Sunday, January 23, 2011

CSR, SSL and load balancers?

Hi folks,

do I need to generate a CSR on the load balancer or on the individual servers?

  • Depends on whether you'll be terminating SSL on the load balancer or web servers...

    In general, if your load balancer can handle it, then better to do it all there and take the load off the web servers. Also it allows quicker deployment of new servers as it's one less step to worry about.

    Having said that, once you have your private key and ssl cert from the provider, you can back these up and use them wherever you like (on LBs or servers), so you won't be tied to one method or the other permanently.

    Warner : What? They're asking about the certificate request.
    Robbo : Yes, and I added some relevant thoughts around using load balancers for SSL termination and finished by saying what you did.
    Warner : I didn't down-vote you, I rarely down-vote. CSR != CRT. See: http://en.wikipedia.org/wiki/Certificate_signing_request
    From Robbo
  • You can generate the CSR anywhere. The certificate generated will need to be in a format that the device using it can utilize. Typically, that will be PEM.

    From Warner
  • CSR is a bunch of info (like DN, expiration dates, CommonName) in addition to Public Key. Download openssl library and do the tricks mentioned here.

    http://www.rapidssl.com/ssl-certificate-support/generate-csr/apache_mod_ssl.htm

    Once ya get the cert, make sure you copy the private key, cert, along with the CA cert (or create a chain cert), since custom applications don't often update their root certs.

    From RainDoctor
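
The workflow the answers above describe, as an added example that is not from any of the posters: generate the key and CSR on any host, then, on whichever device will terminate SSL, confirm the issued certificate carries the same public key as the private key before installing it. The hostname `www.example.test`, the file names and the helper function names are constructed, and the self-signing step only stands in for the CA.

```shell
#!/bin/sh
# Added example. www.example.test and all file/function names are constructed.
set -eu

# Step 1 (any host): private key + CSR. Only the CSR is sent to the CA;
# the key stays private and is later copied to the LB or web servers.
make_key_and_csr() {   # $1 = directory, $2 = common name
    ( umask 077; openssl genrsa -out "$1/server.key" 2048 2>/dev/null )
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr"
}

# Stand-in for the CA: self-sign the CSR so there is a certificate to check.
# A real CA returns the certificate plus its intermediate (chain) certificates.
fake_ca_sign() {       # $1 = directory
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 1 -out "$1/server.crt" 2>/dev/null
}

# SHA-256 over the PEM public key carried by each kind of file.
pub_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey | openssl sha256; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }

# Step 2 (the LB or web server): a key and a CSR/cert belong together
# only if they carry the same public key.
key_matches_csr()  { [ "$(pub_of_key "$1")" = "$(pub_of_csr "$2")" ]; }
key_matches_cert() { [ "$(pub_of_key "$1")" = "$(pub_of_cert "$2")" ]; }

demo() {
    d=$(mktemp -d)
    make_key_and_csr "$d" www.example.test
    fake_ca_sign "$d"
    key_matches_csr  "$d/server.key" "$d/server.csr" && echo "CSR matches key"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "cert matches key"
    rm -rf "$d"
}
demo
```
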
