CSS with SSL module - how many certs do we need

a.gesse
Level 1

Hello,

We are currently moving from server-based certs to CSS/SSL-based.

We have two sites, two CSS/SSL on each in ASR mode.

There are two real servers behind each SSL rule for load balancing.

The question becomes: how many certificates do we need for such a design?

For sure we need one per site, then on each site we have Active/Standby CSSs.

Do we need a separate certificate for each CSS?

I don't think so, because only one is active at a time.

I tested it with the same certificate on both CSSs on one site, no problem.

The question is, will it be OK for production?

So the total number would be 2 certs for such a design (one per VIP) if we have one SSL rule per site, and 4 if we have 2 SSL rules per site - is that OK?

Thank you,

Alex

1 Reply

Gilles Dufour
Cisco Employee

The certificate is linked to a host name, i.e. www.mycompany.com.

So, if you have 4 CSSs, all handling traffic for www.mycompany.com, then they can all share the same certificate.

Even if you have the 4 CSSs split over 2 sites, using different VIPs, as long as they handle the same hostname, then they can share the certificate.

Actually, the CSS itself does not care about hostname/certificate mapping.

The CSS will use whatever certificate you configure it to use.

However, browsers check URL <-> certificate, and if there is a mismatch, they pop up an error message.

Regards,

Gilles.
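
The URL <-> certificate check described in the reply above, as an added example that is not part of the original thread: a simplified hostname matcher run over a constructed four-CSS deployment. The VIP addresses, device names, the `css1.site-a.example` certificate and all function names are assumptions; certificates use the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
def dns_name_matches(pattern, hostname):
    """Compare one certificate name with the hostname taken from the URL.
    A wildcard is accepted only as the whole leftmost label, covering one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad names such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, hostname):
    """True if a client requesting `hostname` would accept this certificate's names."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(dns_name_matches(s, hostname) for s in sans)
    # Legacy fallback to the subject CN; current browsers require a SAN entry.
    return any(key == "commonName" and dns_name_matches(value, hostname)
               for rdn in cert.get("subject", ()) for key, value in rdn)

# Constructed certificates: one issued for the service hostname, one per-device.
SHARED = {"subject": ((("commonName", "www.mycompany.com"),),),
          "subjectAltName": (("DNS", "www.mycompany.com"),)}
PER_DEVICE = {"subject": ((("commonName", "css1.site-a.example"),),),
              "subjectAltName": (("DNS", "css1.site-a.example"),)}

# Constructed deployment: (site, device, VIP) -> certificate configured on it.
DEPLOYMENT = {
    ("site-a", "css-active", "192.0.2.10"): SHARED,
    ("site-a", "css-standby", "192.0.2.10"): SHARED,
    ("site-b", "css-active", "198.51.100.10"): SHARED,
    ("site-b", "css-standby", "198.51.100.10"): PER_DEVICE,
}

def mismatches(deployment, hostname):
    """List the devices whose certificate would trigger a browser name error."""
    return [dev for dev, cert in deployment.items()
            if not cert_covers(cert, hostname)]

if __name__ == "__main__":
    for dev in mismatches(DEPLOYMENT, "www.mycompany.com"):
        print("name mismatch on", dev)
```

The VIP never enters the comparison, so devices on different VIPs pass with the same certificate, while a client that browses to the VIP address instead of the hostname gets a mismatch.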