Well, certificates are bound to the absolute server name. So on a server
farm, with lots of real servers, you end up having web1.foo.com,
web2.foo.com, and each of them has its own certificate. You cannot
install the same certificate into each server because the CSR is different
for each of them. It's lame, but a sad reality of non-terminated SSL.
If ANYBODY out there knows how to get around this, I am ALL EARS! :) At
~$800 each, multiple certificates get REALLY REALLY lame, and fast. Not
only that, but they become an administrative nightmare when you have more
than three real servers.
-- Jake
> -----Original Message-----
> From: Axel Dunkel [mailto:ad@xxxxxxxxx]
> Sent: Sunday, September 03, 2000 3:45 AM
> To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Subject: RE: few questions [BigIP notes]
>
>
>
> On 3 Sep 00, at 0:00, Jacob W Anderson wrote:
> > One thing to note about using the BigIP box and SSL. BigIP supports SSL
> > termination, so that you do not have to buy a certificate for each web host.
> > With LVS, you have to install a certificate for each web server. This can
> > become VERY costly for large server farms, such as E*Trade, which make heavy
> > use of SSL.
>
> I see no reason why you would need to buy multiple certificates?
> You buy one certificate (for the farm address) and install it (priv.
> key plus certificate) on every machine of the farm. Then, of
> course, the web servers also share the SSL load.
>
> Best regards,
> Axel Dunkel
>
> ---
> Systemberatung A. Dunkel GmbH, Gutenbergstr. 5, D-65830 Kriftel
> Tel.: +49-6192-9988-0, Fax: +49-6192-9988-99, E-Mail: ad@xxxxxxxxx
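An added example, not part of the original thread: a small audit of the setup described in the quoted reply, where one certificate for the farm address is installed on every machine. It checks that every real server presents the same certificate and that the certificate covers the name clients connect to; `www.foo.com`, `web3.foo.com` and the DER byte strings are constructed sample values, and the wildcard handling goes beyond what the thread discusses.

```python
import hashlib
from collections import Counter

def cert_names(cert):
    """DNS names a certificate covers; cert uses the ssl.getpeercert() dict layout."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Fall back to the subject commonName when there is no DNS subjectAltName.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Exact match, or '*' standing for the whole left-most label only."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return False

def audit_farm(farm_name, nodes):
    """nodes: {real_server: (cert_dict, der_bytes)} -> {real_server: [findings]}."""
    prints = {n: hashlib.sha256(der).hexdigest() for n, (_, der) in nodes.items()}
    common = Counter(prints.values()).most_common(1)[0][0]
    findings = {}
    for node, (cert, _) in nodes.items():
        issues = []
        # Clients compare the certificate with the name they asked for (the farm address).
        if not any(name_matches(p, farm_name) for p in cert_names(cert)):
            issues.append("certificate does not cover " + farm_name)
        if prints[node] != common:
            issues.append("certificate differs from the rest of the farm")
        if issues:
            findings[node] = issues
    return findings

def _cert(cn):
    return {"subject": ((("commonName", cn),),)}

FARM = "www.foo.com"  # assumed farm address (constructed)
SHARED = (_cert(FARM), b"constructed-der-shared")  # placeholder bytes, not a real certificate
SAMPLE_NODES = {
    "web1.foo.com": SHARED,
    "web2.foo.com": SHARED,
    "web3.foo.com": (_cert("web3.foo.com"), b"constructed-der-web3"),
}

if __name__ == "__main__":
    for node, issues in audit_farm(FARM, SAMPLE_NODES).items():
        print(node, issues)
```

Against a live farm, the certificate dictionary and DER bytes for each real server would come from `ssl.SSLSocket.getpeercert()` and `getpeercert(binary_form=True)` on a connection made directly to that server.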