From: Shawn Nunley (shawnIZZATnunleys.com)
Date: Tue Dec 17 2002 - 16:40:42 EST
OK... Here we go again... Let's be very clear on this.
1) Every server that is performing SSL needs its own unique certificate.
If you want users to be able to speak SSL directly to that server, they
will need to see a valid certificate on that server from a valid signing
authority like Verisign. You cannot use the same certificate (legally)
on more than one active SSL server.
2) If your SSL is terminated at an SSL accelerator, and the servers are
speaking HTTP (not HTTPS) to the accelerator, there is no reason,
whatsoever, to need certificates on the servers. The only place you
need a certificate, in this case, is on the accelerator(s). Again, you
cannot use the same certificate on more than one device at a time
(legally).
3) If your SSL accelerator is capable of backend-encryption (SSL between
the server and the accelerator) you do need certificates on the servers,
but you may not necessarily need publicly verifiable certificates like
you get from Verisign.
So,
4) If your SSL accelerator can use private certificates for the backend
portion, you do not need to buy publicly verifiable certificates for the
servers. The certificate that faces the user (the one on the SSL
accelerator) does need to be a valid certificate from a publicly known
signing authority like Verisign.
So, it is definitely possible to use one (and only one) Verisign
certificate for a domain as long as that certificate is only actually in
use on one device. The fact that it is encrypting traffic that
originated at one or many servers is completely irrelevant.
If you are dealing with an ISP, their network architecture may mandate
the use of a separate valid certificate on every server if they do not
employ an SSL accelerator that can aggregate SSL termination.
Is that clear now?
-Shawn
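As an added illustration of points 2 through 4 above (this is not from the original thread or any product it mentions; the paths, addresses and hostnames are assumed placeholders), here is an HAProxy load balancer configuration in which the single publicly signed certificate lives only on the accelerator, while the servers behind it hold certificates from an internal CA that the accelerator verifies on the backend leg:

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Public-facing listener: the one publicly signed certificate (assumed path)
# is installed here and nowhere else, matching point 2 above.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/public-example.pem
    default_backend web_servers

# Point 2: SSL terminated at the accelerator, plain HTTP to the servers.
# No certificates on the servers, but the traffic on the internal
# segment is cleartext. (Kept here only for comparison; not referenced.)
backend web_servers_plain
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check

# Points 3 and 4: backend re-encryption. Each server presents its own
# certificate issued by an internal CA (assumed path); the accelerator
# verifies the chain against that CA and checks the name, so the
# servers never need a publicly signed certificate.
backend web_servers
    server web1 10.0.0.11:443 ssl verify required \
        ca-file /etc/haproxy/certs/internal-ca.pem \
        verifyhost web1.internal.example check
    server web2 10.0.0.12:443 ssl verify required \
        ca-file /etc/haproxy/certs/internal-ca.pem \
        verifyhost web2.internal.example check
```

Leaving out `verify required` (HAProxy's default is `verify none` on backend servers unless set globally) would encrypt the backend leg without authenticating the server, so the internal CA buys nothing in that case.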
-----Original Message-----
From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net] On Behalf Of
Hamish Marson
Sent: Tuesday, December 17, 2002 9:59 AM
To: lb-lIZZATvegan.net
Subject: Re: [load balancing] Question about Wildcard certificates, DNS CNAME (alias) and SSL accelerators
Daniel Peterson wrote:
>Good Day,
>
>
>If you are using an SSL accelerator you only need to
>buy certs for the Accelerators. The ssl accelerators
>are the only devices that will have the certificates
>installed. They are also the only devices that will
>be doing encryption and decryption.
>
>This was discussed in more detail a few months back
>
>Dan
>
>
And unfortunately doesn't appear to be correct. Even when performing SSL
offload, BT Trustwise and Verisign insist that you have a license for
EVERY web server behind the SSL accelerator. We have it in writing from
them.
H
--
I don't suffer from Insanity... | Linux User #16396
I enjoy every minute of it...   | http://www.travellingkiwi.com/
____________________ The Load Balancing Mailing List Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l Archive: http://vegan.net/lb/archive LBDigest: http://lbdigest.com MRTG with SLB: http://vegan.net/MRTG Hosted by: http://www.tokkisystems.com
This archive was generated by hypermail 2.1.4 : Tue Dec 17 2002 - 16:48:12 EST