Load balanced HTTPS servers ... single or multiple server certificates?

I have multiple servers running httpd, and they have a common inbound
NAT'd address, but of course different internal / private IP addresses.

If I were to serve web documents via https, can I just generate a snigle
certificate request and apply the single certificate that I would
receive ( say from Verisign ) to multiple hosts ?

Or assuming I made individual certificate requests from each host, and
received 2 certificates ... and then one of the hosts were replaced by a
new machine ... can I "copy" the server certificate from the the machine
that went down to the new replacement ?

noone wrote:
> I have multiple servers running httpd, and they have a common inbound

> NAT'd address, but of course different internal / private IP
addresses.
>
> If I were to serve web documents via https, can I just generate a
snigle
> certificate request and apply the single certificate that I would
> receive ( say from Verisign ) to multiple hosts ?

SSL certs are issued to fully qualified domain names, say
www.mysite.com. The cert would not be valid for any other FQDN, even
subdimains of www.mysite.com. There exist "wildcard" certs that allow
you to use a cert within subdomains of particular domain, i.e.
*.mysite.com. For your situation, however, only 1 cert will be needed,
since your webservers are referenced by the same FQDN (the domain name
of your gateway, or whatever the domain name of your site happens to
be).

> Or assuming I made individual certificate requests from each host,
and
> received 2 certificates ... and then one of the hosts were replaced
by a
> new machine ... can I "copy" the server certificate from the the
machine
> that went down to the new replacement ?

Yes, you can transfer the cert to another box, assuming the new box has
the same FQDN as the old one.

-dave

> SSL certs are issued to fully qualified domain names, say
> www.mysite.com. The cert would not be valid for any other FQDN, even
> subdimains of www.mysite.com. There exist "wildcard" certs that allow
> you to use a cert within subdomains of particular domain, i.e.
> *.mysite.com. For your situation, however, only 1 cert will be needed,

What "big name" (who's ca cert ships with most browsers) cert providers can
you recommend that sell wildcard certs?

Thanks!

dave windsor wrote:
> noone wrote:
>
>>I have multiple servers running httpd, and they have a common inbound
>
>
>>NAT'd address, but of course different internal / private IP
>
> addresses.
>
>>If I were to serve web documents via https, can I just generate a
>
> snigle
>
>>certificate request and apply the single certificate that I would
>>receive ( say from Verisign ) to multiple hosts ?
>
>
> SSL certs are issued to fully qualified domain names, say
> www.mysite.com. The cert would not be valid for any other FQDN, even
> subdimains of www.mysite.com. There exist "wildcard" certs that allow
> you to use a cert within subdomains of particular domain, i.e.
> *.mysite.com. For your situation, however, only 1 cert will be needed,
> since your webservers are referenced by the same FQDN (the domain name
> of your gateway, or whatever the domain name of your site happens to
> be).
>

Ah! ... yet Verisign told me that I need to buy 2 certificates ... and
so we did and for a time now have 2 certificates with the same public
FQDN. Each was generated by different certificat requests, generated
from each host. I'll give it a try.