Confusion regarding generating self signed certificate for application portal developed using liferay

Question

We have a Application Portal developed using Liferay bundled with tomcat. There are two application servers running liferay and we use httpd as a front-end which forwards requests to application server using load balancing . For load balancing in apache httpd , we are using mod_proxy_balancer .

Now , there is a requirement for us to enable SSL for the application Portal . Initially my plan is to try with self signed certificate .

My confusion is whether I need to generate certificate for httpd or tomcat . Since httpd does not serve any content and just forwards request , if I generate self signed certificate for httpd , only the HomePage of application portal will be SSL enabled , rest of the Webpages including Sign In will not be using SSL. In that case I can generate certificate for tomcat so that all webpages are served using SSL.

Answer 1

As httpd is working as a front-end, then clients connecting to the service will be communicating with httpd and not tomcat; httpd takes care of forwarding the request to tomcat and passing the response back to the client.

When you implement SSL then the logical place for doing that is in httpd; hence httpd is where the SSL processing needs to be done.

Only if clients communicate directly with tomcat would it make sense for tomcat to do the SSL processing, but then you don't have a load-balanced solution via httpd.