?
Solved

Basic SSL/Certificate question

Posted on 2004-08-04
2
Medium Priority
?
252 Views
Last Modified: 2010-04-11
Hi all,

Considering the following server config for a group based in Europe:
2 load balanced web servers
2 DB servers (1 live 1 backup)
2 File servers (1 live 1 backup)

Where all machines are hosted at the same ISP and will be accessed via the internet.  Some portions of the website will be free and others member only; (e.g., registration/login and web forms for users to input various data).   Data won't be financial but will be considered sensitive.

1. What is the best certificate config here?  Assuming the top level domain name is www.group.org, would I have a FQDN like secure.group.org?  In other words, users would access the site at http://www.group.org but as soon as they wanted to do any member specific stuff, (login or register, input data) should they be redirected to https://secure.group.org? 

2. Do I need certificates for all machines?

Is what I mentioned above atypical for a .org TLD?  

Thanks...


0
Comment
Question by:ara99
2 Comments
 
LVL 4

Accepted Solution

by:
syn_ack_fin earned 600 total points
ID: 11722771
1. From a naming standpoint, unless secure.group.org and www.group.org are different servers, there is no reason why you need to name the structure seperately. You can apply the cert to the site and secure individual directories via SSL. If you have a site sharing data with members and non-members alike, then most likely you will just have individual website directories protected with passwords and forced to SSL.

2. You would need a certificate for both web servers. Thoeretically, you can use the same cert for each server since they will have the same fully qualified name. Verisign wants you to purchase one for each of course. Here is a link to some info from them:
http://www.verisign.com/products-services/security-services/ssl/ssl-certificates/load-balancing.html

Good luck
0
 
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 400 total points
ID: 11729485
1. i.g it sounds more secure to have one certificate for each FQDN, but from the view of a user I'd recommend to have one cert for the whole domain group.org.
   On the other side, having the same cert for more than one server, each client should complain (warn you) if it does not match 100%. So all in all, we have a two edged sward.

2. see 1.

keep in mind that using SSL/TLS does not make your site secure. It just makes it a bit more restistant against man-in-the-middle attacks. Security must be built-in your web, application, file and database servers
0

Featured Post

Firewall Management 201 with Professor Wool

In this whiteboard video, Professor Wool highlights the challenges, benefits and trade-offs of utilizing zero-touch automation for security policy change management. Watch and Learn!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Still wondering grappling over to strengthen your password, worry no more. Choose a Strong Passphrase instead though second factor is highly recommended. Read on more on the how-to and tips to enhance your "password" using easier to remember passphr…
2017 was a scary year for cyber security.  Hear what our security experts say that hackers have in store for us in 2018.
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

598 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question