Hi all,

We are building a new website and the site will serve both SSL and
non-SSL pages. We have two webservers and we have a hardware load
balancer to route the traffic to one of the web servers. The site is
www.xyz.com, and the two web servers' hostnames are, say, A and B.

Now, I am wondering on which CN I have to take the SSL certificate:
www.xyz.com, or A.xyz.com and B.xyz.com? If it is www.xyz.com, can I
take only ONE certificate and use it on both?

regards,
Rajidhar Etta
eComServer Inc.
609.951.8500 (x 192)
609.203.3697 (Cell)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mads Toftum
Sent: Wednesday, August 22, 2001 5:03 PM
To: [EMAIL PROTECTED]
Subject: Re: newbie question about SSL certificates and hostname

On Wed, Aug 22, 2001 at 10:57:12AM -0700, Kory Hamzeh wrote:
>
> Meanwhile, we're bringing up a new site on a new machine that is going to be
> running SSL. I'll call this machine store.domain.com. Once we get
> store.domain.com fully functional, we'll bring down www.domain.com and make
> store.domain.com available. The problem is that when I apply for a
> certificate for the new machine, I have to give it a FQDN as the Command
> Name. If I use www.domain.com, we can't do any testing beforehand. If I use
> store.domain.com, I can't rename the host to www.domain.com.

Get a certificate for www.domain.com - as long as you're testing with
this cert on store.domain.com browsers will complain about a server
name mismatch and mod_ssl will warn you - alternatively you could just
create your own test cert for store.domain.com ...
use: make certificate TYPE=custom when installing mod_ssl or see
the FAQ list about certificates:
http://www.modssl.org/docs/2.8/ssl_faq.html

>
> The only way around this, I think, is to leave store.domain.com as is, and
> when we bring down www.domain.com, add a CNAME to the DNS record to map
> www.domain.com to store.domain.com. Is this a correct way of doing this?
> Will this result in any problems down the road.
>

This is not really a great idea with cnames and certs - with two
different names for the same ip, then at least one of them won't match
the FQDN in your cert.

vh

Mads Toftum
--
With a rubber duck, one's never alone.
              -- "The Hitchhiker's Guide to the Galaxy"
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
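
Added example (not part of the original thread and not mod_ssl code): a small model of the client-side name check behind the mismatch warnings discussed above, run against the thread's CNAME and load-balancer scenarios. The DNS records and certificate assignments are constructed, the function names are hypothetical, and the left-most wildcard rule goes beyond what the thread discusses.

```python
# Added illustration, not from the thread: a client compares the certificate
# name with the hostname it asked for. All data below is constructed.

def name_matches(cert_name, requested):
    """Case-insensitive match; '*' may replace only the whole left-most label."""
    c = cert_name.lower().rstrip(".").split(".")
    r = requested.lower().rstrip(".").split(".")
    if len(c) != len(r) or "" in r:
        return False
    if c[0] == "*":
        return len(c) > 2 and c[1:] == r[1:]
    return c == r

def resolve(host, cnames):
    """Follow constructed CNAME records to the canonical name (loop-safe)."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host

def browser_check(requested, cnames, served_cn):
    """Return (host actually reached, certificate accepted?).
    served_cn maps each canonical host to the CN of the cert installed on it.
    The comparison uses the requested name, never the CNAME target."""
    target = resolve(requested, cnames)
    return target, name_matches(served_cn[target], requested)

# Hypothetical DNS for the thread's second scenario: www is an alias of store.
CNAMES = {"www.domain.com": "store.domain.com"}

if __name__ == "__main__":
    for cn in ("store.domain.com", "www.domain.com"):
        for asked in ("www.domain.com", "store.domain.com"):
            reached, ok = browser_check(asked, CNAMES, {"store.domain.com": cn})
            print(f"cert CN={cn:17} asked={asked:17} reached={reached} ok={ok}")
    # First scenario: one cert with CN=www.xyz.com installed on backends A and B.
    for asked in ("www.xyz.com", "a.xyz.com", "b.xyz.com"):
        print(asked, name_matches("www.xyz.com", asked))
```
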