Manage SSL certificate across multiple servers

[blondebier]

Hi Guys,

We run a network in a datacenter to host some of our software.

Currently we have a ssl certificate that is installed on a web server and this works ok.

Maintenance and updates are a bit of a nightmare though and this prevents us from running a 24 hour operation.

We now have the need to run the service 24/7 all year round and taking this server offline is not an option for us.

How do people manage the same SSL certificate across multiple servers? Ideally we'd like to run 2 identical servers in parallel and then just flick between the 2 as updates/maintenance are required.

This leads me to think that maybe the SSL certificate should be in a "layer" above the web servers. Is this possible? Is there a network device/switch/router that would allow use to manage our ssl certificate(s), as we have multiple domains, and not have them installed on the servers themselves?

We could then route traffic to whichever server was currently in service.

Is this possible? Any suggestions?

Cheers,
Blondebier

 

[sleipnir214]

Since a SSL certificate is tied to a domain name, not an IP address, there is no technical reason why you can't use one cert on multiple machines. The actual installation varies by web server vendor, but it will involve copying both the originally-generated private key and the signed public key both to the second server.

However, by doing so you could run afoul of your signing authority's terms of use. For example, Verisign does not allow their least expensive certs to be used that way -- they require you to pay for a multi-server cert.


Want to ask the best questions? Read Eric S. Raymond's essay "How To Ask Questions The Smart Way". TANSTAAFL!