Is it possible to use a single SSL certificate for multiple server farms with different FQDNs?

Answered Question
Jun 29th, 2010

Hi

We generated the CSR for a VeriSign Secure Site Pro SSL certificate for cn=abc.com, considering abc.com as our major domain. Now we have servers in this domain like www.abc.com, a.abc.com, b.abc.com etc. We installed the VeriSign certificate and configured the ACE-20 accordingly for ssl-proxy, and we will use the same certificate generated for abc.com for all servers like www.abc.com, a.abc.com, b.abc.com etc. Now when we try to access https://www.abc.com or https://a.abc.com through Mozilla, we are able to access the service, but we get this message in the certificate status: "you are connected to abc.com which is run by unknown"

And the same message when trying to access https://www.abc.com from Google Chrome.

"This is probably not the site you are looking for! You attempted to reach www.abc.com, but instead you actually reached a server identifying itself as abc.com. This may be caused by a misconfiguration on the server or by something more serious. An attacker on your network could be trying to get you to visit a fake (and potentially harmful) version of adgate.kfu.edu.sa. You should not proceed"

So I know that because this certificate is for cn=abc.com, we are getting such errors/status in the SSL certificate.

Now my question is


1. Is it possible to remove the above errors by doing some SSL configuration on the ACE?

2. Or do we have to go for a VeriSign Wildcard Secure Site Pro certificate, with the CSR generated using cn=abc.com, to be installed on the ACE and used for all servers like www.abc.com, a.abc.com etc.?

Thanks

Waliullah

Sean Merrow Tue, 06/29/2010 - 06:19

If you want to use the same VIP and port number for multiple FQDNs, then you will need to get a wildcard certificate.  Currently, if you enter www.abc.com in your browser, that is what the browser expects to see in the certificate.  And right now it won't because your certificate is for abc.com.  You need a wildcard cert that will be for something like *.abc.com.

Hope this helps,

Sean

KFU NOC Tue, 06/29/2010 - 06:44

Hi Sean

Thanks for your reply! We are not sharing VIPs; we have a dedicated VIP for each FQDN. So in this case, is it possible to use the single certificate generated for cn=abc.com with www.abc.com, a.abc.com etc. without getting any CN name issue in the certificate?

Thanks

Wali

Correct Answer
Sean Merrow Tue, 06/29/2010 - 06:59

Hi Wali,

You will either need a separate certificate for each unique FQDN, or a wildcard cert that will match all of them.  That is the only way the browser will not complain to the end user.

Sorry for the confusion.

Sean
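
The name check behind the browser warnings in this thread, as an added example that is not part of the original discussion or any poster's code: a simplified Python version of the hostname matching browsers apply to certificate names (a wildcard is accepted only as the whole left-most label and covers exactly one label). The function takes a list of names because a certificate can carry more than one; the hosts are the thread's placeholder names plus two constructed ones (abc.com itself and x.a.abc.com).

```python
# Added example: simplified RFC 6125-style certificate name matching.
# All names below are placeholders from the thread or constructed samples.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Conservative simplification: refuse wildcards directly under a
        # top-level label (e.g. "*.com"); the remaining labels must be equal.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "w*.abc.com" are rejected outright.
    return "*" not in pattern and p_labels == h_labels


def cert_covers(cert_names, hostname):
    """True if any name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def coverage_report(cert_names, hostnames):
    """Map each hostname to whether the certificate would be accepted for it."""
    return {h: cert_covers(cert_names, h) for h in hostnames}


# Constructed sample hosts: the FQDNs from the thread plus two edge cases.
HOSTS = ["abc.com", "www.abc.com", "a.abc.com", "b.abc.com", "x.a.abc.com"]

if __name__ == "__main__":
    for label, names in [("cert for abc.com", ["abc.com"]),
                         ("wildcard cert *.abc.com", ["*.abc.com"])]:
        print(label)
        for host, ok in coverage_report(names, HOSTS).items():
            print(f"  {host:<14} {'match' if ok else 'NAME MISMATCH'}")
```

The report shows the caveat that matters when ordering the wildcard: `*.abc.com` covers www.abc.com, a.abc.com and b.abc.com, but not the bare abc.com or a deeper name such as x.a.abc.com.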
