[TriLUG] SSL Certs

John Reuning john at metalab.unc.edu
Sat Oct 23 14:11:18 EDT 2004


There has been lots of good advice so far, but I wanted to add a few
clarifications.

While it is correct that servers responding to the same hostname don't
require multiple SSL certification, you must also have them respond on
the same IP address.  SSL is transport layer and is negotiated between
web server and browser before the http exchange takes place.  Thus, you
can't use something like rr dns to load balance https.  The Cisco
directors should be golden.  Oh, and you can't run multiple SSL
hostnames on the same IP address.  Or maybe you can with an SSL
accelerator?

The second thing is that SSL certs don't so much support OS's as they do
browsers.  Just make sure you get a cert whose root CA cert is shipped
with a wide range of browsers.  SSL chain verification back to a trusted
root CA cert is what makes https transparent on the client's browser.
Some companies issue SSL certs that aren't supported in some browser
versions.  Furthermore, the good cert companies can issue you a
limited-time demo SSL cert to test.

Another small note is that some SSL certs require intermediate CA
certs.  Apache works fine with these.

Hope this helps,

-jrr
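As an added illustration of the chain-verification and intermediate-CA points in the post above (example code written for this page, not from the original author; it assumes an `openssl` binary of version 1.1.1 or later on PATH, and every name in it is constructed), the script builds a root -> intermediate -> leaf chain and shows that the leaf only verifies back to the trusted root when the intermediate is supplied, which is exactly what the server's chain configuration has to provide:

```shell
# Added example (not from the original post): build a throwaway root ->
# intermediate -> leaf chain and show that the leaf verifies back to the
# trusted root only when the intermediate is supplied. Assumes openssl
# 1.1.1+ on PATH; every name below is constructed.
set -eu

build_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Root CA: self-signed, standing in for a root shipped with browsers.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >/dev/null 2>&1
    # Intermediate CA: signed by the root and itself allowed to sign certs.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$dir/int.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
        -out "$dir/int.pem" >/dev/null 2>&1
    # Server (leaf) cert: signed by the intermediate, not directly by the root.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
    openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/int.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Only the root is trusted and nothing else is offered: leaf -> root cannot be bridged, so non-zero.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store, intermediate offered as untrusted chain material (as a server's chain file would): 0.
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
        "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    build_chain "$d"
    verify_without_intermediate "$d" && echo "root only: OK" || echo "root only: FAIL (missing intermediate)"
    verify_with_intermediate "$d" && echo "root + intermediate: OK" || echo "root + intermediate: FAIL"
    rm -rf "$d"
}
demo
```

The failing case is what a browser sees when a server sends only its leaf cert and the client does not already have the intermediate cached.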
