
Re: Verisign Certs

To: "David D.W. Downey" <david.downey@xxxxxxxx>
Subject: Re: Verisign Certs
Cc: Joseph Mack <mack.joseph@xxxxxxx>, Linux Virtual Server Mail List <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: "Matthew S. Crocker" <matthew@xxxxxxxxxxx>
Date: Mon, 16 Oct 2000 16:04:02 -0400 (EDT)
On Mon, 16 Oct 2000, David D.W. Downey wrote:
> We have like 40 domains all told assigned to the single VIP. I take it then
> that I would have to redo the DNS and LVS to assign different IPs to the
> different domains rather than feeding them all through 1? That I can
> understand.
> 
> BUT, the certificates would actually be loaded from the real servers
> comprising the cluster correct? If so, how do you assign multiple certs on a
> single machine that all feeds to the same directory but via different
> <Virtual Host> entries in the httpd.conf?

You need to set up the vs servers with 40 VIPs and set up the ws servers to
handle the same VIPs. This is the same thing as normal LVS but with 40
IPs instead of one. You will have 40 dummy interfaces on the ws
servers (interface aliases eth0:0 --> eth0:39).

Then you need to set up 40 virtual host entries in httpd.conf but set up IP
BASED not NAME BASED. This is very important. You then register 40
certificates for the 40 names you plan on handling and put each
certificate in a separate <VirtualHost> entry in httpd.conf. Once that is
all done you take the 40 DNS names and point them to the VIP addresses and
make sure you match the IP in DNS to the IP in httpd.conf with the name
on the certificate.

Remember, certificates are branded with the name of the server in them
and the certificate is sent to the client during SSL setup which is BEFORE
the HTTP protocol. Name-based virtual hosting is HTTP/1.1; if you don't have
HTTP yet how can you figure out what certificate to send?

When the client gets the certificate it matches the name in the cert to the
URL it is going to. If they don't match the client will complain to the
user about potential security problems. The SSL session is still
established and security is still there but the normal user will get scared
when the browser complains. It gets expensive, 40 certs at Thawte are
$4025.

Hope this helps.

-Matt

-- 
----------------------------------------------------------------------
Matthew S. Crocker 
Vice President / Internet Division         Email: matthew@xxxxxxxxxxx
Crocker Communications                     Phone: (413) 587-3350
PO BOX 710                                 Fax:   (413) 587-3352
Greenfield, MA 01302-0710                  http://www.crocker.com
----------------------------------------------------------------------
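The three-way consistency Matt describes (DNS name to VIP, VIP to an IP-based `<VirtualHost>`, `<VirtualHost>` to the name on its certificate) is easy to get wrong across 40 entries, and a mismatch in any leg produces the browser warning he mentions. The Python script below is an added example for checking that before going live; it is not code from the thread or from the LVS project. The httpd.conf fragment, the DNS answers and the certificate subjects are all constructed inline (with deliberate mistakes in three of the four entries), it only recognises the mod_ssl directives `ServerName` and `SSLCertificateFile`, and it only handles IPv4 addresses in the `<VirtualHost>` line. Modern TLS clients send the requested hostname in the ClientHello (Server Name Indication), which is what makes name-based HTTPS hosting workable today; a client without SNI still needs the one-VIP-per-certificate layout the reply describes, and that layout is what the check enforces.

```python
import re

# Constructed httpd.conf fragment: one IP-based <VirtualHost> per VIP,
# each with its own certificate, as the reply recommends. Not from the thread.
HTTPD_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName www.example-a.test
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/www.example-a.test.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName www.example-b.test
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/www.example-b.test.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example-c.test
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/www.example-c.test.crt
</VirtualHost>
<VirtualHost 192.0.2.13:443>
    ServerName www.example-d.test
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/old-name.test.crt
</VirtualHost>
"""

# Constructed DNS answers: the A record each public name currently points at.
DNS = {
    "www.example-a.test": "192.0.2.10",
    "www.example-b.test": "192.0.2.12",   # deliberately points at the wrong VIP
    "www.example-c.test": "192.0.2.12",
    "www.example-d.test": "192.0.2.13",
}

# Constructed certificate subjects (CN) keyed by certificate file path.
CERT_CN = {
    "/etc/httpd/ssl/www.example-a.test.crt": "www.example-a.test",
    "/etc/httpd/ssl/www.example-b.test.crt": "www.example-b.test",
    "/etc/httpd/ssl/www.example-c.test.crt": "www.example-c.test",
    "/etc/httpd/ssl/old-name.test.crt": "old-name.test",   # deliberately stale CN
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_vhosts(conf):
    """Return (address, ServerName, SSLCertificateFile) for every <VirtualHost>.

    The address is the part before the port; IPv4 only (an IPv6 literal
    would need bracket handling that this example does not attempt).
    """
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        ip = addr.split(":")[0].strip()
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        vhosts.append((ip,
                       name.group(1) if name else None,
                       cert.group(1) if cert else None))
    return vhosts


def check_vhosts(conf, dns, cert_cn):
    """Return a list of problem strings; an empty list means all three legs agree."""
    problems = []
    seen_ips = set()
    for ip, name, cert in parse_vhosts(conf):
        # A wildcard or _default_ address is a name-based vhost: before any HTTP
        # request arrives the server cannot tell which certificate to present.
        if ip in ("*", "_default_"):
            problems.append(f"{name}: name-based vhost ({ip}); SSL needs a dedicated IP")
            continue
        # Two SSL vhosts on one VIP collapse to whichever certificate loads first.
        if ip in seen_ips:
            problems.append(f"{name}: VIP {ip} already used by another SSL vhost")
        seen_ips.add(ip)
        # Leg 1: the public name must resolve to the VIP this vhost listens on.
        if dns.get(name) != ip:
            problems.append(f"{name}: DNS -> {dns.get(name)} but vhost is {ip}")
        # Leg 2: the certificate served on that VIP must carry the same name.
        cn = cert_cn.get(cert)
        if cn != name:
            problems.append(f"{name}: certificate CN is {cn!r}, browser will warn")
    return problems


if __name__ == "__main__":
    for line in check_vhosts(HTTPD_CONF, DNS, CERT_CN):
        print(line)
```

Run as is, the script reports the three constructed faults (wrong DNS target for `www.example-b.test`, a wildcard-address vhost for `www.example-c.test`, and a certificate whose CN does not match `www.example-d.test`) and stays silent for the correctly wired entry. On a real host the constructed tables would be replaced by actual DNS lookups and by reading each certificate's subject.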
