Layer7 API Management


how to present one cert chain to the world - ok folks my tiny brain is having trouble with multiple data centers and hardware appliance

  • 1.  how to present one cert chain to the world - ok folks my tiny brain is having trouble with multiple data centers and hardware appliance

    Posted Jul 06, 2016 09:04 PM

    Tonight's brainteaser ... 3 geographically separated data centers with ssg clusters (centres if you're from the UK?). I could have multiple private keys and multiple listen ports, so I could have just one CSR? But I ask myself, is there not a tie-in between the main SSL key and the hardware itself ... and if so, how does everyone else pull this off ... and avoid the fact that each zone will need a separate CSR .... or not, as the case may be ... I'm tired ... any answers welcome



  • 2.  Re: how to present one cert chain to the world - ok folks my tiny brain is having trouble with multiple data centers and hardware appliance
    Best Answer

    Broadcom Employee
    Posted Jul 06, 2016 09:28 PM

    Tom,


    The only time that generating keys can create an issue with sharing and moving them between clusters is when an HSM is involved with strict FIPS mode. This will not allow the keys to be exported/imported through the Policy Manager, so key data needs to be manually moved between clusters. When an HSM is not involved, creating a key on one cluster, then creating a CSR to be signed by a CA, either internal or through a provider (Entrust, Verisign, etc.), and then updating the certificate chain is straightforward through the Manage Private Key menu option. Once the key, chain, and certificate have been combined, the bundle can be exported into a p12 bundle using the Export Key button on the properties page of the private key in Manage Private Keys. This p12 file can then be imported into any cluster and linked to a listen port. The p12 bundle can be created outside the Policy Manager and imported into the cluster as well.


    Sincerely,


    Stephen Hughes

    Director, CA Support
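The "create the p12 bundle outside the Policy Manager" path from the answer above, as an added example that is not part of the original thread: one key and one CSR, signed by a constructed test CA standing in for the internal or commercial CA, packed with its chain into a single PKCS#12 file and verified before it is imported into each cluster's listen port. It assumes `openssl` is on the PATH; the hostname, CA name, file names and password are made-up placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): build a PKCS#12 bundle
# outside the Policy Manager from one private key, its CA-signed cert and
# the issuing chain, then verify the chain before shipping the bundle.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Constructed test CA standing in for the internal or commercial CA.
make_test_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Test CA" 2>/dev/null
}

# One key and one CSR for the hostname shared by every data center
# (placeholder name).
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/gateway.key" -out "$WORK/gateway.csr" \
    -subj "/CN=api.example.test" 2>/dev/null
}

# The CA signs the CSR once; the same leaf cert is reused everywhere.
sign_csr() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/gateway.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/gateway.crt" 2>/dev/null
}

# Key + leaf cert + chain -> one .p12 that any cluster's listen port can use.
# -certfile carries the issuing chain so the gateway presents it to clients;
# the password is a placeholder.
build_p12() {
  openssl pkcs12 -export -inkey "$WORK/gateway.key" -in "$WORK/gateway.crt" \
    -certfile "$WORK/ca.crt" -name "gateway-ssl" \
    -passout pass:changeit -out "$WORK/gateway.p12"
}

# Sanity check before the bundle travels between clusters: the leaf inside
# the p12 must chain to the CA that was bundled with it (exit status 0 and
# an "OK" line when it does).
verify_p12() {
  openssl pkcs12 -in "$WORK/gateway.p12" -passin pass:changeit -nokeys \
    -clcerts 2>/dev/null | openssl verify -CAfile "$WORK/ca.crt" 2>/dev/null
}
```

Run `make_test_ca; make_key_and_csr; sign_csr; build_p12; verify_p12` and import `$WORK/gateway.p12` into each cluster; only the file and its password travel, so the key is identical in every data center.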



  • 3.  Re: how to present one cert chain to the world - ok folks my tiny brain is having trouble with multiple data centers and hardware appliance

    Posted Jul 08, 2016 11:09 PM

    Thanks Stephen - just an observation. I noticed last year, in a cluster setup with support (Eric), that if the very first key that is created is ever removed, then about two weeks later the cluster fails, and when you check the logs you get a license failure, whereas if the key is kept hanging around, even if it's unused, then the cluster never fails. This might be an unrelated coincidental observation and indeed untrue, but I don't throw away the original key now, just in case ...