Multiple SSL certificates vs Single certificate


rajs
04-13-2005, 17:53
Hi all,
We have multiple IS servers in our environment. We can install the same server certificate on all the servers (.xyz.com) or have separate certs (a.xyz.com, b.xyz.com, etc.) on each server.

What is your approach, and your opinion on the downside/upside of each approach?

Thanks in advance
Raj

tcrumbley
04-13-2005, 18:17
Rajeev,

The answer is "it depends."

If you have inbound clients connecting to reverse invoke servers through a load balancer, it's useful to have them present the same cert. Some platforms check the URL against the name on the cert via a simple string compare, so an attempt to load http://a.xyz.com:5555 would fail for an xyz.com cert. So, it depends on the client platform, and how many different hostnames would be used. It's kind of a stupid check, as something as simple as using an IP instead of a hostname will cause it to fail, but it's something you might have to deal with.

Tate
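
The name check described in the post above, as an added example that is not part of the original thread and is not code from any poster or product. The function names and the 192.0.2.10 address are assumptions made up for illustration, and the wildcard case (a `*` covering exactly one left-most label) goes beyond what the thread discusses.

```python
import ipaddress
from urllib.parse import urlsplit


def is_ip(host):
    """True when the requested host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(cert_name, host):
    """Compare one DNS name from a certificate with the host the client asked for."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if is_ip(host):
        return False  # a DNS name on the cert never matches an IP literal
    c_labels = cert_name.split(".")
    h_labels = host.split(".")
    if len(c_labels) != len(h_labels):
        return False  # xyz.com does not cover a.xyz.com
    if c_labels[0] == "*":
        # Wildcard stands for exactly one left-most label, never a bare suffix.
        return len(c_labels) >= 3 and c_labels[1:] == h_labels[1:]
    return c_labels == h_labels


def cert_covers(cert_dns_names, url):
    """Would a client requesting `url` accept a cert carrying these DNS names?"""
    host = urlsplit(url).hostname
    return host is not None and any(name_matches(n, host) for n in cert_dns_names)


if __name__ == "__main__":
    # Constructed cases; hostnames follow the ones used in the thread.
    cases = [
        (["xyz.com"], "http://a.xyz.com:5555"),
        (["b2b.xyz.com"], "https://b2b.xyz.com:443/"),
        (["b2b.xyz.com"], "https://192.0.2.10:443/"),
        (["*.xyz.com"], "https://a.xyz.com:5555/"),
        (["*.xyz.com"], "https://a.b.xyz.com/"),
    ]
    for names, url in cases:
        print(names, url, "->", "match" if cert_covers(names, url) else "mismatch")
```
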

rajs
04-14-2005, 06:23
Tate,
Thanks for the response. In our case there is a load balancer in front of the 3 IS. The clients are connecting through the load balancer and not directly to the IS.

In such a case I believe 1 cert should suffice? Please comment.

Thank you,
Raj

tcrumbley
04-14-2005, 11:06
Raj,

Usually in the structure you've outlined, the contact point will have a name like b2b.xyz.com and the IS's will have other names. In that case, a customer will post to https://b2b.xyz.com:443/ and you'll want each server to respond with a single cert for b2b.xyz.com.

Hope this helps,
Tate

pparker (Unregistered Guest)
04-23-2005, 05:06
If I have a load balancer fronting 2 IS servers in a cluster, what are the general steps if I want to use one server cert? Do I install that same cert on both ISs as well as the h/w load balancer?