Reputation: 617
I have a web app which requires fairly stringent security. I already have a reasonably secure solution stack, including Cloudflare, HAProxy and ModSecurity. I'm getting close to getting my Dev environment ready for testing before I build out my Staging and Production environments.
I was keen to use a Cloudflare Origin SSL cert on my Load Balancer and Web Server but I've struck an issue.
I was keen to achieve Full (Strict) crypto via Cloudflare, which means Cloudflare will validate the cert on each request. So I wanted to use a Cloudflare Origin cert in order to do so, but it looks like I can use a Cloudflare Origin cert on my Load Balancer only, because it's designed for Cloudflare-to-origin data flow only, which would leave me having to buy a cert from a CA for my web server(s).
That's three SSL certs to cover the three SSL termination points:
End User --> Cloudflare (via Dedicated cert)
Cloudflare --> Load Balancer
Load Balancer --> Web Server
I tried installing the Origin cert on the Web Server, but it was unable to verify the validity of that cert. I've even updated OpenSSL to the latest stable release (v1.1.1b) to ensure I can prepare for TLS 1.3.
So I can only think of two possible approaches:
End User --> Cloudflare (via Dedicated cert)
Cloudflare --> Load Balancer (via Cloudflare Origin cert)
Load Balancer --> Web Server (via DigiCert cert)
or
End User --> Cloudflare (via Dedicated cert)
Cloudflare --> Load Balancer (via DigiCert cert)
Load Balancer --> Web Server (via DigiCert cert)
I would appreciate anyone highlighting if I've missed anything important.
Upvotes: 0
Views: 219
Reputation: 94038
Certs commonly contain the web server's DNS name as the "common name". You need to make things compatible with that; that indeed means either installing an additional trust point on your load balancer or getting a "real" certificate.
Generally your end points can use a single certificate to identify themselves. The problem is that currently you are using certificates for which no trust chain can be built at the various end points. You can of course solve this by buying a cert for which a chain can be built (e.g. from a commercial CA). You can, however, generally also update the trust store to include additional certificates, so that a chain of trust can be built. In that case you can use your own certificates; it is your infrastructure after all.
What you don't want to do is use the leaf certificates on multiple machines, as that would imply that you copy the private key to more machines. The security of the machines should be separate, so if you start copying PKCS#12 files you might want to rethink your key management solution (and if you don't have an explicit KM solution, then this would be the right time).
Upvotes: 1