How many CA certificates are required to set up SSL with ALM and Performance Center?
Four ALM servers behind a VIP
Two Performance Center servers
Nine Controller servers
87 Load Generator servers
My company’s Certificate Authority Group said we need to create one certificate per server. Previous tickets/discussions with MF/HP have produced different answers:
- one certificate for all servers
- one for the ALM servers & one for Performance Center servers (not hosts)
- one for ALM, one for the PC servers and another for the Hosts.
Any assistance would be appreciated.
In the answer below I assume you were referring to server / client certificates, as the CA certificate will probably be one.
In general PC does support the configuration of SSL using a minimal number of certificates, as was suggested to you previously; however, having a dedicated server / client certificate per server, as required by your company, is a much more secure SSL setup and is supported by the product as well.
Eyal, thank you for the answer. Just to clarify, one CA certificate for each server, including the Load Generators?
I've received multiple answers about certificates on the LGs.
In order to avoid confusion, I will write my reply in bullets this time.
- CA is a certificate authority which signs a certificate. Let’s distinguish between the two
- I do not think the CA should be unique or dedicated for each certificate. You should probably rely on a trusted CA and sign all certificates with it. You can however use different certificates for different PC machines.
- Performance Center has multiple components/machines. Each can be configured with a dedicated certificate. For the Load Generators specifically there are nuances in case Load Generator is configured behind a firewall. I will ignore LG over FW in my reply.
- ALM server and PC server are user facing applications, hence each should have a dedicated certificate with known CA in order to avoid browser trust related errors
- Load Generators and Controllers can be configured to communicate using SSL with a certificate. For the most secure configuration you should use a unique certificate for each Load Generator, but all the certificates must be signed using the same CA. You can read all information in this help page.
Should you require further help please open a support ticket and refer to this post.
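The layout described in the thread (one signing CA, a unique certificate per machine) can be checked with a short script. This is an added example, not part of the original posts or the vendor's tooling: the host names and CA name are constructed placeholders, and a throwaway self-signed CA stands in for the company CA.

```shell
#!/bin/sh
# Added example: one CA, one unique leaf certificate per host.
# Host names are constructed placeholders; the CA is a throwaway test CA.
set -eu
WORK=$(mktemp -d)

make_ca() {  # self-signed test CA (stand-in for the company CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

issue_cert() {  # $1 = host FQDN: new key + CSR, then a CA-signed leaf with a SAN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

chains_to_ca() {  # $1 = host: succeeds only if the leaf verifies against the CA
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

unique_count() {  # number of distinct SHA-256 fingerprints among the given hosts
  for host in "$@"; do
    openssl x509 -in "$WORK/$host.pem" -noout -fingerprint -sha256
  done | sort -u | wc -l | tr -d ' '
}

# One representative machine per role, plus a second Load Generator.
HOSTS="alm01.example.test pc01.example.test ctrl01.example.test lg01.example.test lg02.example.test"
make_ca
for h in $HOSTS; do
  issue_cert "$h"
  chains_to_ca "$h" && echo "chains to CA: $h"
done
echo "distinct certificates: $(unique_count $HOSTS)"
```
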