Appendix D: HTTPS Cluster Certificates
Equalizer Installation and Administration Guide
Equalizer communicates with clients over HTTPS; the traffic between Equalizer and the servers
in an HTTPS cluster is plain HTTP (i.e., unencrypted). Compared to the typical scenario in which each
server establishes direct HTTPS connections with clients, encrypting and decrypting traffic as well as
serving content, SSL offloading improves the overall performance of the cluster. Because the server-side
leg is unencrypted, the network between Equalizer and the servers must be one you trust (for example, a
dedicated server VLAN); anyone able to sniff that segment sees the decrypted requests and responses.
For even better performance, an optional Xcel SSL Acceleration Card can be installed in Equalizer.
With Xcel, all SSL processing is done by the Xcel card, enhancing overall HTTPS throughput. For
more information on Xcel, please visit the Coyote Point website (www.coyotepoint.com) and
Support Portal (support.coyotepoint.com).
Note that HTTPS and certificates can also be used on the servers in Layer 4 TCP and UDP clusters, but
in that case you must install the server certificate (and the client certificate, if you use one) on
each server in the cluster, because Equalizer does no HTTPS/SSL processing at Layer 4: it simply
forwards the encrypted connection. In this scenario, no certificates are installed on Equalizer.
About Certificates and HTTPS Clusters
Each Layer 7 HTTPS cluster requires a server certificate; a client certificate is optional.
Web servers (such as Apache) and browsers (such as Internet Explorer and Firefox) ship with a set of
pre-installed Trusted Root Certificates. These are used to validate the server and client certificates
that are exchanged when an HTTPS connection is established.
Equalizer supports self-signed certificates, certificates signed by a Trusted Root Certificate
Authority, and certificates signed by a CA whose own certificate is not itself a trusted root. If your
certificate is issued by a CA of the last kind, you need to install at least two certificates: the server
certificate and the chained root (or intermediate) certificate of the CA. The intermediate certificate
links the server certificate to a Trusted Root certificate; without it, clients cannot build the chain
and will reject the connection even though the server certificate itself is valid.
Similarly, if you want to use client certificates with an HTTPS cluster, you need to obtain a signed
client certificate from a CA or create a self-signed one. The client certificate must be installed on
each client that will access the Equalizer cluster, as well as on Equalizer. The same client certificate
can be used on all clients (i.e., you do not need to buy or create a separate certificate for each
client system). Keep in mind that a shared certificate only proves membership in the group that holds
it, not the identity of an individual client, and that its private key must then be protected on every
client, since a copy leaked from any one of them lets anyone authenticate to the cluster.
Just as with server certificates, you may need to install a client certificate and a chained root
certificate if you obtain your certificates from a CA without its own Trusted Root CA certificate.
Some sites prefer to use self-signed certificates for clients, or set up their own local CA to issue
client certificates.
For several good tutorials on how to get your certificates signed, please see:
http://sial.org/howto/openssl/
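The local-CA setup described above (a self-signed root, an intermediate, a server certificate for the cluster and a client certificate), as an added example built with the openssl command-line tool; it is not code from the Equalizer guide or from Coyote Point. The names (Example Local Root CA, www.example.com, equalizer-client), the scratch directory and the password changeit are assumptions for illustration. The script also checks two things the guidelines that follow ask for: that the RSA key length is a multiple of 8, and that the credential survives a round trip through PKCS#12.

```shell
#!/bin/sh
# Added example, not code from the Equalizer guide: build a local CA with an
# intermediate using the openssl CLI, issue a server and a client certificate,
# verify the chains, check the key length, and round-trip the server credential
# through PKCS#12. All names, paths and the password are hypothetical.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; override with WORK=/some/dir

# Extension profiles for the three roles. Each is written to a file and passed
# to "openssl x509 -req -extfile"; the unnamed top section is used by default.
ca_exts()     { printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n'; }
server_exts() { printf 'basicConstraints=CA:false\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.com\n'; }
client_exts() { printf 'basicConstraints=CA:false\nextendedKeyUsage=clientAuth\n'; }

# new_csr NAME SUBJECT: fresh 2048-bit RSA key (a multiple of 8, as the Xcel I
# rule requires) plus a certificate signing request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXT_FUNC: sign NAME's CSR with ISSUER's key, or self-sign
# when ISSUER is "self" (used only for the root).
sign() {
  "$3" > "$WORK/$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -sha256 -days 3650 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -sha256 -days 825 -in "$WORK/$1.csr" \
      -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
  fi
}

build_pki() {
  new_csr root         "/CN=Example Local Root CA";         sign root         self         ca_exts
  new_csr intermediate "/CN=Example Local Intermediate CA"; sign intermediate root         ca_exts
  new_csr server       "/CN=www.example.com";               sign server       intermediate server_exts
  new_csr client       "/CN=equalizer-client";              sign client       intermediate client_exts
}

# verify_chain LEAF: what a browser (or Equalizer, for client certificates) does
# when the intermediate is supplied with the leaf and only the root is trusted.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_without_intermediate LEAF: the same check with the chained certificate
# missing. It fails, which is why the intermediate must be installed as well.
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# key_bits NAME: RSA modulus length, read from the certificate's public key.
key_bits() {
  openssl x509 -in "$WORK/$1.pem" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# pkcs12_roundtrip: export server key + certificate + intermediate to a .pfx,
# import it back to PEM, and print how many certificates the PEM file holds.
pkcs12_roundtrip() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -certfile "$WORK/intermediate.pem" -passout pass:changeit -out "$WORK/server.pfx" 2>/dev/null
  openssl pkcs12 -in "$WORK/server.pfx" -passin pass:changeit -nodes \
    -out "$WORK/server-from-pfx.pem" 2>/dev/null
  grep -c 'BEGIN CERTIFICATE' "$WORK/server-from-pfx.pem"
}

build_pki
for leaf in server client; do
  if verify_chain "$leaf"; then echo "$leaf: chain OK when the intermediate is supplied"; fi
  if ! verify_without_intermediate "$leaf"; then echo "$leaf: verification FAILS without the intermediate"; fi
done
bits=$(key_bits server)
if [ $((bits % 8)) -eq 0 ]; then echo "server key: $bits bits (multiple of 8)"; fi
echo "PKCS#12 round trip: $(pkcs12_roundtrip) certificates in $WORK/server-from-pfx.pem"
```

Run it with sh; set WORK to a directory of your choice to keep the files. The verification with -untrusted mirrors a client that trusts only the root and receives the intermediate from the server; the second check is the failure you get when only the server certificate is installed and the chained certificate is forgotten. The re-imported PEM from the PKCS#12 file contains both the server certificate and the intermediate along with the key, which is the material an HTTPS cluster needs.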
Whichever method you choose, follow these general guidelines for certificates you want to use with
Equalizer:
Equalizer accepts X.509 certificates in either PEM or PKCS#12 format; PEM files usually have
a .pem extension, and PKCS#12 files usually have a .pfx (or .p12) extension. Most CA vendors provide
certificates in PEM format.
If you are using an Xcel I accelerator card, use a private key bit length that is a multiple of 8
(e.g., 1024, 2048, etc.). This restriction does not apply to the newer generation Xcel II cards.
When uploading certificates to Equalizer, the certificate(s) and the private key must be contained in
a single plain-text file, in the following order: