
Re: Load balancer and Security Certificates



----- "Tim Ross" <tross@calpoly.edu> wrote:


> Have any of you dealt with this issue and found the magic combination
> or setting?  We are considering perhaps a virtual host on the
> mailstores that would tell the box that it should respond to
> example.calpoly.edu requests.  Another possibility was putting
> example.calpoly.edu in the "Subject Alternative Name" field on the CSR
> we generate for the Thawte cert.
> 

We faced this exact problem and after much fighting with it, decided to try out a wildcard cert from DigiCert. Works like a charm. We now have a "*.sfu.ca" cert and we just use that one cert everywhere. We have been gradually replacing some of our other expiring Thawte certs with the wildcard cert as well, and it's been working really well. At $500, it pays for itself pretty quickly, too.

I think the only OS we encountered that didn't like the cert "out of the box" is Windows Mobile. With WM6, it was fairly easy to import the cert as a trusted cert, which then solved the problem.

(I'm told that the DigiCert website contains specific info for configuring an F5 to use their wildcard certs.)


-- 
Steve Hillman                                IT Architect
hillman@sfu.ca                               IT Infrastructure
778-782-3960                                 Simon Fraser University
Sent from Zimbra