Hello,

On Tue, Jul 28, 2020 at 09:47:51AM +0100, Chris Bell via GLLUG wrote:
> Openssl makes it easier to create my own CA and issue certificates for local
> boxes with specified uses such as WWW and EMAIL, but I am not clear on the best
> approaches for multiple domains and boxes. I have dedicated individual boxes
> to use as web server, email gateway, and email server, and multiple boxes for
> each job to enable online backup and offline upgrades. Should individual
> certificates be created for individual boxes or should the same certificate be
> shared between all boxes allocated for each individual job?
I don't think TLS concerns itself with what particular piece of hardware is
involved; it's about what is terminating the TLS conversation for a given name.

If the conversation for foo.example.com could end up at any one of several
hosts then all hosts need the same TLS key material. If you're terminating the
conversation on a single load balancer with 20 hosts behind it but you're not
talking TLS between the load balancer and the hosts, then only the load
balancer needs the key material. If you have an active/passive pair of load
balancers to provide redundancy then both need the key material. And so on.

I create them with Let's Encrypt and have config management renew them and
push them out to where they need to be, so it doesn't really matter how many
there are.

If you had a web site on https://example.com/ I don't think you would be
wanting to call your mail server also example.com, so the question of whether
to share the key material doesn't arise. But let's say for argument's sake
that your mail server calls itself mail.example.com and you also have webmail
on https://mail.example.com/. Should those two things share the same key
material?

With config management it is almost as easy to have them have unique key
material as it is to have them share. For long-lived keys there is an argument
to have them be separate so as to have fewer copies that could be mislaid, but
in the Let's Encrypt age the certs are renewed every three months so that is
less of a concern.

There is also the question of whether to use a single wildcard cert for
everything under example.com. With frequent renewal I think you could argue
either way. I'd be more concerned about automation and only then think about
whether to use one or many or wildcard certs for the same name.

If the names are not valid outside your local network (e.g. you expect users
to connect to private DNS names like https://admin.mycorp/) then you can't use
Let's Encrypt and have to do your own CA, which does make things a lot more of
a faff.
I tend to argue for things being in the public DNS for this reason, as at
least then you can do ACME DNS-01.

Cheers,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting

-- 
GLLUG mailing list
GLLUG@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/gllug
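The private-CA case from the reply above, as an added worked example (this is not code from either poster; it is a small POSIX sh wrapper around openssl). It follows the reply's point that key material belongs to a name, not to a box: make_ca creates the CA once, issue_cert produces one key pair and certificate per service name (with optional extra SANs, e.g. a wildcard), and that one pair is what you copy to every host that terminates TLS for that name. verify_cert is the check a client would make. The CA name, the 90-day lifetime, the example.com names and the temp directory layout are all assumptions for illustration.

```shell
#!/bin/sh
# Added example: a private CA with openssl, one cert per *name*.
# CA name, lifetimes and example.com hostnames are illustrative assumptions.
set -eu

# make_ca DIR: create a private CA (RSA key + self-signed cert) in DIR.
# Clients on the local network must trust DIR/ca.crt for any of this to work.
make_ca() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME [ALTNAME...]: key + cert for one service name, signed by the CA.
# Whatever terminates TLS for NAME (one box, several boxes, an LB pair) gets
# DIR/NAME.key and DIR/NAME.crt; nothing is tied to a particular machine.
issue_cert() {
  dir="$1"; name="$2"; shift 2
  sans="DNS:$name"
  for alt in "$@"; do sans="$sans,DNS:$alt"; done

  # fresh key pair and CSR for this name
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$name" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null

  # extensions: modern clients match on subjectAltName, not the CN
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$sans" > "$dir/$name.ext"

  # short lifetime, in the spirit of the reply's "renew often" argument
  openssl x509 -req -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 90 -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
  rm -f "$dir/$name.csr" "$dir/$name.ext"
}

# verify_cert DIR NAME HOSTNAME: does DIR/NAME.crt chain to our CA and cover HOSTNAME?
# Exit status 0 on success, non-zero otherwise (the same check a client performs).
verify_cert() {
  openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1
}

# demo: CA plus a per-name cert and a wildcard cert, then the client-side checks.
demo() {
  d=$(mktemp -d)
  make_ca "$d"
  issue_cert "$d" mail.example.com
  issue_cert "$d" wild.example.com '*.example.com'
  verify_cert "$d" mail.example.com mail.example.com && echo "mail.example.com: ok"
  verify_cert "$d" mail.example.com www.example.com  || echo "mail cert does not cover www: expected"
  verify_cert "$d" wild.example.com www.example.com  && echo "wildcard covers www.example.com: ok"
  ls "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh ca.sh demo`. Note what this does not give you: any host that holds mail.example.com.key can impersonate that name to every client trusting ca.crt, which is the reply's "fewer copies that could be mislaid" concern, and the only way to limit the damage from a lost copy is the short lifetime plus automated reissue that the reply recommends.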