SSL and replacing the Certificate with a new one


#1

Currently, I have a Server configuration with a Web Server and a Database Server. The Web Server has an LE SSL on it that’s working properly. Soon, I plan on upgrading to a Layer 4 HAProxy Setup, and was hoping to clone the Web Server onto a 2nd Web Server accordingly.

My issue is this… once I clone WebServer1 onto WebServer2, I’ll have exactly the same LE SSL Certificate on WebServer2 that I have on WebServer1. So… questions:

• Is using the same certificate on 2 or more different Web Servers doable?

• If the answer to the above is NO (which I’m assuming), then how would I go about replacing the cloned LE SSL Certificate with a new one on WebServer2?

Thanks for reading.


#2

I’m assuming both servers will serve content for the same hostname. In that case you can perfectly use the same certificate.

The only downside is that if one of the two servers gets compromised and you’re forced to revoke the certificate, automatically the certificate of the other server will get revoked too. So you’ve got a single point of failure.


#3

Thanks for the feedback. After reading your reply, I’m convinced I have to use two different certificates. Might you know how I would replace the LE SSL Certificate on WebServer2 with a fresh new one?


#4

Well, you don’t have to, but it really depends on your needs and wants. It’s perfectly fine to share a certificate across multiple machines. All you need to keep in mind is that it’s the same and any expiration or revocation will affect all systems on which it is used.

As for a new certificate, if you don’t have any others you wish to preserve on the new server, you can remove the /etc/letsencrypt directory to wipe the old stored data.
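As an added example (not from this thread or from any poster): the point made in #2 and #4 is that a certificate shared across cloned hosts is also a shared revocation and expiry blast radius, so after cloning you want a quick way to see which hosts still carry an identical certificate. The script below computes the SHA-256 fingerprint of the leaf certificate in each host's PEM (the same colon-separated value `openssl x509 -fingerprint -sha256` prints) and groups hosts by it. It uses only the standard library. The host names and the PEM blocks are constructed placeholders, not real certificates; in practice you would read each host's fullchain.pem from `/etc/letsencrypt/live/<name>/` into the dictionary.

```python
"""Inventory which hosts share a TLS certificate, by SHA-256 fingerprint.

Assumptions (not from the thread): each host's fullchain.pem has been copied
locally and is passed in as PEM text. The PEM blocks built below are
constructed placeholders that only exercise the fingerprint path; they are
NOT real X.509 certificates.
"""
import base64
import hashlib
import ssl
from collections import defaultdict

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def fingerprint_sha256(pem_text: str) -> str:
    """SHA-256 fingerprint of the FIRST certificate in a PEM string.

    A fullchain.pem holds the leaf first, then intermediates; only the leaf
    identifies the host's own certificate, so everything after the first
    footer is ignored. Output matches `openssl x509 -fingerprint -sha256`
    (uppercase hex, colon-separated).
    """
    leaf = pem_text.lstrip().split(PEM_FOOTER, 1)[0] + PEM_FOOTER + "\n"
    der = ssl.PEM_cert_to_DER_cert(leaf)          # strips header/footer, base64-decodes
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_certificates(certs_by_host: dict) -> dict:
    """Group hosts by leaf fingerprint; return only fingerprints used by >1 host.

    Every group returned is a set of hosts that would all be affected by a
    single revocation or by a missed renewal.
    """
    groups = defaultdict(list)
    for host, pem in certs_by_host.items():
        groups[fingerprint_sha256(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def constructed_pem(seed: bytes) -> str:
    """Build a PEM-shaped block from constructed bytes (placeholder, not a real cert)."""
    body = base64.encodebytes(seed).decode("ascii")   # wraps at 76 chars like real PEM
    return f"{PEM_HEADER}\n{body}{PEM_FOOTER}\n"


# Constructed sample inventory: WebServer2 is a clone that still carries
# WebServer1's certificate; WebServer1's file also includes an intermediate.
LEAF_A = constructed_pem(b"placeholder-leaf-A" * 8)
LEAF_B = constructed_pem(b"placeholder-leaf-B" * 8)
INTERMEDIATE = constructed_pem(b"placeholder-intermediate" * 8)

SAMPLE_CERTS = {
    "webserver1": LEAF_A + INTERMEDIATE,   # fullchain.pem: leaf then intermediate
    "webserver2": LEAF_A,                  # cloned host, identical leaf
    "dbserver": LEAF_B,                    # its own certificate
}


if __name__ == "__main__":
    for host, pem in SAMPLE_CERTS.items():
        print(f"{host:12s} {fingerprint_sha256(pem)}")
    for fp, hosts in shared_certificates(SAMPLE_CERTS).items():
        print(f"shared certificate {fp[:23]}... on: {', '.join(hosts)}")
```

Run this again after wiping /etc/letsencrypt on the clone and issuing its new certificate: the two web servers should then land in separate groups, and an empty result means no host shares a certificate with another.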