SSL certificates – can they be used on more than one server

ssl

I have many websites all scattered on different IIS servers but they all accessible via sitename.example.co.uk. i.e. site1.example.co.uk

Btw this is only an example so I can get to grips with SSL certificates hence they're all self-signed via the following process

Create my own CA
Generate key and csr
then generate signed certificate

http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/

The resultant certificate of step 3 is assigned to *.example.co.uk. Can that be used on multiple servers, or do I have create a new certificate + key for each server despite them matching the domain on the certificate?

Best Answer

The certificate is a third-party-signed public key, and can be used by anyone with the corresponding private key. So as long as you give each server the matching private key, it can use the certificate.

But if you're making your own CA, why bother? You can mint certificates for each server and they will be no less (nor any more) trusted than the one private-CA-signed certificate you're proposing to use everywhere, and you'll have less of a problem with keeping a single private key secure through distribution to, and use on, many endpoints.

Related Solutions

Ssl – XCA Signing Problem

You need to create a CA certificate and use it for signing the CSR. The private key of the CSR remains on the Sun Webserver.

MySQL Connection Issue – Can’t Connect Using Self-Signed SSL

Yes, you are correct that if you don't specify --ssl-ca then the client does not check the server certificate at all. Since it works without that option the most likely reason for the failure is that the client doesn't trust the server certificate.

If you are using self-signed client and server certificates then the ca.cert file should include both these files. That way the client will trust the server certificate and the server will trust the client certificate.

For example:
Generate the server key and certificate:

$ openssl req -x509 -newkey rsa:1024 \
         -keyout server-key-enc.pem -out server-cert.pem \
         -subj '/DC=com/DC=example/CN=server' -passout pass:qwerty

$ openssl rsa -in server-key-enc.pem -out server-key.pem \
         -passin pass:qwerty -passout pass:

Generate the client key and certificate:

$ openssl req -x509 -newkey rsa:1024 \
         -keyout client-key-enc.pem -out client-cert.pem \
         -subj '/DC=com/DC=example/CN=client' -passout pass:qwerty

$ openssl rsa -in client-key-enc.pem -out client-key.pem \
         -passin pass:qwerty -passout pass:

Combine the client and server certificates into the CA certificates file:

$ cat server-cert.pem client-cert.pem > ca.pem

Best Answer

Related Solutions

Ssl – XCA Signing Problem

MySQL Connection Issue – Can’t Connect Using Self-Signed SSL

Related Topic