Two certs on one VIP IP in CSS

Unanswered Question
Oct 24th, 2008

How can I use two certs for two different hostnames on one VIP IP?

Can I do it with two ssl-proxy-lists with one of the certs in each, two content rules that each match one of the hostnames and redirect to one of two services that sends it to the same SSL module but using the correct ssl-proxy-list?

Regards,
Arnfinn

Syed Iftekhar Ahmed Fri, 10/24/2008 - 01:44

Only one ssl-proxy-list can be active at one time for an SSL module. You can have multiple SSL servers under a proxy list. In each server, you specify the VIP, port, and cert/key pair to use for authentication.

*BUT* you cannot create a proxy-list with multiple servers when both servers are using the same VIP & port.

With the same VIP & the same port number (443), the CSS cannot differentiate between the two.

One option could be to use different ports for the two ssl-servers.

Since the traffic is encrypted when it hits the VIP, Layer 7 info cannot be used to differentiate traffic.

So the only option left is to differentiate traffic by Layer 4 info.

Syed Iftekhar Ahmed
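
The different-ports option from the reply above, sketched as a CSS configuration. This is an added example, not part of the original post: it assumes the usual CSS 11500 `ssl-proxy-list`, `service` and `content` command forms, and every name, address, slot number and the second port (8443) is a constructed placeholder.

```text
! Constructed example: names, addresses, slot and port 8443 are placeholders.
ssl-proxy-list ssl_list1
  ! Server 10: first hostname's cert/key on the default HTTPS port
  ssl-server 10
  ssl-server 10 vip address 192.0.2.10
  ssl-server 10 port 443
  ssl-server 10 rsacert cert_site_a
  ssl-server 10 rsakey key_site_a
  ssl-server 10 cipher rsa-with-3des-ede-cbc-sha 10.0.0.11 80
  ! Server 20: same VIP, different port, second hostname's cert/key
  ssl-server 20
  ssl-server 20 vip address 192.0.2.10
  ssl-server 20 port 8443
  ssl-server 20 rsacert cert_site_b
  ssl-server 20 rsakey key_site_b
  ssl-server 20 cipher rsa-with-3des-ede-cbc-sha 10.0.0.12 80
  active

! One SSL module service carries the single active proxy list
service ssl_serv1
  type ssl-accel
  slot 2
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

! Layer 4 content rules: same VIP, one rule per port
owner example_owner
  content ssl_site_a
    vip address 192.0.2.10
    protocol tcp
    port 443
    add service ssl_serv1
    active
  content ssl_site_b
    vip address 192.0.2.10
    protocol tcp
    port 8443
    add service ssl_serv1
    active
```

With this layout, clients of the second hostname have to include the non-default port in the URL, since the port is the only thing that selects the second certificate.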

