IAM in Service Catalog
Doc Audience: developers of applications using Public Key certificates to access services like Person Directory Service, Groups Directory Service, etc.
Doc Status: Drafty, but useful? Not yet reviewed.
If I have two apps that could be described in one of the following ways:
should I establish a distinct DNS name and certificate/public-key pair for each application? Or might multiple apps share one DNS name and certificate/key pair?
USE DISTINCT DNS NAMES, CERTS, KEY PAIRS: The Identity and Access Management group recommends using distinct DNS names (and certs and key pairs) to identify each application (of perhaps several) in the following situations:
Multiple instances of the same application (that run, for example, as a replicated or backup service or in a clustered environment) may share a single DNS name, key pair and client certificate to minimize unreasonable administrative overhead without compromising security objectives.
Using a distinct DNS name, key pair and certificate for each app is typically a best practice for the following reasons:
If the points above are not that relevant to your apps (and some of them tend to become moot if the apps have near-identical security models and run on the same host), then it wouldn't make a whole lot of difference whether you used one DNS name/cert or two. And we wouldn't refuse you access if you set it up to use one cert rather than two.
Still, possible future changes to your app, or to our environment in general, are more likely to increase the usefulness of having separate DNS names/certs, so that's what the Identity and Access Management group recommends.
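The following script is an added example, not part of the IAM page or any UW tooling, showing what the recommendation above looks like in practice: one private key and one certificate signing request per application, each carrying only that application's DNS name. The host names app-a.example.edu and app-b.example.edu and the WORKDIR location are constructed placeholders; the CSRs would still be submitted to whatever CA your environment uses.

```shell
#!/bin/sh
# Added example (not from the IAM page): generate a distinct RSA key pair and CSR
# per application, with the app's own DNS name as CN and subjectAltName.
# DNS names used in the test are constructed placeholders, not real hosts.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_app_identity NAME DNSNAME
#   Writes $WORKDIR/NAME.key (private key, never shared with another app)
#   and $WORKDIR/NAME.csr (request bound to DNSNAME only).
make_app_identity() {
    name="$1"; dnsname="$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/$name.key" \
        -out "$WORKDIR/$name.csr" \
        -subj "/CN=$dnsname" \
        -addext "subjectAltName=DNS:$dnsname" >/dev/null 2>&1
    # Private key material stays readable only by the owner.
    chmod 600 "$WORKDIR/$name.key"
}

# csr_cn NAME: print the CN the CSR asks for (works with 1.1.x and 3.x output formats).
csr_cn() {
    openssl req -in "$WORKDIR/$1.csr" -noout -subject | sed 's/.*CN *= *//'
}

# csr_matches_key NAME: exit 0 when the CSR's public key is the one derived
# from NAME.key, i.e. this CSR really belongs to this app's own key pair.
csr_matches_key() {
    a=$(openssl req -in "$WORKDIR/$1.csr" -noout -pubkey)
    b=$(openssl pkey -in "$WORKDIR/$1.key" -pubout)
    [ "$a" = "$b" ]
}

# keys_differ A B: exit 0 when the two apps do not share a private key.
keys_differ() {
    ! cmp -s "$WORKDIR/$1.key" "$WORKDIR/$2.key"
}
```

Because each application ends up with its own key file and its own CSR, the CA can issue, renew or revoke one app's certificate without touching the other, and a relying service sees two different identities in its access logs. Replicated instances of the same app (the case the page exempts) would instead copy one key/certificate to each instance rather than calling make_app_identity again.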