Can we use the same certificate for Vhost as well as end point mutual tls

Hi,

Currently I have created a VHost. Can I share the same keystore certificate chain used while creation of VHost to configure mutual TLS with the end point?

Regards,

Pratyush

Accepted solution

The short answer is - YES YOU CAN.

The addendum is - ARE YOU SURE there is a benefit to using this approach?

You could do it. There's nothing preventing you from doing it, technically. You have configured the vhost with a certificate (provisioned in a keystore) that identifies the proxy to its client. You could use the same certificate to identify the proxy to the backend.

The benefit of such a scenario, in my mind: you have a single cert and keystore to manage and provision. This is of limited value if you have automated the provisioning of these things.

The downsides of this approach: less flexibility in defining the TLS on backend connections. In some cases you may wish to use different certs for different purposes on the backend. Some services might even stipulate which certs are required by clients, which means using "your own cert" won't work.

In any case it's easy to switch back and forth.

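As an added illustration, not part of the original thread or of any Apigee documentation, here is what the two configurations look like in Apigee Edge proxy XML when they share one keystore and key alias. The reference names (`ref://proxy-identity-keystore`, `ref://backend-truststore`), the host alias, the backend URL and the key alias are placeholders I made up. The point to notice is that the keystore only says who the proxy *is*; the truststore on the target side is a separate decision about which backend certificates the proxy will accept, and it should not be skipped just because the client certificate is reused.

```xml
<!-- Virtual host: the keystore/alias here identifies the proxy to its clients (server-side TLS). -->
<VirtualHost name="secure">
  <HostAliases>
    <HostAlias>api.example.com</HostAlias>   <!-- placeholder host alias -->
  </HostAliases>
  <Port>443</Port>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>false</ClientAuthEnabled>
    <KeyStore>ref://proxy-identity-keystore</KeyStore>  <!-- placeholder keystore reference -->
    <KeyAlias>proxy-identity</KeyAlias>                  <!-- placeholder alias -->
  </SSLInfo>
</VirtualHost>

<!-- Target endpoint: the SAME keystore/alias now acts as the client certificate
     presented to the backend (mutual TLS). The truststore is a different store
     and decides which backend server certificates are accepted. -->
<TargetEndpoint name="default">
  <HTTPTargetConnection>
    <URL>https://backend.internal.example.com</URL>     <!-- placeholder backend URL -->
    <SSLInfo>
      <Enabled>true</Enabled>
      <ClientAuthEnabled>true</ClientAuthEnabled>
      <KeyStore>ref://proxy-identity-keystore</KeyStore> <!-- reused from the vhost -->
      <KeyAlias>proxy-identity</KeyAlias>
      <TrustStore>ref://backend-truststore</TrustStore>  <!-- placeholder truststore reference -->
      <IgnoreValidationErrors>false</IgnoreValidationErrors> <!-- keep backend cert validation on -->
    </SSLInfo>
  </HTTPTargetConnection>
</TargetEndpoint>
```

Switching back to a dedicated client certificate later, as the answer notes, is just a matter of pointing the target's `KeyStore`/`KeyAlias` at a different reference; the virtual host is untouched. If the backend operator requires a certificate issued by their own CA, that is the case where a separate keystore for the target becomes mandatory rather than optional.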