
I've been tasked with deploying and managing load balancers covering internal servers and DMZ servers. I have no experience with this, and this is a first for my organization as well. Balancers are up, running, legit. Currently we are using a self-signed cert for Exchange/OWA. I know that we should have a cert signed by a CA, but the balancer has options for SSL cert or intermediate cert, and I'm unclear on the difference, or on which we need. We will be hosting Lync, Exchange and some custom apps in the DMZ.

Disclaimer: Apologies up front, I'm desktop support. I recently passed my Net+. It seems that has made me the network engineer in this organization.

rex

2 Answers


If I understand the question correctly, it seems that the load balancer is fronting other servers. In this case, the client would open an SSL connection to the server and, as part of the SSL handshake, the load balancer would need to return its certificate and the intermediate CA certificate or certificates (if there is more than one in the hierarchy to the root CA) to the client (as part of the CERTIFICATE message) so that the client can validate/verify the load balancer's certificate and decide whether to trust it or not. It would be trusted by the client and the SSL handshake would proceed if the hierarchy (the certificate chain) from the load balancer's certificate to the intermediate certificate to the root CA certificate is confirmed, since the client trusts the root CA certificate. For a brief description of SSL, please see the TLS wiki or perhaps this white paper: http://www.symantec.com/content/en/us/enterprise/white_papers/b-wp_ecc.pdf [see the SSL section]

Khanna111

Assuming the SSL cert and intermediate cert are separate items in the configuration on the load balancer, you will always need to use the SSL cert configuration item regardless of whether you're using a self-signed certificate or a CA-signed certificate. If you use a CA-signed certificate, the CA will provide you with intermediate certificates, which you would add to the intermediate certificate configuration item.

mahnsc
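
The chain validation both answers describe, as an added example that is not part of either answer: a shell script that builds a constructed three-level lab PKI with `openssl` and verifies the server certificate the way a client trusting only the root would, with and without the intermediate. All subjects, the host name `owa.example.test` and the file names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed lab PKI: root CA -> intermediate CA -> server cert (all names made up).

issue_cert() {   # $1 = name, $2 = subject, $3 = extension section, $4 = issuer name
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" &&
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
        -extfile pki.cnf -extensions "$3" -days 30 -out "$1.pem"
}

make_lab_pki() {   # $1 = empty working directory
    ( cd "$1" && cat > pki.cnf <<'EOF' &&
[req]
distinguished_name = dn
prompt = no
[dn]
CN = replaced-by-subj
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:owa.example.test
EOF
      # The self-signed root stands in for a CA already in the client's trust store.
      openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
          -keyout root.key -out root.pem -subj "/CN=Lab Root CA" -days 30 &&
      issue_cert int "/CN=Lab Intermediate CA" ca root &&
      issue_cert leaf "/CN=owa.example.test" leaf int
    ) >/dev/null 2>&1
}

# Verify leaf.pem as a client that trusts only root.pem would.
# $1 = PKI directory, $2 = optional file of intermediates sent by the balancer.
client_accepts() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem"
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem"
    fi >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && make_lab_pki "$d" || return 1
    client_accepts "$d" && echo "cert only: trusted" || echo "cert only: rejected"
    client_accepts "$d" "$d/int.pem" && echo "cert + intermediate: trusted" \
        || echo "cert + intermediate: rejected"
    rm -rf "$d"
}
demo
```

Against a running balancer, `openssl s_client -connect <host>:443 -showcerts` lists the certificates it actually sends, which shows whether the intermediate was loaded.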