Cisco Support Community

ACE combining multiple ssl-certificates & ssl offloading on 1 IP

Hi,

We've configured SSL offloading on a VIP...

policy-map multi-match VIPS-VLANxxx
  class VIP-X.X.X.X-443
    loadbalance vip inservice
    loadbalance policy POLICY-X.X.X.X-443
    loadbalance vip icmp-reply active
    ssl-proxy server star.blah.com

ssl-proxy service star.blah.com
  key star.blah.com
  cert star.blah.com

The offloading is performed by using the wildcard certificate *.blah.com. This works for sites using a hostname *.blah.com...

So far, so good...

However, one of our users is testing his new site (bleh.com). This site is hosted behind the same x.x.x.x VIP. In his local hosts file, he pointed the domain name bleh.com to the same x.x.x.x VIP as we use for blah.com.

What happens next is that his connection to bleh.com is offloaded by using the certificate *.blah.com (because this is what we've currently configured for the x.x.x.x VIP).

Is there any way to use multiple SSL certs for offloading on the SAME VIP? Or do we have to use a different VIP where we can configure ssl-offloading using a certificate for bleh.com?

I was hoping to consolidate a lot of VIPs, but right now this issue seems to force me into using a VIP per hostname (when using ssl-offloading).

I'm not a cert specialist, my apologies for any weird descriptions...

regards,

Jeroen

Message was edited by: Jeroen Huysmans
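
To check which hostnames a certificate actually covers before consolidating them on one VIP, here is an added example (not part of the original post and not ACE configuration) that applies RFC 6125-style wildcard matching and groups hostnames by the certificate that covers them. The certificate contents and hostnames are constructed sample data, and the one-certificate-per-VIP grouping follows the setup shown in the post.

```python
from collections import defaultdict


def name_matches(cert_name: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname (RFC 6125 style).

    A '*' is honoured only as the whole left-most label and stands for
    exactly one label, so '*.blah.com' covers 'www.blah.com' but not
    'blah.com', 'a.b.blah.com' or 'bleh.com'.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h) or "" in h:
        return False
    if c[0] == "*":
        # Reject over-broad patterns such as '*.com'.
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h


def plan_vips(certs: dict, hostnames: list) -> tuple:
    """Group hostnames by the first certificate that covers them.

    certs maps a label to the list of DNS names in that certificate.
    Returns (groups, uncovered): one group per certificate in use,
    plus the hostnames that no certificate covers.
    """
    groups = defaultdict(list)
    uncovered = []
    for host in hostnames:
        for label, names in certs.items():
            if any(name_matches(n, host) for n in names):
                groups[label].append(host)
                break
        else:
            uncovered.append(host)
    return dict(groups), uncovered


# Constructed sample data: labels echo the post's naming, contents are made up.
CERTS = {"star.blah.com": ["*.blah.com"], "bleh.com": ["bleh.com", "www.bleh.com"]}
HOSTS = ["www.blah.com", "shop.blah.com", "blah.com", "bleh.com", "www.bleh.com"]

if __name__ == "__main__":
    groups, uncovered = plan_vips(CERTS, HOSTS)
    for label, hosts in groups.items():
        print(f"{label}: {', '.join(hosts)}")
    print("no matching certificate:", ", ".join(uncovered) or "none")
```

Each group in the output corresponds to one VIP in a one-certificate-per-VIP layout; any hostname listed as uncovered would produce a name-mismatch warning in the client.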

1 REPLY

Perhaps it is better to use a chaingroup with multiple certs in the ssl-proxy config?
