SSL – How to get self-signed certificates working for server-to-server communications

Tags: certificate, ssl

I have software that connects two applications – one that runs on Windows Server 2008 and another that runs on Linux/CentOS. The Windows app runs within IIS and ASP.NET. The Linux/CentOS app runs within Apache and Tomcat. These are web-based apps and they need to talk to each other in a server-to-server fashion over HTTPS.

I know that if I use a Certificate Authority (CA) for the SSL certificates, then there tends to be no problem getting this communication to work. I also know that if I use self-signed certificates – or don't use a CA – then I tend to have problems.

Is there a way to get Apache/Tomcat to trust a self-signed cert used by IIS/ASP.NET and vice versa? What are the steps to do this?

Are there tools out there that could be used to verify that this has been set up properly? I assume that running a browser on one server and hitting the other server is not a sufficient test.

Best Answer

There is no way of setting up self-signed certificates properly, because self-signed certificates have no role in proper SSL communication.

Set up your own CA and you'll be good to go. If your Windows server doesn't already have a built-in CA, there are many documents out there about this. As a starting point, you could use the EasyRSA CA that is included with OpenVPN.
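The answer's recommendation (run your own CA instead of trusting bare self-signed leaf certificates) and the question's request for a way to verify the setup can both be shown with plain `openssl`. The script below is an added example, not part of the original post and not taken from EasyRSA or any project: it creates one self-signed root CA, issues a server certificate for each host from that CA with a `subjectAltName`, and then checks with `openssl verify` that the CA-issued certificate chains correctly while a standalone self-signed certificate does not. The hostnames, the working directory and the subject names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a tiny private CA with
# openssl and shows why a CA-issued leaf verifies while a bare self-signed
# leaf does not. All names and paths below are constructed placeholders.
set -eu

# Scratch directory for keys and certificates (constructed; override with WORK=...)
WORK="${WORK:-$(mktemp -d)}"

# Create the root CA. This is the only self-signed certificate in the design;
# it is the trust anchor that both servers will import.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Private Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue a server certificate for $1 (a hostname), signed by the CA.
# The SAN entry is what modern clients match against the hostname; the
# CN alone is not enough. Validity is kept under 825 days for browser
# compatibility.
issue_server_cert() {
  host="$1"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$host" > "$WORK/$host.ext"
  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/$host.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$host.ext" -out "$WORK/$host.crt" 2>/dev/null
}

# Create the kind of certificate the question asks about: a leaf that signs
# itself and has no issuer in any trust store.
make_standalone_selfsigned() {
  host="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.crt" 2>/dev/null
}

# Offline check of the chain: exit 0 when $1.crt chains to ca.crt, non-zero
# otherwise. This is the same trust decision a TLS client makes.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Demo run: CA-issued cert verifies, standalone self-signed cert does not.
demo() {
  make_ca
  issue_server_cert win-app.example.test
  make_standalone_selfsigned linux-app.example.test
  if verify_chain win-app.example.test; then
    echo "win-app.example.test: chains to private CA (OK)"
  fi
  if ! verify_chain linux-app.example.test; then
    echo "linux-app.example.test: self-signed, no trusted issuer (rejected)"
  fi
  echo "artifacts in $WORK"
}

case "${1:-}" in
  demo) demo ;;
esac
```

Run it with `sh make_ca.sh demo`. In the deployment the question describes, `ca.crt` is what gets imported into the Windows trusted root store and into the Java truststore that Tomcat uses, and each server is given its own `<host>.key`/`<host>.crt` pair; the CA private key stays offline. For an end-to-end check once a server is listening, `openssl s_client -connect other-host:443 -CAfile ca.crt` performs the real handshake and prints `Verify return code: 0 (ok)` only when the presented chain validates against that CA, which is the tool-based test the question asks for.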