
How many CSS SSL certificates needed?

Unanswered Question
Nov 28th, 2005

From reading the CSS SSL Configuration Guide, it seems that one certificate is needed for each virtual SSL server (or VIP), regardless of how many servers are being load-balanced behind that VIP, but that is not made very clear. Also, it appears that a separate certificate is required for each virtual SSL server. Can someone please confirm or correct this for me? Thank You.

Gilles Dufour (Cisco Employee) Mon, 11/28/2005 - 11:30

A certificate is usually linked to a domain name.

So, it does not matter how many VIPs or servers you have.

The most important thing is the domain.

There are also wildcard certificates that can regroup multiple domain names.

I would suggest you ask your certificate provider what is required in your case.

If he questions your equipment, just say you have 1 Apache server.



eleibowitz Mon, 11/28/2005 - 13:27


Thanks for the quick response. Your response prompted me to check Verisign's SSL Certificate FAQs, which restated and elaborated on your answer.

eleibowitz Thu, 12/01/2005 - 12:25

A quick (I hope) follow-up question on this...

Given multiple domain names being load-balanced by a CSS with a single SSL module, would I need different key and cert associations? I am thinking of something like this:

ssl associate rsakey prodkey prodkey.pem
ssl associate cert prodcert prodcert.pem
ssl associate dhparam proddh proddh.pem
ssl associate rsakey intkey intkey.pem
ssl associate cert intcert intcert.pem
ssl associate dhparam intdh intdh.pem

Gilles Dufour (Cisco Employee) Thu, 12/01/2005 - 23:56

You are correct.

If you have multiple domains and each one has its own key/cert, you will need to import all the files and associate them.

FYI, I never saw any site where DH was being used.

So you most probably do not need it.
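
The point made in this thread, that certificates follow domain names rather than VIPs or servers, as an added Python example (not part of the thread and not Cisco code). It assumes the common wildcard rule that `*` stands for exactly one leftmost label; the hostnames and addresses are constructed, and `prodcert`/`intcert` are reused from the question only as labels.

```python
# Added example: maps hostnames to the certificate that covers them.
# All hostnames and VIP addresses below are constructed sample data.

def name_matches(pattern: str, host: str) -> bool:
    """True if a certificate name (exact or '*.' wildcard) covers host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard stands for exactly one leftmost label and needs at
        # least two fixed labels after it (so '*.com' never matches).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def plan_associations(services, certs):
    """services: {hostname: [VIPs]}; certs: {cert_name: [subject names]}.
    Returns ({cert_name: hostnames covered}, hostnames with no certificate)."""
    plan, uncovered = {}, []
    for host in sorted(services):
        for cert, names in certs.items():
            if any(name_matches(n, host) for n in names):
                plan.setdefault(cert, []).append(host)
                break
        else:
            uncovered.append(host)
    return plan, uncovered


# Constructed input: the number of VIPs per hostname does not change the result.
SERVICES = {
    "www.prod.example.com": ["192.0.2.10", "192.0.2.11"],
    "shop.prod.example.com": ["192.0.2.12"],
    "portal.int.example.com": ["192.0.2.20"],
    "a.b.int.example.com": ["192.0.2.21"],
}
CERTS = {
    "prodcert": ["*.prod.example.com"],
    "intcert": ["portal.int.example.com"],
}

if __name__ == "__main__":
    plan, uncovered = plan_associations(SERVICES, CERTS)
    for cert, hosts in plan.items():
        print(cert, "->", ", ".join(hosts))
    print("needs its own certificate:", uncovered)
```

Each certificate name that ends up in the plan corresponds to one key/cert pair to import and associate; a hostname left uncovered needs a further certificate or a broader name on an existing one.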


