
SSL Cert on proxy vs SSL Cert on Origin Server

So I am setting up a reverse-proxy that will be visible from the internet. I will install an intermediate-CA-signed SSL Cert on the reverse-proxy. The reverse-proxy will terminate the original SSL connection but will make another SSL connection to the origin server and forward the application traffic over it.

If my domain is acme.com then the SSL Cert on my reverse-proxy will have cn: acme.com. My origin server will have a self-signed SSL Cert. My question is: should I use the same cn: acme.com on the SSL cert installed on the origin server even though it is not directly accessible by the end user? What are the pros and cons of not using cn: acme.com on the self-signed origin server?

The subject of the certificate for the internal server does not matter if you explicitly trust this specific certificate, for example by fingerprint in your reverse proxy (i.e. not blindly trusting everything). But trusting a specific certificate means that you also need to change which certificate you trust if the internal setup changes (i.e. a new certificate). This can be a particular problem if you don't fully control the internal setups.

It would scale better if you don't use self-signed certificates but instead certificates issued by an internal CA. In this case it is enough to trust the internal CA in your proxy, as long as the subject of the certificate matches the domain. This makes it possible to change the internal certificate independently from the proxy setup, as long as the subject still matches the domain and the certificate is still issued by the trusted internal CA.
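The two trust models the answer contrasts, pinning the origin's exact certificate versus trusting an internal CA plus a hostname check, as an added example that is not part of the original question or answer. It uses only the openssl command line and runs offline; the temporary working directory, the CA name "Example Internal CA" and the hostnames origin.internal.example / other.internal.example are constructed placeholders, and the functions verify_pinned and verify_with_ca are hypothetical helpers written for this example.

```shell
#!/bin/sh
# Added example (not from the original Q&A): compares the two ways a reverse
# proxy can decide to trust its origin server's certificate:
#   1. pin one specific certificate by its SHA-256 fingerprint, or
#   2. trust an internal CA and require the certificate's name to match the
#      origin hostname (subject / subjectAltName check).
# Everything runs offline with the openssl CLI. Paths, the CA name and the
# hostnames below are constructed placeholders.

WORK="$(mktemp -d)"
ORIGIN_HOST="origin.internal.example"   # assumed internal name of the origin server

# Create the internal CA (self-signed, which is how an internal PKI is bootstrapped).
make_internal_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Example Internal CA" 2>/dev/null
}

# Issue a server certificate for hostname $1, signed by the internal CA, written
# to $2. Every call produces a fresh key and serial number, which is exactly what
# happens when the origin's certificate is rotated.
issue_server_cert() {
    host="$1"; out="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$out.key" -out "$out.csr" -subj "/CN=$host" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$out.ext"
    openssl x509 -req -in "$out.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 30 -extfile "$out.ext" -out "$out" 2>/dev/null
}

# Approach 1 helper: SHA-256 fingerprint of a certificate file (the value a proxy would pin).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Approach 1: accept certificate $1 only if its fingerprint equals the pinned value $2.
verify_pinned() {
    presented="$(cert_fingerprint "$1")"
    [ "$presented" = "$2" ]
}

# Approach 2: accept certificate $1 only if it chains to the internal CA AND its
# subject/SAN matches the expected origin hostname $2.
verify_with_ca() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demonstration: issue the origin's certificate, record the pin, then rotate it.
make_internal_ca
issue_server_cert "$ORIGIN_HOST" "$WORK/origin-v1.pem"
PIN="$(cert_fingerprint "$WORK/origin-v1.pem")"
issue_server_cert "$ORIGIN_HOST" "$WORK/origin-v2.pem"   # same name, same CA, new key

if verify_pinned "$WORK/origin-v2.pem" "$PIN"; then
    echo "pin:  rotated certificate accepted"
else
    echo "pin:  rotated certificate REJECTED (the pin in the proxy must be updated)"
fi
if verify_with_ca "$WORK/origin-v2.pem" "$ORIGIN_HOST"; then
    echo "ca:   rotated certificate accepted (CA and hostname still match)"
fi
if ! verify_with_ca "$WORK/origin-v2.pem" "other.internal.example"; then
    echo "ca:   certificate for a different hostname rejected"
fi
```

Run it with sh; the last three lines show the trade-off from the answer: the pin rejects a rotated origin certificate until the proxy configuration is changed, while CA trust keeps working across rotation but still fails when the name does not match. In a real proxy the same two checks are what its "trusted CA file" and "expected server name" settings perform on every upstream handshake.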
