc.rr.com
Thu Sep 4 13:12:28 EDT 2003


I'd like to second Jon's vote for LVS. At a former employer, we used a
setup identical to the one Jon described. We obtained one certificate
for the IP address we exposed in LVS and then installed it on all the
web servers behind it. It worked fine. It is no longer in use as the
company was bought and the new owners were a M$ shop. I did not go to
the new company.

Ken

On Wed, 2003-09-03 at 14:47, Jon Carnes wrote:
> I've just set up a client for using his own CA and wrote out the specs in
> a how-to like fashion.  If you want, I'll be happy to share them (with
> the client specifics removed).
> 
> If you are doing DNS round-robin then that is going to be the best way
> of doing SSL - unless you simply use a separate host name for the SSL
> and only have it done on one server.
> 
> When I set this up for a former employer, I used the LVS to front-end
> for several back-end servers, including servers running SSL.  The
> front-end was all one IP Address so we only needed one cert, and then we
> put that cert on each of the back-end boxes.  That was years ago and
> it's still up and running without any problems.  
> 
> The nice thing about using the LVS was that you could maintain state
> (the end-user would end up at the same back-end server as long as they
> made a request before a specific time-out period), but if the server
> went down, they were transparently shuttled to a new server.  
> 
> I don't think you get that with a DNS-round-robin; but it is a simpler
> setup.
> 
> Jon
> 
> On Wed, 2003-09-03 at 13:56, Joseph Tate wrote:
> > ryan wheaton wrote:
> > 
> > > It's only maybe OT cause I'm using apache on linux servers :-)
> > >
> > > but...  I'm new to SSL certificates, and was wondering if there was a 
> > > way to get a site wide SSL certificate instead of having one per 
> > > machine.  We're going to have a web server environment with multiple 
> > > servers behind a load balancer, and we don't want our customers to 
> > > have to accept a certificate 4 or 5 times depending on which machine 
> > > they hit on that particular occasion.
> > > I was thinking that I could just do a DNS round robin set up as a 
> > > "load balancer" so that the user hits the same machine every time they 
> > > go to the site, that way we can have one certificate per machine and 
> > > our users will only have to accept it once.
> > > any idears on this?
> > >
> > > -ryan
> > >
> > I think that's the way to go.  There is such a thing as a wild card 
> > certificate, but they're still sold on a per machine basis.  If you're 
> > not going to go through Verisign or Thawte or Geotrust or any of the 
> > other certifiers, you could sign all your keys using a self-signed CA 
> > certificate, and have all your users import that CA certificate.  I.e. 
> > all my users go to http://www.dragonstrider.com/security/cacert.pem to
> > import the CA required to trust the certificates on 
> > https://www.dragonstrider.com as well as to use IMAPS or POP3S services, 
> > though those services use separate certificates.
> > 
> > The openssl docs can help you on the exact sequence and commands required.
> > 
> > Joseph
-- 
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."--Benjamin Franklin
" 'Necessity' is the plea for every infringement of human liberty; it
is the argument of tyrants; it is the creed of slaves."--William Pitt 

