On Fri 11 Jul 2003 at 10:09:00, Dan Reese said:
> Multiple domain names that are load balanced across 3 machines. Sounds
> like we're stuck with a tunnel machine or purchasing 3 copies for each
> domain.
No, you really just need one cert for each domain. Use the same
per-domain private key on each machine, use round-robin DNS to serve the
same domain names from each machine, and nobody will be the wiser.
Do this:
SERVER1: example1.com : 192.168.1.1
         example2.com : 192.168.1.2
         example3.com : 192.168.1.3
SERVER2: example1.com : 192.168.2.1
         example2.com : 192.168.2.2
         example3.com : 192.168.2.3
SERVER3: example1.com : 192.168.3.1
         example2.com : 192.168.3.2
         example3.com : 192.168.3.3
Set up your DNS like so:
example1.com  A  192.168.1.1
              A  192.168.2.1
              A  192.168.3.1
example2.com  A  192.168.1.2
              A  192.168.2.2
              A  192.168.3.2
example3.com  A  192.168.1.3
              A  192.168.2.3
              A  192.168.3.3
Generate a private key for the example1.com domain called "example1.key"
and from this make a certificate signing request "example1.req". Do the
same for example2.com and example3.com. Send the reqs to Verisign or
whatever cert service you want. When the certs come back, copy each of
them, with their associated keys, to *each* of the webservers. The cert
checking doesn't care about IPs, just hostnames. As long as each
server responds to "exampleN.com" and has a correctly matched key/cert pair,
you can use the same cert on as many machines as you want.
--
Soren Harward
[EMAIL PROTECTED]
____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
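The deployment described in the reply, as an added example that is not part of the thread: it inverts a constructed server/domain/IP inventory (the SERVER1..SERVER3 layout above) into round-robin A records, renders a BIND-style zone fragment, and then performs the hostname-only certificate match that the reply relies on, using certificate dictionaries in the shape Python's `ssl.getpeercert()` returns. The server names, IPs and certificate contents are all constructed; `cert_matches_hostname`, `deployment_check` and the other function names are this example's own, not from any library.

```python
"""Round-robin DNS records and hostname-based cert matching (constructed example)."""
import ipaddress

# Constructed inventory: each server binds one IP per hosted domain,
# mirroring the SERVER1..SERVER3 layout in the post.
SERVERS = {
    "SERVER1": {"example1.com": "192.168.1.1", "example2.com": "192.168.1.2", "example3.com": "192.168.1.3"},
    "SERVER2": {"example1.com": "192.168.2.1", "example2.com": "192.168.2.2", "example3.com": "192.168.2.3"},
    "SERVER3": {"example1.com": "192.168.3.1", "example2.com": "192.168.3.2", "example3.com": "192.168.3.3"},
}

# Constructed certificates, one per domain, in ssl.getpeercert() dict form.
# The same cert/key pair is deployed to every server that hosts the domain.
CERTS = {
    "example1.com": {"subject": ((("commonName", "example1.com"),),),
                     "subjectAltName": (("DNS", "example1.com"), ("DNS", "*.example1.com"))},
    "example2.com": {"subject": ((("commonName", "example2.com"),),),
                     "subjectAltName": (("DNS", "example2.com"),)},
    # Older-style cert with no SAN: only the CN is consulted.
    "example3.com": {"subject": ((("countryName", "US"),), (("commonName", "example3.com"),))},
}


def round_robin_records(servers):
    """Invert server -> {domain: ip} into domain -> sorted list of A-record IPs."""
    records = {}
    for bindings in servers.values():
        for domain, ip in bindings.items():
            ipaddress.ip_address(ip)  # raises ValueError on a mistyped address
            records.setdefault(domain, []).append(ip)
    return {d: sorted(ips, key=ipaddress.ip_address) for d, ips in records.items()}


def zone_fragment(records, ttl=300):
    """Render one A record per IP; resolvers rotate the answer order (round robin)."""
    lines = []
    for domain in sorted(records):
        for ip in records[domain]:
            lines.append(f"{domain}.\t{ttl}\tIN\tA\t{ip}")
    return "\n".join(lines)


def dns_name_match(pattern, hostname):
    """RFC 6125-style DNS-ID match: a wildcard may only be the entire leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject partial wildcards ("f*o.example.com"), label-count mismatch, and "*.com".
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """Match on DNS SANs; fall back to the CN only when the cert carries no DNS SAN.
    Note what is absent: the IP the connection arrived on plays no part."""
    san_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        return any(dns_name_match(p, hostname) for p in san_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_match(value, hostname)
    return False


def deployment_check(servers, certs):
    """For every server and every domain it hosts, confirm the deployed cert names
    that domain. Returns a list of problems; empty means the layout is consistent."""
    problems = []
    for host, bindings in servers.items():
        for domain in bindings:
            cert = certs.get(domain)
            if cert is None:
                problems.append(f"{host}: no certificate deployed for {domain}")
            elif not cert_matches_hostname(cert, domain):
                problems.append(f"{host}: certificate for {domain} does not name {domain}")
    return problems


if __name__ == "__main__":
    print(zone_fragment(round_robin_records(SERVERS)))
    print("problems:", deployment_check(SERVERS, CERTS) or "none")
```

Running the block prints nine A records (three per domain) and an empty problem list; removing a domain's certificate from `CERTS`, or replacing its names with an IP address, makes `deployment_check` report every server that hosts that domain, which is the check worth running after copying the key/cert pairs around.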