On a single machine, re-use an SSL certificate between services, or generate multiple certificates?

Assume a machine has multiple management UIs, like for example Cockpit and Monit. Both can do SSL.

Do best practices dictate using distinct certificates for each service? Or is it OK to reuse a single certificate, since both are maintained by the same team and run on the same machine?

I assume two SSL enabled services maintained by two different teams would not reuse the SSL certificate?


Solution 1:

You could go either way, depending on your specific needs. It's even fairly common to see different certs used for the same service on the same port.

The user agent doesn't care about whether the certificate is the same, only whether it is valid and correctly signed by a trusted CA.

It usually greatly simplifies administration for all services that share a DNS hostname to use the same certificate. But if you have a specific need to do so (which you didn't mention), then using different certs is perfectly fine.

Solution 2:

While it may be convenient and practical to use the same certificate, do bear in mind that if the certificate profile requirements for the various services differ, you may need to consider issuing multiple certificates.

If the services are all HTTPS servers, for example, the profile should be the same. On the other hand, if one service requires client authentication certificates, then it may be worth considering another certificate for this use case.

In addition, if you're using different SNI names for each service you may find yourself renewing/modifying the single certificate each time you add a new service in order to add the new name.
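The following is an added example, not code from either answer, that makes both points above concrete: a user agent checks only that the presented certificate chains to a trusted root, lists the SNI name it connected to, and carries a compatible extended key usage (Solution 1), so a single certificate serves any number of services whose names it lists, but a name added later or a different key-usage profile (client authentication) requires reissuing (Solution 2). It uses Go's standard crypto/x509 to stand in for the internal CA and the browser; the hostnames `cockpit.example.internal`, `monit.example.internal` and `grafana.example.internal` are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical hostnames for the management UIs in the question (assumed, not
// from the original page). laterService is a UI added after the cert was issued.
var (
	serviceNames = []string{"cockpit.example.internal", "monit.example.internal"}
	laterService = "grafana.example.internal"
)

// newCA creates a self-signed CA standing in for the team's internal CA.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf issues one certificate from ca that lists every entry of names as
// a subjectAltName DNS name and asserts exactly the given extended key usages.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, names []string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names, // all services sharing this cert are listed here
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptedFor performs the checks a user agent performs: the chain must end at
// a trusted root, host must match a SAN entry, and the EKU must permit usage.
func acceptedFor(cert, root *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

// demo issues one serverAuth certificate shared by both UIs and reports which
// of four realistic checks it passes.
func demo() (map[string]bool, error) {
	ca, caKey, err := newCA()
	if err != nil {
		return nil, err
	}
	shared, err := issueLeaf(ca, caKey, serviceNames, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"cockpit over https":     acceptedFor(shared, ca, serviceNames[0], x509.ExtKeyUsageServerAuth) == nil,
		"monit over https":       acceptedFor(shared, ca, serviceNames[1], x509.ExtKeyUsageServerAuth) == nil,
		"new service, same cert": acceptedFor(shared, ca, laterService, x509.ExtKeyUsageServerAuth) == nil,
		"reused as client cert":  acceptedFor(shared, ca, serviceNames[0], x509.ExtKeyUsageClientAuth) == nil,
	}, nil
}

func main() {
	res, err := demo()
	if err != nil {
		panic(err)
	}
	for check, ok := range res {
		fmt.Printf("%-24s %v\n", check, ok)
	}
}
```

Running it shows the first two checks passing and the last two failing: the shared certificate is fine for both Cockpit and Monit, but a third service name means a reissue (the name is not in the SAN list), and a serverAuth-only certificate is rejected for client authentication, which is the "different profile" case Solution 2 describes.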