Multiple SSL certs w/single VIP

Unanswered Question
May 19th, 2008

How would I have two URLs point to one VIP with SSL termination enabled on the ACE? Is it as simple as adding the second cert/key pair to the ssl-proxy service?

Gilles Dufour (Cisco Employee) Mon, 05/19/2008 - 07:37

NO!!!

A certificate is always associated with a single website/server name, and your server name will resolve to a single IP address, which is a VIP.

In other words, you need 2 VIPs if you have 2 websites.

Another reason is that you only know the hostname inside the client request after decrypting the traffic, and to decrypt the traffic you need to know which certificate to use.

Therefore you can't use a single VIP for 2 websites, as you won't be able to determine which certificate to use.


Gilles.

harrjd222 Mon, 05/19/2008 - 15:56
Gilles

Would a wildcard certificate work in this situation?

*.abc.com


Gilles Dufour (Cisco Employee) Tue, 05/20/2008 - 00:54

Yes.

A wildcard certificate is a good solution, assuming your sites are part of the same domain.

In this case a single certificate is enough for the SSL part, and you can then use the decoded info to detect which website the client is looking for.


Gilles.

jrossiter7311 Tue, 10/14/2008 - 18:21
Hi Gilles,

I'm trying to set up something similar (wildcard cert for multiple sites using the same domain). Could you please share a sample configuration?

Thanks,

John

carlsond Fri, 05/30/2008 - 06:27
You can also associate more than one URL within your cert. This would allow you to install just the one cert rather than having the cost and maintenance of two.
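Gilles's caveat that a wildcard only helps for sites in the same domain, and carlsond's point that one certificate can carry several names, both come down to how a TLS client matches the names in a certificate against the hostname it requested. The function below is an added example written for this page, not code from the thread or from Cisco; it applies the RFC 6125 / RFC 2818 matching rules to a certificate described by its common name and its subjectAltName dNSName entries. The hostnames and the `*.xyz.com` / `*.abc.com` wildcards are the thread's illustrative names; `cert_covers` and `coverage_report` are names chosen here.

```python
"""Which hostnames does a wildcard or multi-name (SAN) certificate cover?

Added example for this page (not from the thread). Rules applied:
  * names are compared case-insensitively, ignoring a trailing dot;
  * a wildcard must be the entire leftmost label ("*.xyz.com"; "w*.xyz.com"
    and "a.*.xyz.com" are rejected);
  * the wildcard matches exactly one label: "*.xyz.com" covers www.xyz.com
    but neither the bare xyz.com nor a.b.xyz.com;
  * over-broad wildcards such as "*.com" are rejected;
  * when the certificate has dNSName SANs they are authoritative and the CN
    is not consulted (current browsers never consult the CN, so always put
    the wildcard in the SAN as well as the CN).
"""


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name (possibly a wildcard) against one hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # The wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Browsers reject wildcards on public suffixes ("*.com"); requiring at
    # least two labels after the '*' is a conservative offline stand-in.
    if len(p_labels) < 3:
        return False
    # One wildcard label covers exactly one hostname label.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(host: str, common_name: str, san_dns_names=()) -> bool:
    """True if a client connecting to `host` would accept this certificate.

    `san_dns_names` are the certificate's subjectAltName dNSName entries; if
    any are present the CN is ignored, as RFC 6125 requires.
    """
    names = list(san_dns_names) if san_dns_names else [common_name]
    return any(_name_matches(name, host) for name in names)


def coverage_report(common_name: str, san_dns_names, hosts):
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(h, common_name, san_dns_names) for h in hosts}


if __name__ == "__main__":
    # Constructed sample: the wildcard from the thread against a few hosts
    # that might all be pointed at the same VIP.
    sample_hosts = ["www.xyz.com", "mail.xyz.com", "xyz.com",
                    "a.b.xyz.com", "www.abc.com"]
    for host, ok in coverage_report("*.xyz.com", (), sample_hosts).items():
        print(f"{host:15} {'covered' if ok else 'NOT covered'}")
```

The two results that bite in practice are `xyz.com` and `a.b.xyz.com`: neither is covered by `*.xyz.com`, so a VIP that also answers for the bare domain or for a deeper subdomain needs those names added as SANs (carlsond's multi-URL certificate) rather than relying on the wildcard alone.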

new_networker Sat, 10/25/2008 - 23:00
If I were to use a single certificate for all the hosts within the same domain, what would be the common name while setting up csr-params?

For example, the domain is xyz.com.

Will the common name be *.xyz.com?

i.e. under 'crypto csr-params' it will be like 'common-name *.xyz.com'.

Please confirm.

Thanks.

Syed Iftekhar Ahmed (Blue, 1500 points or more) Sat, 10/25/2008 - 23:47

You are right.

common-name *.xyz.com

in the csr-params will do.

Syed Iftekhar Ahmed
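The pieces discussed in this thread, Gilles's single-wildcard-certificate approach, the csr-params common-name confirmed just above, and routing on the decrypted Host header, put together as one ACE configuration. This is an added example for this page, not a configuration anyone in the thread posted. The object names, the 192.0.2.10 VIP, the 10.10.10.x real servers, VLAN 100 and the www/mail hostnames are all illustrative assumptions; the exec-mode key, CSR and import commands are shown as comments and should be checked against your ACE release.

```text
! --- CSR parameters: the wildcard goes in the common-name (assumed values)
crypto csr-params WILDCARD-XYZ
  country US
  state CA
  locality SanJose
  organization-name ExampleCorp
  organization-unit WebOps
  common-name *.xyz.com

! --- exec mode: generate key and CSR, get it signed by your CA, import the cert
! ace/Admin# crypto generate key 2048 wildcard-xyz.key
! ace/Admin# crypto generate csr WILDCARD-XYZ wildcard-xyz.key
! ace/Admin# crypto import terminal wildcard-xyz.pem
! ace/Admin# crypto verify wildcard-xyz.key wildcard-xyz.pem

! --- one SSL termination service, one cert/key pair for every *.xyz.com site
ssl-proxy service SSL-WILDCARD-XYZ
  key wildcard-xyz.key
  cert wildcard-xyz.pem

! --- real servers and farms (assumed addresses)
rserver host WWW1
  ip address 10.10.10.11
  inservice
rserver host MAIL1
  ip address 10.10.10.21
  inservice
serverfarm host SF-WWW
  rserver WWW1 80
    inservice
serverfarm host SF-MAIL
  rserver MAIL1 80
    inservice

! --- after decryption, pick the site from the HTTP Host header
class-map type http loadbalance match-any HOST-WWW
  2 match http header Host header-value "www.xyz.com"
class-map type http loadbalance match-any HOST-MAIL
  2 match http header Host header-value "mail.xyz.com"

policy-map type loadbalance first-match LB-XYZ-HTTPS
  class HOST-WWW
    serverfarm SF-WWW
  class HOST-MAIL
    serverfarm SF-MAIL
  class class-default
    serverfarm SF-WWW

! --- a single VIP on 443 that both DNS names resolve to
class-map match-all VIP-XYZ-HTTPS
  2 match virtual-address 192.0.2.10 tcp eq https

policy-map multi-match CLIENT-VIPS
  class VIP-XYZ-HTTPS
    loadbalance vip inservice
    loadbalance policy LB-XYZ-HTTPS
    ssl-proxy server SSL-WILDCARD-XYZ

interface vlan 100
  service-policy input CLIENT-VIPS
```

Two checks before pointing DNS at the VIP: every hostname you resolve to 192.0.2.10 must sit exactly one label under xyz.com (www.xyz.com and mail.xyz.com do; the bare xyz.com and a.b.xyz.com do not, and would fail certificate validation in the browser), and the `class-default` entry decides where requests with an unexpected Host header land, so point it somewhere harmless rather than leaving it out.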
