[Users] SSL in cloned VEs

Gregor at HostGIS gregor at hostgis.com
Thu Jul 9 16:36:37 EDT 2009


> How does it work with VEs? If I install it on the VE before 
> cloning, will it work on the clone directly or will I need to reissue 
> certificate for each clone?

An invalid SSL certificate, even a self-signed or expired one, will 
still "work" as far as encrypting data. If you're talking internal use, 
and don't care about browser complaints, the SSL security is just fine 
even with an invalid certificate or non-matching hostname.

The concern is the browser complaining when the hostname doesn't match 
up, e.g. a certificate for https://clone-master.whatever.com/ is being 
presented by https://clone1.whatever.com/ so the browser will raise the 
"Invalid certificate" complaint. Your browser may let you "just accept 
it" but that may not be appropriate depending on your customers/users.

If you are concerned about the certificates being valid, or at least 
having the right hostname, it's best to generate them inside the VPS. 
Technically, you don't even need the container running: you can chroot 
and call openssl with appropriate arguments.

-- 
HostGIS, Open Source solutions for the global GIS community
Greg Allensworth - SysAdmin, Programmer, GIS Person, Security
Network+   Server+   A+   Security+
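
The chroot approach from the last paragraph above, as an added example that is not part of the original message: it checks whether the certificate a clone inherited covers the clone's own hostname and regenerates a self-signed one inside the VE's file tree only when it does not. The directory `/etc/ssl/ve-local`, the function names and the need for OpenSSL 1.1.1 or later (for `-addext`) are assumptions of this sketch; `VE_ROOT` is the path of the VE's root filesystem on the host.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and names are hypothetical.

# cert_matches_host CERT_PEM FQDN: exit 0 only if the cert is valid for FQDN.
# The text output is checked because older openssl builds exit 0 either way.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# gen_ve_cert VE_ROOT FQDN: write a new key and self-signed cert into the VE.
# As root, with openssl installed in the VE, it runs chrooted as the post
# suggests; otherwise the host's openssl writes into the same tree.
gen_ve_cert() {
    root=$1 fqdn=$2
    dir=/etc/ssl/ve-local                 # hypothetical location inside the VE
    mkdir -p "$root$dir" && chmod 700 "$root$dir" || return 1
    if [ "$(id -u)" -eq 0 ] && [ -x "$root/usr/bin/openssl" ]; then
        run="chroot $root openssl"; out=$dir
    else
        run="openssl"; out=$root$dir
    fi
    # umask keeps the private key unreadable to other users.
    ( umask 077
      $run req -x509 -newkey rsa:2048 -nodes -days 365 \
          -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
          -keyout "$out/server.key" -out "$out/server.crt" )
}

# refresh_clone_cert VE_ROOT FQDN: keep the cert if it already names this
# clone, otherwise replace it (which also gives the clone its own private key).
refresh_clone_cert() {
    crt="$1/etc/ssl/ve-local/server.crt"
    if [ -f "$crt" ] && cert_matches_host "$crt" "$2"; then
        echo kept
    else
        gen_ve_cert "$1" "$2" && echo regenerated
    fi
}
```

Called once per clone with the clone's own hostname, `refresh_clone_cert` prints `kept` or `regenerated`, so it can run unconditionally after cloning.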

