If I have three web servers that all have the same CSR based on a domain, *.domain.com, does that mean all the servers have the same private key? I know it's a short question, but I am not sure of the SO answers I have read.

Use the same IIS RSA key on all servers

What I didn't understand because I am still learning is if they don't all have the same private key for that *.domain.com, doesn't that mean I need to generate a new key for each server? I think what is getting me is I thought you could only have the same private key for the CSR based on the math, so it would have to be the same for each server in a domain wide CSR.

I do see that if I use one key on all of them and one server gets compromised, they all do, but that doesn't help me because, again, I thought they all had to have the same key on a domain wildcard CSR.

johnny

1 Answer

The private key is linked to the certificate, so if you use the same certificate at different places, you also need to use the same private key.

If you want each server to have a different key, you need to generate different certificates.

Benoit Esnard
  • If I have one domain but ten servers, for example, then I can still have them all on the same domain, just that the certificate is generated for that machine only? So I have server1.mydomain.com and server2.domain.com... They are all able to be on the same domain, just that I am not using a wildcard domain, so no need to have the same private key? – johnny Aug 14 '19 at 11:57
  • @johnny: it's common practice to terminate the TLS connection at the load balancer level: see [TLS termination proxy on Wikipedia](https://en.wikipedia.org/wiki/TLS_termination_proxy). With that method, only the load balancer has access to the private key. – Benoit Esnard Aug 14 '19 at 12:02
  • @johnny: `They are all able to be on the same domain, just that I am not using a wildcard domain, so no need to have the same private key?` -- no, they don't need to. They may have different certificates with different key pairs. – Crypt32 Aug 14 '19 at 12:56
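As an added example (not written by the asker, the answerer or any commenter), the following Go program shows the binding that the answer and the last comment describe. A CSR carries the public half of exactly one key pair; the CA copies that public key into the certificate it issues; and a TLS server will only load the certificate together with the private half of that same pair. So "the same certificate on three servers" does mean "the same private key on three servers", and a server that is to have its own key needs its own CSR and its own certificate. The toy CA, the key names and the use of `*.domain.com` are constructed for the example; the checks use only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// genKey makes a fresh 2048-bit RSA key pair, as each server would do locally.
func genKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	return key
}

// makeCSR builds a PEM CSR for name, signed with key. The CSR carries only the
// public half of key; the private half never leaves the machine.
func makeCSR(key *rsa.PrivateKey, name string) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}, DNSNames: []string{name}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func parseCSR(csrPEM []byte) *x509.CertificateRequest {
	block, _ := pem.Decode(csrPEM)
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	must(err)
	must(csr.CheckSignature()) // proof that the requester holds the matching private key
	return csr
}

// csrMatchesKey reports whether the public key inside csrPEM is key's public half.
func csrMatchesKey(csrPEM []byte, key *rsa.PrivateKey) bool {
	return key.PublicKey.Equal(parseCSR(csrPEM).PublicKey)
}

// newCA creates a throwaway self-signed CA (constructed for this example only).
func newCA() (*x509.Certificate, *rsa.PrivateKey) {
	key := genKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueFromCSR plays the CA: it copies the CSR's public key into the issued
// certificate. That copy is what binds the certificate to exactly one key pair.
func issueFromCSR(csrPEM []byte, caCert *x509.Certificate, caKey *rsa.PrivateKey) []byte {
	csr := parseCSR(csrPEM)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	must(err)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// certWorksWithKey is the check a TLS server performs at startup: pair the
// certificate with a private key, and refuse to start if the public keys differ.
func certWorksWithKey(certPEM []byte, key *rsa.PrivateKey) bool {
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err == nil
}

func main() {
	caCert, caKey := newCA()
	keyA, keyB := genKey(), genKey() // two servers, each generating its own key
	csrA := makeCSR(keyA, "*.domain.com")
	certA := issueFromCSR(csrA, caCert, caKey)
	fmt.Println("CSR A carries key A's public key:", csrMatchesKey(csrA, keyA)) // true
	fmt.Println("cert A loads with key A:", certWorksWithKey(certA, keyA))      // true
	fmt.Println("cert A loads with key B:", certWorksWithKey(certA, keyB))      // false
	// Server B wants its own key, so it needs its own CSR and its own certificate.
	certB := issueFromCSR(makeCSR(keyB, "*.domain.com"), caCert, caKey)
	fmt.Println("cert B loads with key B:", certWorksWithKey(certB, keyB)) // true
}
```

The failing `certWorksWithKey(certA, keyB)` call is the same mismatch a web server reports when a wildcard certificate is copied to a host that generated its own key. The two ways out are the ones the thread already names: copy the one private key to every host that serves the certificate, or keep the key in one place (a TLS-terminating load balancer) and let the back-end servers use their own certificates and keys.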