SSL certificate installation to establish SSL connectivity between 2 servers

ssl, ssl-certificate

I want to establish SSL connectivity between 2 servers, and I understood that I need to install the SSL certificate of server A into server B's Java keystore and vice versa, so that server A can call the HTTPS URL of server B and vice versa.

But below are questions for which I couldn't find answers:

  • If server A wants to call the HTTPS URL of server B, is it then necessary to install the SSL certificate of server B, or, if the CA certificate that signed server B's certificate is present in my Java keystore, is there no need to install server B's certificate? I think that finally the signing CA's certificate is checked, and if it is present in my keystore then all is well.
  • I have an infrastructure configuration like this: LB -> Apache -> WL. Now, suppose SSL termination is happening at Apache, and then Apache is reverse proxying to WebLogic, so it is calling the HTTPS URL of WL. I know that I can specify Apache's SSL certificate using the SSLCertificateFile directive, but how would the SSL certificate of WL be validated at Apache's end, given that Apache doesn't have any keystore like the Java keystore?

Best Answer

If server A calls server B, then server B's certificate should be either

  • in A's keystore
  • signed by a CA certificate that is in A's keystore
  • signed by an intermediate certificate that is signed by a CA certificate that is in A's keystore. If you do this then server B must also provide the intermediate certificate during negotiation.
  • as above with more and more intermediate certificates.

I assume we are talking about communication between your own machines, and not client browsers you don't control.

If you have hundreds of machines you may find some advantages to using an intermediate certificate, if not just distribute your own CA certificate to your keystores. This lets you change certificates without having to modify the keystores on all the clients.

As for your second question, if you really want to use SSL between your reverse proxy and your WL back-end, look at Apache ProxyPassReverse and https for general syntax and https://httpd.apache.org/docs/current/mod/mod_ssl.html#SSLProxyCACertificateFile for specifying the CAs that the proxy will consider from its upstream.
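As an added illustration of the trust cases listed in the answer (this script is not part of the original answer): it builds a throwaway root CA, an intermediate and two server-B certificates with openssl, then checks each one against a trust store that holds only the root, which is the situation of a Java keystore containing just your own CA. The `-untrusted` file stands in for the intermediate that server B sends during the handshake; all names and paths are constructed for the demo and it assumes openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example: a throwaway PKI built with openssl to show which certificate
# server A actually needs in its trust store. All names and paths are made up.
WORK=${WORK:-$(mktemp -d)}
# Key pair plus CSR for one subject: $1 = file basename, $2 = CN.
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

build_pki() {
  # Extensions every CA certificate needs to be allowed to sign others.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$WORK/ca.ext"
  # Root CA (self-signed): the only certificate server A's keystore needs.
  new_key_and_csr ca "Demo Root CA"
  openssl x509 -req -days 30 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  new_key_and_csr inter "Demo Intermediate CA"
  openssl x509 -req -days 30 -in "$WORK/inter.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.pem" 2>/dev/null
  # Server B, variant 1: leaf signed directly by the root.
  new_key_and_csr b1 "serverB-direct"
  openssl x509 -req -days 30 -in "$WORK/b1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/b1.pem" 2>/dev/null
  # Server B, variant 2: leaf signed by the intermediate.
  new_key_and_csr b2 "serverB-via-intermediate"
  openssl x509 -req -days 30 -in "$WORK/b2.csr" -CA "$WORK/inter.pem" \
    -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/b2.pem" 2>/dev/null
}
# check TRUSTSTORE LEAF [CHAIN]: prints "ok" if LEAF chains up to TRUSTSTORE.
# CHAIN is the intermediate server B would send in the handshake; it is passed
# as -untrusted because the client does not trust it by itself.
check() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi && echo ok || echo fail
}

demo() {
  build_pki
  echo "leaf signed by root, root in store:           $(check "$WORK/ca.pem" "$WORK/b1.pem")"
  echo "leaf via intermediate, chain not sent:        $(check "$WORK/ca.pem" "$WORK/b2.pem")"
  echo "leaf via intermediate, intermediate sent too: $(check "$WORK/ca.pem" "$WORK/b2.pem" "$WORK/inter.pem")"
}
demo
```

The middle case is the one that bites in practice: the root is trusted, the leaf is valid, yet validation fails because the intermediate was never presented, so server B has to be configured to send its full chain.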