Let’s look at some common shared certificate configurations for an e-commerce trust infrastructure:

- Fail-safe backup: Redundant servers, not used simultaneously.
- Load balancing: Multiple sites with different common names on multiple servers.
- Load balancing: Multiple sites with the same common name on multiple servers.
- ISP shared SSL: One certificate issued to an ISP’s domain, used on multiple servers by multiple Web sites.
- Name-based virtual hosting: An ISP or Web Host provides each hosted customer with a unique domain name, such as customername.isp.com[1].

Fail-Safe Backup

Certificate sharing is permissible. However, when the backup server is not under the same control as the primary server, the private key cannot be adequately protected, and a separate certificate should be used for each server.

Load Balancing: Multiple Sites with Different Common Names

To prevent browsers from detecting that the URL of the site visited differs from the common name in the certificate, a different certificate should be used for each server/domain name combination. A different certificate should also be used to protect the security of private keys.

Load Balancing: Multiple Sites with the Same Common Name

Instead of jeopardizing private key functionality by copying the key for multiple servers, a different certificate should be used for each server. Each certificate may have the same common name and organizational name, but slightly different organizational unit values.

ISP Shared SSL

ISP shared SSL prevents site visitors from verifying that the site they are visiting is the same as the site protected by the certificate and listed in the certificate itself. Each site’s server should have its own certificate. Or, merchants must inform their customers that site encryption is provided by the ISP, not the merchant, and the ISP must guarantee the services of all the hosted companies whose sites use shared SSL.

Name-Based Virtual Hosting

If the same certificate is used for each domain name, browsers will indicate that the site domain name does not match the common name in the certificate. To solve this problem, a “wildcard” certificate of the form *.isp.com is required to properly serve the multi-hostname configuration without creating browser mismatch error messages.
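
The name matching behind the mismatch warnings described above, as an added example that is not part of the original article: a small Python check of which certificate name and hostname pairs a browser would flag. The hostnames are constructed (modeled on customername.isp.com), and the wildcard rule assumed is the RFC 6125 one, where * stands for exactly one leftmost label.

```python
# Added example: certificate-name vs. hostname matching, for auditing which
# deployments would produce a browser mismatch warning. All names below are
# constructed; the same comparison applies to subjectAltName DNS entries.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if hostname is covered by cert_name.

    Assumed wildcard rule (RFC 6125 style): '*' is honored only as the
    entire leftmost label and stands for exactly one label.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard never covers zero labels or several
    if cert_labels[0] == "*":
        if len(cert_labels) < 3:
            return False  # refuse over-broad names such as '*.com'
        return cert_labels[1:] == host_labels[1:]
    if "*" in cert_name:
        return False  # partial or non-leftmost wildcards are not honored here
    return cert_labels == host_labels


def audit(deployments):
    """deployments: iterable of (cert_name, served_hostname) pairs.
    Returns the pairs that would be flagged as a name mismatch."""
    return [(c, h) for c, h in deployments if not name_matches(c, h)]


# Constructed deployments mirroring the article's configurations.
SAMPLE = [
    ("www.isp.com", "customername.isp.com"),       # one cert reused for virtual hosts
    ("*.isp.com", "customername.isp.com"),         # wildcard certificate
    ("*.isp.com", "isp.com"),                      # bare domain is not covered
    ("*.isp.com", "shop.customername.isp.com"),    # two labels deep is not covered
    ("secure.isp.com", "www.merchant.example"),    # ISP shared SSL
    ("www.merchant.example", "www.merchant.example"),  # per-site certificate
]

if __name__ == "__main__":
    for cert, host in audit(SAMPLE):
        print(f"MISMATCH: cert={cert!r} host={host!r}")
```

Note that the wildcard certificate covers customername.isp.com but neither the bare isp.com nor deeper names, so those hosts still need their own certificates.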