[TriLUG] SSL Certs

Joseph Tate dragonstrider at gmail.com
Fri Oct 22 15:20:27 EDT 2004


Thawte at least lets you download the appropriate certificate for the
server involved.  There's an option for the format that you download,
and while that cert is valid, it will allow you to redownload your
public cert in whatever format you want.

As for multiple certs: make sure you have the same hostname and you'll
be fine.  I think if you actually research wildcard certs that they
are prohibitively expensive unless you're dealing with a serverfarm as
they're still "licensed" per machine.

Joseph


On Fri, 22 Oct 2004 15:13:50 -0400 (EDT), Matt Pusateri
<mpusateri at wickedtrails.com> wrote:
> On Fri, October 22, 2004 2:55 pm, Tanner Lovelace said:
> ><SNIP>
> >> First of all, the app servers are currently windows (I know..), but
> >> they'll be replaced in a month or two with two brand spanking new Dell
> >> poweredge 1750, RHEL3 boxes running jboss, and being load balanced by
> >> a Cisco Local Director.
> >>
> >> I already figured we'd need a wildcard cert because of the load
> >> balancing and two machines serving the same webaddress, (is this a
> >> correct assumption?), but if I buy the certs now won't I just have to
> >> re-purchase new ones for the Linux boxes?  I guess what I'm asking is
> >> are the certificates OS independent, one version for win and another
> >> for lin?
> >
> > Excellent question, Steve.  To answer your last question first, yes,
> > SSL certificates are (afaik) OS independent.  You should be able
> > to use the same certificate on either windows or linux.  The way you
> > install and use the certificate will be different, but the certificate
> > itself should be the same.
> >
> 
> Hm, having bought certificates for both, I believe they are indeed
> different, not that they should be.  I always thought MS did their
> cert slightly different than OpenSSL.  I know the Thawte certs I
> bought always wanted me to pick when ordering which type of server you
> want the cert to end up on.  My recommendation: if the CA says they are
> different (and I think they are), then most likely they will want you to
> pay to change the cert to the other format.  Can you self-sign the
> certs on the windows boxes until the Dells come in and then when you
> roll out the Dells use real certs?  Also I believe if you mention to
> the CA that it will be multiple servers, they will want you to get a
> wildcard cert, as they want you to buy multiple certs.  Also one of the
> things the CA will want to do is a hostname lookup on your server
> to make sure it resolves properly.  This is twofold: one, to validate
> that you are doing what you say you are doing, and two, to make sure
> you are not using multiple machines.
> 
> Matt Pusateri
> 
> 
> 
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
> 


-- 
Joseph Tate
Personal e-mail: jtate AT dragonstrider DOT com
Web: http://www.dragonstrider.com
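A way to check the claim the thread circles around (that the certificate itself is OS independent and only its container differs between a Linux/OpenSSL setup and a Windows server) is to re-encode one certificate into the formats each platform expects and compare fingerprints. The script below is an added example, not code from this thread or from Thawte; it assumes the `openssl` command-line tool is installed, and the hostname `www.example.test`, the file names and the export password are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. It shows that one X.509
# certificate is the same object whether it is stored as PEM (what
# OpenSSL/Apache on Linux expects), as binary DER, or inside a PKCS#12
# bundle (what IIS on Windows imports), so a cert issued for one platform
# can be re-encoded for the other rather than re-purchased.
# Needs the openssl CLI. Hostname, paths and password are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/certfmt.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
PASS='pass:constructed-export-password'   # protects the key inside the .p12

# Throwaway self-signed cert standing in for a CA-issued one (test use only).
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/server.key" -out "$WORK/server.pem" 2>/dev/null
}

# Re-encode the same certificate three ways.
convert_formats() {
    # PEM -> DER (binary), then DER -> PEM again
    openssl x509 -in "$WORK/server.pem" -outform DER -out "$WORK/server.der"
    openssl x509 -in "$WORK/server.der" -inform DER -out "$WORK/roundtrip.pem"
    # PEM cert + private key -> PKCS#12 bundle (the form IIS wants), then
    # extract only the certificate back out as PEM
    openssl pkcs12 -export -in "$WORK/server.pem" -inkey "$WORK/server.key" \
        -out "$WORK/server.p12" -passout "$PASS"
    openssl pkcs12 -in "$WORK/server.p12" -passin "$PASS" -nokeys -clcerts \
        -out "$WORK/from_p12.pem" 2>/dev/null
}

# SHA-256 fingerprint of a cert file; $2 is the encoding, PEM or DER.
fingerprint_of() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 only if every encoding yields the same fingerprint, i.e. the
# container changed but the certificate did not.
same_cert_all_formats() {
    ref=$(fingerprint_of "$WORK/server.pem" PEM)
    [ "$(fingerprint_of "$WORK/server.der" DER)" = "$ref" ] &&
    [ "$(fingerprint_of "$WORK/roundtrip.pem" PEM)" = "$ref" ] &&
    [ "$(fingerprint_of "$WORK/from_p12.pem" PEM)" = "$ref" ]
}

make_selfsigned
convert_formats
if same_cert_all_formats; then
    echo "same certificate in PEM, DER and PKCS#12: $(fingerprint_of "$WORK/server.pem" PEM)"
else
    echo "fingerprints differ: conversion corrupted the certificate" >&2
    exit 1
fi
```

Run it with `sh`; it prints one fingerprint, which is the same value a browser or `openssl s_client` would show for that certificate no matter which server delivered it. The part that does differ per platform is how the private key is stored and protected, which is why the PKCS#12 export asks for a password: whoever holds that bundle holds the key, so it should travel between the Windows and Linux boxes with the same care as the key file itself.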


