Score:0

Copy SSL certs between hosts

cn flag
TSG

I have 2 hosts (h1 and h2) where h2 takes over services if h1 fails. The hostnames are unique, they have different MAC addresses, and each has one unique IP and one shared IP (moved between hosts on failover).

Is it possible to share SSL certificates between the hosts? That way, up/downstream devices that look for TLS-protected services think they are connecting to the same host as before (pre-failover)?

Or is there something in these certificates that's tied to the hardware and will refuse to operate properly if they are moved to a new host?

Steffen Ullrich avatar
se flag
Does this answer your question? [SSL certificates - can they be used on more than one server](https://serverfault.com/questions/764891/ssl-certificates-can-they-be-used-on-more-than-one-server), [Using an SSL certificate in multiple locations](https://serverfault.com/questions/495771/using-an-ssl-certificate-in-multiple-locations).
Score:2
ar flag

Yes, you can copy the certificates and private keys. They're plain files, not bound to any hardware.

If you copy them, you should take care that you transmit them only in encrypted form, and take care to ensure that they're not accessible to unwanted third parties.

Another alternative is to issue different, but valid, certificates for each host. Nothing stops you from requesting duplicate certificates from e.g. Let's Encrypt.

mfinni avatar
cn flag
To add on to this - the servers will need to have the private key that goes with the cert, ensure that whatever process you're using does that.
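As an added example, not code from this thread, here is a POSIX shell script that does what the answer above and this comment describe: check that the private key really is the other half of the certificate before relying on it on the standby, stage the pair with the key readable only by root, and push it to the peer over SSH so it is encrypted in transit. The peer name `h2`, the file names `h1.crt`/`h1.key`, and the `/etc/ssl/certs` and `/etc/ssl/private` layout are assumptions; the key and certificate it runs on are throwaway material generated inside the script.

```shell
#!/bin/sh
# Added example (not from the original thread): copy a TLS cert + private key
# between h1 and h2 safely and prove the key matches the cert before failover.
# Host names, file names and the /etc/ssl/{certs,private} paths are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Print a SHA-256 fingerprint of the public key embedded in a PEM certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# Print a SHA-256 fingerprint of the public key derived from a PEM private key.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# cert_key_match CERT KEY: succeed only if KEY is the private half of CERT.
# A cert copied without its matching key is useless to the standby.
cert_key_match() {
  if [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; then
    return 0
  fi
  return 1
}

# stage_bundle CERT KEY DESTDIR: lay the pair out the way /etc/ssl is usually
# organised, with the private key directory and file restricted to the owner.
stage_bundle() {
  cert=$1; key=$2; dest=$3
  mkdir -p "$dest/certs" "$dest/private"
  chmod 0700 "$dest/private"
  install -m 0644 "$cert" "$dest/certs/$(basename "$cert")"
  install -m 0600 "$key"  "$dest/private/$(basename "$key")"
}

# key_mode FILE: permission string as shown by ls (e.g. -rw-------).
key_mode() { ls -ld "$1" | cut -c1-10; }

# push_bundle PEER CERT KEY: move the pair to the standby over SSH (encrypted
# in transit) and lock the key down on arrival. Not run in this demo: it needs
# SSH access to the peer, assumed to be reachable as "h2".
push_bundle() {
  peer=$1; cert=$2; key=$3
  scp -p "$cert" "$peer:/etc/ssl/certs/"
  scp -p "$key"  "$peer:/etc/ssl/private/"
  ssh "$peer" "chmod 0600 /etc/ssl/private/$(basename "$key") && \
               chown root:root /etc/ssl/private/$(basename "$key")"
}

# make_test_pair: constructed throwaway key + self-signed cert for the demo.
# A real deployment copies the CA-issued cert (and chain) instead.
make_test_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=shared.example" \
    -keyout "$WORK/h1.key" -out "$WORK/h1.crt" >/dev/null 2>&1
}

# Demo run on the constructed material.
make_test_pair
cert_key_match "$WORK/h1.crt" "$WORK/h1.key" && echo "h1.crt and h1.key belong together"
stage_bundle "$WORK/h1.crt" "$WORK/h1.key" "$WORK/staging"
echo "staged key mode: $(key_mode "$WORK/staging/private/h1.key")"
# On h1, once SSH to h2 works:
# push_bundle h2 "$WORK/staging/certs/h1.crt" "$WORK/staging/private/h1.key"
```

The fingerprint comparison works for RSA, ECDSA and Ed25519 keys alike because it compares the public keys rather than an RSA-only modulus; run `cert_key_match` on h2 after the copy as well, since a truncated or wrong file is the most common failover surprise. Keep any intermediate chain file next to the certificate; it is public and needs no special handling.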
TSG avatar
cn flag
TSG
I believe that /etc/ssl/certs and /etc/ssl/private hold the certificates for the machine. But where is the private key for the machine? (User certs are in ~/.ssh I believe)
dave_thompson_085 avatar
jp flag
nit: unless you use HSM(s) which is not very common for SSL/TLS though it is often possible. @TSG: different OSes and server programs and configurations can use many different files for cert&key, but something named /etc/ssl/private is _probably_ privatekey(s). ~/.ssh is only used for SSH which is completely different and separate from SSL/TLS and normally does not use any certificates, only keys (the _privatekeys_ are similar to the keys used in SSL/TLS)
vidarlo avatar
ar flag
And if you're using HSMs you're probably aware of your design choice.