Migrating some Tomcat/Apache applications from Mac OS X to Linux (RHEL 6), and was wondering what the best practices are for using the existing SSL certs. This migration is not a one to one, meaning previously I may have had mac-server1 running
https://mac-server1.organd mac-server2 runninghttps://mac-server2.org, but now I will have Linux-server1 in a load-balanced pair (using a Citrix Netscaler) with Linux-server2 andhttps://mac-server1.org&https://mac-server2.orgwill be running on both Linux boxes.Should all the SSL termination be handled at the load balancer to simplify this? What if I wanted to install the certs directly to both Linux boxes, how do I avoid having a CN/name mismatch? Would I need multiple NICs with a different IP for each?
How does an SSL certificate verify that the CN on the cert matches the hostname of the server it resides on? Does it use DNS, or some underlying system call/library function?
Answer
- Depends on your security requirements. Doing it at the load balancer level surely simplifies things. Reduced CPU usage on the servers.. fewer places to update expired certificates.
- The cert’s CN and the hostname and IPs have no bearing on any mismatch. The client makes that determination, not the server.
- No you would not need multiple NICs and different IPs.
- SSL certificates don’t verify the CN with the hostname. The only verification that happens is that your key can decrypt the signed certificate. If it can’t, then obviously it can’t pass the certificate on to clients.
- It uses none of those, the client (web browser) does that.
Attribution
Source : Link , Question Author : usedTobeaMember , Answer Author : Community
