Re: Favorite cert authority?

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx, zmully@xxxxxxxxxxxxxx
Subject: Re: Favorite cert authority?
From: Joseph Mack <mack.joseph@xxxxxxx>
Date: Mon, 26 Aug 2002 14:22:41 -0400
Zachariah Mully wrote:
> 

> Thanks Joe, this is unfortunately exactly what I expected to hear. And
> yes, the ominous warning will definitely confuse and scare our brain
> dead users.

They aren't really brain dead. They just don't understand what's going on
and quite reasonably in that situation they are worried about their credit card 
number and what's going to happen to it. They have a right to know that
their connection isn't being rerouted to some other entity and this
fear is how Verisign is making their money.

I've just had an offline exchange with someone who self-signs and sends the
client a pop-up explaining the situation. This appears to be for in-house stuff.
I don't know if this is going to work in the general case - 
I expect that you'll get a different reception if you are the Bank of London
and if you are selling dubious services. You could try it initially and log 
the connections that don't follow through after getting the educational 
pop-up to see how much people are scared off.
 
> As someone pointed out, one cert should work fine for many NAT'ed
> servers, anyone know if my DR config would change that?

The certificate is for a domain name. All realservers think they are running
that domain name. For LVS-DR they all have the same IP (the VIP). For LVS-NAT
they all have different IPs (the various RIPs), in which case you have to have
a different /etc/hosts file for each realserver (see the HOWTO). In all cases
the machines have the same domain name and can run the same certificate. 
(Hmm, it's been a while, I can't remember whether the RootCA asks you for your 
IP or not, so I don't remember if the IP is part of the cert). I can't imagine
how Verisign is ever going to tell that you have multiple machines using the 
same cert. Perhaps you could NFS export the one copy of the cert to all realservers.

Joe

-- 
Joseph Mack PhD, Senior Systems Engineer, Lockheed Martin
contractor to the National Environmental Supercomputer Center, 
mailto:mack.joseph@xxxxxxx ph# 919-541-0007, RTP, NC, USA
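A small illustration of the point in Joe's reply (the certificate is bound to the domain name, not to the address of the machine serving it), added here as an example and not part of the original message: the identity check a TLS client performs, written out in plain Python and applied to constructed certificate identity fields in the layout Python's ssl.getpeercert() returns. The domain www.example.org, the realserver RIPs and both sample certificates are constructed; the second certificate also carries an IP SAN to show what changes when an IP is put into the cert.

```python
import ipaddress

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive; a wildcard is allowed
    only as the whole leftmost label and never matches the parent domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches(cert: dict, presented: str) -> bool:
    """Does the cert identify what the client typed? An IP literal is matched
    only by an 'IP Address' SAN; a host name by the DNS SANs, or by the subject
    CN when the cert has no SAN. The serving machine's address plays no part."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(presented)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in san)
    dns_ids = [v for k, v in san if k == "DNS"]
    if not dns_ids:  # legacy certificates: fall back to the commonName
        dns_ids = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, presented) for p in dns_ids)

# Constructed sample certificates (identity fields only, no keys or signatures).
NAME_CERT = {  # issued for the service domain name only
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}
RIP_CERT = {  # same name, but additionally tied to one realserver's RIP
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"), ("IP Address", "10.0.0.1")),
}

def farm_check(cert: dict, hostname: str, realservers: list) -> dict:
    """Per realserver RIP: (client reached it by the service name, client typed
    that RIP as an IP literal). Only the second column can vary between boxes."""
    return {rip: (cert_matches(cert, hostname), cert_matches(cert, rip)) for rip in realservers}

if __name__ == "__main__":
    rips = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed LVS-NAT realservers
    print(farm_check(NAME_CERT, "www.example.org", rips))  # name column True everywhere
    print(farm_check(RIP_CERT, "www.example.org", rips))   # IP column True only on 10.0.0.1
```

With the name-only certificate every realserver passes for a client that used the domain name, whichever RIP or VIP answered; putting a RIP into the cert only helps clients that typed that one address, and ties that copy of the cert to that one box.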

