CSR, SSL and load balancers?

Question

do I need to generate a CSR on the load balancer or on the individual servers?

score 4 · Accepted Answer · answered May 18 '10 at 13:43

4

You can generate the CSR anywhere. The certificate generated will need to be in a format that the device using it can utilize. Typically, that will be PEM.

answered May 18 '10 at 13:43

Warner

23,756
2
59
69

score 1 · Answer 2 · answered May 19 '10 at 06:08

CSR is a bunch info (like DN, expiration dates, CommonName) in addition to Public Key. Download openssl library and do the tricks mentioned here.

http://www.rapidssl.com/ssl-certificate-support/generate-csr/apache_mod_ssl.htm

Once ya get the cert, make sure you copy the private key, cert, along with the CA cert (or create a chain cert), since custom applicatins don't often update their root certs.

score 0 · Answer 3 · answered May 18 '10 at 11:42

0

Depends on whether you'll be terminating SSL on the load balancer or web servers...

In general, if your load balancer can handle it, then better to do it all there and take the load off the web servers. Also it allows quicker deployment of new servers as it's one less step to worry about.

Having said that, once you have your private key and ssl cert from the provider, you can back these up and use them wherever you like (on LBs or servers), so you won't be tied to one method or the other permanently.

answered May 18 '10 at 11:42

Robbo

69
3

What? They're asking about the certificate request. – Warner May 18 '10 at 13:42
Yes, and I added some relevant thoughts around using load balancers for SSL termination and finished by saying what you did. – Robbo May 18 '10 at 15:59
I didn't down-vote you, I rarely down-vote. CSR != CRT. See: http://en.wikipedia.org/wiki/Certificate_signing_request – Warner May 18 '10 at 16:09

CSR, SSL and load balancers?

3 Answers3