I've just set up a client for using his own CA and wrote out the specs in a how-to-like fashion. If you want, I'll be happy to share them (with the client specifics removed).
If you are doing DNS round-robin then that is going to be the best way of doing SSL, unless you simply use a separate host name for the SSL and only have it done on one server. When I set this up for a former employer, I used LVS to front-end several back-end servers, including servers running SSL. The front-end was all one IP address, so we only needed one cert, and then we put that cert on each of the back-end boxes. That was years ago and it's still up and running without any problems. The nice thing about using LVS was that you could maintain state (the end-user would end up at the same back-end server as long as they made a request before a specific time-out period), but if the server went down, they were transparently shuttled to a new server. I don't think you get that with DNS round-robin, but it is a simpler setup.

Jon

On Wed, 2003-09-03 at 13:56, Joseph Tate wrote:
> ryan wheaton wrote:
>
> > It's only maybe OT 'cause I'm using Apache on Linux servers :-)
> >
> > but... I'm new to SSL certificates, and was wondering if there was a
> > way to get a site-wide SSL certificate instead of having one per
> > machine. We're going to have a web server environment with multiple
> > servers behind a load balancer, and we don't want our customers to
> > have to accept a certificate 4 or 5 times depending on which machine
> > they hit on that particular occasion.
> > I was thinking that I could just do a DNS round-robin set up as a
> > "load balancer" so that the user hits the same machine every time they
> > go to the site; that way we can have one certificate per machine and
> > our users will only have to accept it once.
> > Any ideas on this?
> >
> > -ryan
>
> I think that's the way to go. There is such a thing as a wildcard
> certificate, but they're still sold on a per-machine basis. If you're
> not going to go through Verisign or Thawte or Geotrust or any of the
> other certifiers, you could sign all your keys using a self-signed CA
> certificate, and have all your users import that CA certificate. I.e.
> all my users go to http://www.dragonstrider.com/security/cacert.pem to
> import the CA required to trust the certificates on
> https://www.dragonstrider.com as well as to use IMAPS or POP3S services,
> though those services use separate certificates.
>
> The openssl docs can help you on the exact sequence and commands required.
>
> Joseph

--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
