Multiple SSL Certs in one SSL Proxy/VIP

Unanswered Question
Nov 2nd, 2010
User Badges:


I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP.  Ive created alot of SSL sites before and these work a treat with HTTP to HTTPS redirection.

However Im not sure how are take two different SSL certs, and bind them to the same SSL Proxy, inorder for me to add them to the same VIP.  The customer wants to use only port 443.  I had thought about using a secondary port something like 8443, and adding another class under the multi-match policy.

Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.

Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL. And thus because I have another L4 policy I can assign a new SSL Proxy?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ciscocsoc Tue, 11/02/2010 - 09:32
User Badges:
  • Silver, 250 points or more


I don't think you can do this directly with the ACE.   A wildcard certificate would work if all the sites were in the same domain. If the addresses are in different domains and a wildcard isn't appropriate, you might be able to use a SAN (Subject Alternative Name) certificate.



xiaolonguk Tue, 11/02/2010 - 11:51
User Badges:


Thanks for the reply, thats what i was thinking. we use wild card certificates for several of the other domains, how we need to provide  certificates for and due to cost.

Is it possible to replace the L4 policy map, with a straight L7 so that we are load balancing directly on URL as apposed to verifying L4 matches first?  Or would this not be advisable / possible.  I always thought it was the L4 policy that made the VIP proxy?

Can SAN certs not be used in this example?


ciscocsoc Wed, 11/03/2010 - 01:22
User Badges:
  • Silver, 250 points or more

You need to do the decryption before you can implement layer7.

Your options seem to be wildcards, SAN, re-negotiate the requirements or use another load-balancer.

Kind Regards


xiaolonguk Wed, 11/03/2010 - 04:25
User Badges:

Thanks Cathy,

Ill try to do this with SAN Certs, you have been a huge help

Thanks once more


This Discussion