[TriLUG] [Maybe OT]: SSL certificates

ryan wheaton ryan.wheaton at comcast.net
Thu Sep 4 13:53:22 EDT 2003


Thanks for all the responses.  Looks like LVS is probably what we're 
going to do.  The documentation on the LVS website looks pretty good 
too, but Jon, if you'd like to hand over your notes, I'm sure those 
would be helpful as well :-)

-ryan

Ken Mink wrote:

>I'd like to second Jon's vote for LVS. At a former employer, we used a
>setup identical to the one Jon described. We obtained one certificate
>for the IP address we exposed in LVS and then installed it on all the
>web servers behind it. It worked fine. It is no longer in use as the
>company was bought and the new owners were a M$ shop. I did not go to
>the new company.
>
>Ken
>
>On Wed, 2003-09-03 at 14:47, Jon Carnes wrote:
>  
>
>>I've just set up a client for using his own CA and wrote out the specs in
>>a how-to like fashion.  If you want, I'll be happy to share them (with
>>the client specifics removed).
>>
>>If you are doing DNS round-robin then that is going to be the best way
>>of doing SSL - unless you simply use a separate host name for the SSL
>>and only have it done on one server.
>>
>>When I set this up for a former employer, I used the LVS to front-end
>>for several back-end servers, including servers running SSL.  The
>>front-end was all one IP Address so we only needed one cert, and then we
>>put that cert on each of the back-end boxes.  That was years ago and
>>it's still up and running without any problems.  
>>
>>The nice thing about using the LVS was that you could maintain state
>>(the end-user would end up at the same back-end server as long as they
>>made a request before a specific time-out period), but if the server
>>went down, they were transparently shuttled to a new server.  
>>
>>I don't think you get that with a DNS-round-robin; but it is a simpler
>>setup.
>>
>>Jon
>>
>>On Wed, 2003-09-03 at 13:56, Joseph Tate wrote:
>>    
>>
>>>ryan wheaton wrote:
>>>
>>>      
>>>
>>>>It's only maybe OT cause I'm using apache on linux servers :-)
>>>>
>>>>but...  i'm new to SSL certificates, and was wondering if there was a 
>>>>way to get a site wide SSL certificate instead of having one per 
>>>>machine.  We're going to have a web server environment with multiple 
>>>>servers behind a load balancer, and we don't want our customers to 
>>>>have to accept a certificate 4 or 5 times depending on which machine 
>>>>they hit on that particular occasion.
>>>>i was thinking that I could just do a DNS round robin set up as a 
>>>>"load balancer" so that the user hit the same machine every time they 
>>>>go to the site, that way we can have one certificate per machine and 
>>>>our users will only have to accept it once.
>>>>any idears on this?
>>>>
>>>>-ryan
>>>>
>>>>        
>>>>
>>>I think that's the way to go.  There is such a thing as a wild card 
>>>certificate, but they're still sold on a per machine basis.  If you're 
>>>not going to go through Verisign or Thawte or Geotrust or any of the 
>>>other certifiers, you could sign all your keys using a self signed CA 
>>>certificate, and have all your users import that CA certificate.  I.e. 
>>>all my users go to http://www.dragonstrider.com/security/cacert.pem
>>>import the CA required to trust the certificates on  
>>>https://www.dragonstrider.com as well as to use IMAPS or POP3S services 
>>>though those services use separate certificates.
>>>
>>>The openssl docs can help you on the exact sequence and commands required.
>>>
>>>Joseph
>>>      
>>>
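As an added example, not code from the thread: the private-CA route Joseph describes (sign every server key with one self-signed CA that users import) combined with the layout Jon describes (one cert for the balancer's public name, copied to every back-end), done with the openssl command line. The CA name, the host name lb.example.com and the scratch directory in $WORK are placeholders.

```shell
# Added example (not from the thread). Placeholders: the CA name, the
# host name lb.example.com and the scratch directory in $WORK.
set -e
WORK=${WORK:-$(mktemp -d)}

# Self-signed CA: cacert.pem is the one file users import into their browsers.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/cacert.key" -out "$WORK/cacert.pem" 2>/dev/null
}

# Key + CSR for the load balancer's public host name, signed by our CA.
make_server_cert() {
  host=$1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cacert.key" -CAcreateserial -days 365 \
    -out "$WORK/$host.crt" 2>/dev/null
}

# Chain check: succeeds only when the CA cert is trusted, which is what a
# browser does after the user has imported cacert.pem.
verify_cert() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/$1.crt" >/dev/null 2>&1
}

issuer_of() {
  openssl x509 -noout -issuer -in "$WORK/$1.crt"
}

# The same cert/key pair goes on every back-end (per-backend directories
# stand in for the real servers here), so clients see one identity
# whichever server the balancer routes them to.
install_on_backends() {
  host=$1; shift
  for b in "$@"; do
    mkdir -p "$WORK/backends/$b"
    cp "$WORK/$host.crt" "$WORK/backends/$b/server.crt"
    cp "$WORK/$host.key" "$WORK/backends/$b/server.key"
    chmod 600 "$WORK/backends/$b/server.key"
  done
}

fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1"
}
```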