[TriLUG] SSL Certs

Jeremy Portzer jeremyp at pobox.com
Fri Oct 22 15:29:41 EDT 2004


On Fri, 2004-10-22 at 14:29, Steve Hoffman wrote:

> First of all, the app servers are currently Windows (I know..), but
> they'll be replaced in a month or two with two brand spanking new Dell
> PowerEdge 1750, RHEL3 boxes running JBoss, and being load balanced by
> a Cisco Local Director.
> 
> I already figured we'd need a wildcard cert because of the load
> balancing and two machines serving the same web address, (is this a
> correct assumption?), but if I buy the certs now won't I just have to
> re-purchase new ones for the Linux boxes?  I guess what I'm asking is
> are the certificates OS independent, one version for win and another
> for lin?
> 

As Tanner already suggested, you don't need two certificates most
likely, assuming the hostname is the same from the outside.  One
certificate set to that host name should work fine.  You'll just do the
setup on one of the boxes, and copy over everything to the other
machine.

Another thing to think about is if the Cisco Local Director can support
SSL on that box itself. I don't know much about this particular
equipment, but I understand that some load-balancing hardware can host
the SSL certificate on the balancer itself, and then forward the HTTP
requests on to the internal machines.  (In this sense it is acting as a
reverse proxy server of sorts.)  This off-loads the SSL processing from
your machines, allowing them to spend more CPU cycles on the actual
application.  The machines just see "normal" port 80 requests in this
case.

Perhaps not what you intend to do, but it's worth considering.

Jeremy

-- 
/---------------------------------------------------------------------\
| Jeremy Portzer        jeremyp at pobox.com      trilug.org/~jeremy     |
| GPG Fingerprint: 712D 77C7 AB2D 2130 989F  E135 6F9F F7BC CC1A 7B92 |
\---------------------------------------------------------------------/
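
The following is an added example, not part of the original message: a check that one certificate, set up on one machine and copied to the other, is usable on both nodes and names the public host name. The host names, directory layout and the self-signed certificate (standing in for a CA-issued one) are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: host names, paths and the self-signed cert are stand-ins.
set -eu

PUBLIC_HOST="www.example.com"                  # assumed name clients connect to
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
NODE_A="$WORK/node-a"; NODE_B="$WORK/node-b"   # stand-ins for the two app servers

# SHA-256 over the PEM public key held in a certificate / in a private key.
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1; }
key_pub_hash()  { openssl pkey -in "$1" -pubout | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Set up on one box, then copy everything to the other (over scp or similar
# in practice, keeping the private key readable by the server user only).
setup_nodes() {
  mkdir -p "$NODE_A" "$NODE_B"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$PUBLIC_HOST" -addext "subjectAltName=DNS:$PUBLIC_HOST" \
    -keyout "$NODE_A/server.key" -out "$NODE_A/server.crt" 2>/dev/null
  chmod 600 "$NODE_A/server.key"
  cp -p "$NODE_A/server.key" "$NODE_A/server.crt" "$NODE_B/"
}

# True when a node's key belongs to its cert and the cert covers the host name.
check_node() {
  [ "$(cert_pub_hash "$1/server.crt")" = "$(key_pub_hash "$1/server.key")" ] || return 1
  openssl x509 -in "$1/server.crt" -noout -checkhost "$2" | grep -q "does match"
}

# True when both nodes present the same certificate key.
nodes_identical() {
  [ "$(cert_pub_hash "$NODE_A/server.crt")" = "$(cert_pub_hash "$NODE_B/server.crt")" ]
}

setup_nodes
for node in "$NODE_A" "$NODE_B"; do
  check_node "$node" "$PUBLIC_HOST" && echo "OK   ${node##*/} serves $PUBLIC_HOST"
done
nodes_identical && echo "OK   both nodes present the same key"
# The cert names the public host, not either machine, so this lookup fails by design.
check_node "$NODE_B" "app2.internal.example" \
  || echo "INFO cert does not name app2.internal.example (not needed)"
```
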