Well. It looks like they have some good reasons for doing it that way. It's kind of silly though. I'd look for a different CA.

Dan Reese wrote:

According to VeriSign and Thawte, we can't put a copy of a certificate on
a second server without paying extra for the privilege. I know that it
doesn't matter technically, but the licensing prevents us from doing it. Am I incorrect in this?
--Dan


On Fri, 11 Jul 2003 12:23:24 -0600, "Soren Harward" <[EMAIL PROTECTED]> said:

On Fri 11 Jul 2003 at 10:09:00, Dan Reese said:

Multiple domain names that are load balanced across 3 machines.  Sounds
like we're stuck with a tunnel machine or purchasing 3 copies for each
domain.

No, you really just need one cert for each domain. Use the same per-domain private key on each machine, use round-robin DNS to serve the same domain names from each machine, and nobody will be the wiser.

Do this:

SERVER1: example1.com : 192.168.1.1
        example2.com : 192.168.1.2
        example3.com : 192.168.1.3

SERVER2: example1.com : 192.168.2.1
        example2.com : 192.168.2.2
        example3.com : 192.168.2.3

SERVER3: example1.com : 192.168.3.1
        example2.com : 192.168.3.2
        example3.com : 192.168.3.3

Set up your DNS like so:

example1.com A 192.168.1.1
            A 192.168.2.1
            A 192.168.3.1

example2.com A 192.168.1.2
            A 192.168.2.2
            A 192.168.3.2

example3.com A 192.168.1.3
            A 192.168.2.3
            A 192.168.3.3

Generate a private key for the example1.com domain called "example1.key"
and from this make a certificate signing request "example1.req".  Do the
same for example2.com and example3.com.  Send the reqs to Verisign or
whatever cert service you want.  When the certs come back, copy each of
them, with their associated keys, to *each* of the webservers.  The cert
checking doesn't care about IP's, just hostnames.  As long as each
server responds to "exampleN.com" and has a correctly matched key/cert
pair, you can use the same cert on as many machines as you want.

--
Soren Harward
[EMAIL PROTECTED]

____________________
BYU Unix Users Group http://uug.byu.edu/ ___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
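The procedure above, as an added example that is not from the thread: a small POSIX shell script that generates the per-domain key and CSR the way the post describes, then runs the check that matters on each server after the key/cert pair has been copied there, namely that the private key really belongs to the certificate and that the certificate names the host. It assumes openssl is on the PATH; the file names and function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl is installed.
# Step 1 (once, before sending the CSR to the CA): per-domain key + CSR.
# Step 2 (on every server that received the files): verify the pair.

# Generate "<base>.key" and "<base>.req" for one domain, no passphrase.
make_csr() {
    domain="$1"; base="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$base.key" -out "$base.req" \
        -subj "/CN=$domain" >/dev/null 2>&1
}

# Return 0 if the private key in $1 belongs to the certificate in $2.
# Compares the PEM public key derived from each side (works for RSA and EC).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Return 0 if the certificate's subject CN or a DNS SAN entry equals $1.
cert_names_host() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g'); cert="$2"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -Eq "CN ?= ?$esc(,| |\$)|DNS:$esc(,| |\$)"
}

# Per-server check for one host: both conditions must hold.
check_pair() {
    host="$1"; key="$2"; cert="$3"
    if key_matches_cert "$key" "$cert" && cert_names_host "$host" "$cert"; then
        echo "OK   $host: $key matches $cert"
        return 0
    fi
    echo "FAIL $host: $key does not match $cert or cert does not name $host" >&2
    return 1
}
```

Run `check_pair exampleN.com exampleN.key exampleN.crt` on each of the three servers; a FAIL means a key and cert got copied from different domains.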


