.pem keys for server to server tls/ssl encryption

I’m attempting to set up tls/ssl communication between two servers, a front end server and a back end server. I’m currently using letsencrypt on the front end server and have successfully created certificates for two domains that are hosted on said server. Both of which are using Nginx as the web server.

I’m attempting to secure communication between the front end and the back end and am confused as to how I should add the .pem files to the back end. I’m uncertain as to whether I should add a separate A record for the domain to the back end server in order to create the certificate keys (my gut says no but I’m not sure). Or if I’m supposed to copy the .pem file from the front end server to the back end .ssl directory (this seems wrong as well since it may be less automated?)

I’m using mongodb on the back end and have found a couple tutorials on this subject but they are less clear when it comes to the details of this issue.

Any help is greatly appreciated.


Hi @paragonss

there are different options:

  • Does your frontend accepts a self signed certificate to connect the backend? Or is it possible to configurae your frontend, so a self signed certificate is ok? If yes, that’s the easiest solution. Create a self signed certificate (10 - 20 years), then use that. Install it - and forget it.
  • You can create a wildcard certificate with your frontend domain name, your backend should have a matching domain name -> use the wildcard.
  • Create a certificate via dns validation -> no ip address, no running webserver is required.

But (1) is the easiest version. Then no renew is required.

1 Like

Hi @JuergenAuer

Thanks for your quick response! I was concerned whether using a self-signed cert would offer enough security or not but I will look more into it.

If I go with option two and use a wildcard (I assume I would use -d mydomain.com -d *.mydomain.com instead of the -d www.mydomain.com?), then I would I be able to simply add a certificate to the backend with the subdomain and then allow them both to auto-renew? Logically it seems this may be a simple enough solution, but am I missing anything?

I’d also like to authenticate the front end server (to help prevent MITM) using the .ca file (which appears to be equivalent to the chain.pem file. My question is, if there are multiple chain files, e.g., chain1.pem, chain2.pem, then would I simply concatenate them into a single chain file?

1 Like

A self-signed certificate is more secure in some ways than a CA-issued certificate if you personally issue and verify it for your own services. The CA doesn't have any special ability to increase the cryptographic strength of TLS connections, only to verify domain ownership in a way that the general public can trust. If you don't need the general public to trust the verification of domain ownership, and you can verify the domain ownership yourself, you're in a better position than relying on a CA.


Thank you for the information @schoen! This seems logical to me.

I use the same. On my Database server, there is a web service, only used by the database server. The web service is able to send mails, fetch websites etc.

It's good to use encryption, that allows some additional features (now http/2).

First I wanted to use the wildcard certificate of the webserver. But that's not really required. So I've created a self signed certificate with a long duration - now I can forget it and it works.


Thanks @JuergenAuer! I really appreciate your input!

This is true, though I would rephrase this as: If you personally issue it and configure your own services to verify it correctly. Any process that involves asking humans to manually verify a certificate is failure-prone and less secure. However, if you configure your services to recognize only that self-signed certificate, I agree with this statement in broad terms.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.