RE: [load balancing] Question about Wildcard certificates, DNS CNAME (alias) and SSL accelerators

From: Shawn Nunley (shawnIZZATnunleys.com)
Date: Tue Dec 17 2002 - 16:40:42 EST

    OK... Here we go again... Let's be very clear on this.

    1) Every server that is performing SSL needs its own unique certificate.
    If you want users to be able to speak SSL directly to that server, they
    will need to see a valid certificate on that server from a valid signing
    authority like Verisign. You cannot use the same certificate (legally)
    on more than one active SSL server.

    2) If your SSL is terminated at an SSL accelerator, and the servers are
    speaking HTTP (not HTTPS) to the accelerator, there is no reason,
    whatsoever, to need certificates on the servers. The only place you
    need a certificate, in this case, is on the accelerator(s). Again, you
    cannot use the same certificate on more than one device at a time
    (legally.)

    3) If your SSL accelerator is capable of backend-encryption (SSL between
    the server and the accelerator) you do need certificates on the servers,
    but you may not necessarily need publicly verifiable certificates like
    you get from Verisign.

    So,

    4) If your SSL accelerator can use private certificates for the backend
    portion, you do not need to buy publicly verifiable certificates for the
    servers. The certificate that faces the user (the one on the SSL
    accelerator) does need to be a valid certificate from a publicly known
    signing authority like Verisign.

    So, it is definitely possible to use one (and only one) Verisign
    certificate for a domain as long as that certificate is only actually in
    use on one device. The fact that it is encrypting traffic that
    originated at one or many servers is completely irrelevant.

    If you are dealing with an ISP, their network architecture may mandate
    the use of a separate valid certificate on every server if they do not
    employ an SSL accelerator that can aggregate SSL termination.

    Is that clear now?

    -Shawn

    -----Original Message-----
    From: owner-lb-lIZZATvegan.net [mailto:owner-lb-lIZZATvegan.net] On Behalf Of
    Hamish Marson
    Sent: Tuesday, December 17, 2002 9:59 AM
    To: lb-lIZZATvegan.net
    Subject: Re: [load balancing] Question about Wildcard certificates, DNS
    CNAME (alias) and SSL accelerators

    Daniel Peterson wrote:

    >Good Day,
    >
    >
    >If you are using an SSL accelerator you only need to
    >buy certs for the Accelerators. The ssl accelerators
    >are the only devices that will have the certificates
    >installed. They are also the only devices that will
    >be doing encryption and decryption.
    >
    >This was discussed in more detail a few months back
    >
    >Dan
    >
    >
    And unfortunately doesn't appear to be correct. Even when performing SSL
    offload, BT Trustwise and Verisign insist that you have a license for
    EVERY web server behind the SSL accelerator. We have it in writing from
    them.

    H

    -- 
    I don't suffer from Insanity... | Linux User #16396
    I enjoy every minute of it...   | http://www.travellingkiwi.com/

    ____________________
    The Load Balancing Mailing List
    Unsubscribe: mailto:majordomoIZZATvegan.net?body=unsubscribe%20lb-l
    Archive: http://vegan.net/lb/archive
    LBDigest: http://lbdigest.com
    MRTG with SLB: http://vegan.net/MRTG
    Hosted by: http://www.tokkisystems.com

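The two offload layouts Shawn describes (cases 2 and 3/4), written out as a present-day HAProxy configuration. This is an added illustration, not something from the thread; the certificate paths, the 10.0.0.x server addresses and the `*.internal` names are assumed placeholders.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# The public-facing listener is the one place the certificate from a
# public signing authority lives. Only this device presents it to users.
frontend https_in
    bind :443 ssl crt /etc/haproxy/certs/www.example.com.pem   # assumed path
    http-request set-header X-Forwarded-Proto https
    default_backend web_reencrypt

# Case 2: pure offload. The accelerator decrypts and the servers speak
# plain HTTP, so they carry no certificate at all.
backend web_plain
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check

# Cases 3/4: backend re-encryption. Each server presents a certificate
# issued by a private, internal CA; the accelerator verifies the server
# against that CA only, so nothing public is needed behind it.
backend web_reencrypt
    balance roundrobin
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem sni str(web1.internal) check
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/internal-ca.pem sni str(web2.internal) check
```

`verify required` together with the per-server `sni` makes the accelerator reject a backend whose certificate is not issued by the internal CA or does not match the expected name, which is the check a re-encrypting deployment should never run without.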



    This archive was generated by hypermail 2.1.4 : Tue Dec 17 2002 - 16:48:12 EST