Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Different SSL certificate for different web virtualhost

Hello!

We have 2 web servers combined in farm via CSS 11500 (v.07.50.1.03) and terminate SSL sessions to these one. Also We have some virtualhosts for different domains on these servers and only one certificate and RSAkey for all on CSS.

So one content with one IP is mapping to one ssl-proxy-list.Now we want to have different certificates for different virtualhosts.

Does it possible? For example map ssl-proxy-list not to VIP IP,but to domain.

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Different SSL certificate for different web virtualhost

you can have multiple certificates in the CSS but a certificate is by definition [not Cisco but per RFC] assigned to a domain name.

Again, due to the current technologies/RFC, you only see the domain inside the HTTP traffic, and to see the HTTP traffic you need to decrypt and to decrypt it, you need to know the certificate.

Therefore, you have to select the appropriate certificate based on IP/PORT and not on domain.

This is not a limitation of a particular product but how the technology was created.

So, in your case, you can have multiple certificates, assigned to different domain, but each domain must have its own ip:port so that we can identify which certificate to use.

Gilles.

3 REPLIES
Cisco Employee

Re: Different SSL certificate for different web virtualhost

you can have multiple certificates in the CSS but a certificate is by definition [not Cisco but per RFC] assigned to a domain name.

Again, due to the current technologies/RFC, you only see the domain inside the HTTP traffic, and to see the HTTP traffic you need to decrypt and to decrypt it, you need to know the certificate.

Therefore, you have to select the appropriate certificate based on IP/PORT and not on domain.

This is not a limitation of a particular product but how the technology was created.

So, in your case, you can have multiple certificates, assigned to different domain, but each domain must have its own ip:port so that we can identify which certificate to use.

Gilles.

New Member

Re: Different SSL certificate for different web virtualhost

Thanks,Gilles!

New Member

Re: Different SSL certificate for different web virtualhost

Sure, its possible. We are currently running with ~15 services and 200+ sites with ~200 ssl certificates. The trick is that you can only run one SSL Cert on each public IP address - and you can only have one active SSL proxy list . You have to configure all of your SSL services and public VIPs in the SSL Proxy list AND the content rule. For example:

==== SSL Proxy List ====

ssl-server 1

ssl-server 1 cipher rsa-with-rc4-128-md5 65.0.0.1 80

ssl-server 1 vip address 65.0.0.1

ssl-server 1 rsacert First_SSL_cert

ssl-server 1 rsakey First_SSL_key

ssl-server 2

ssl-server 2 cipher rsa-with-rc4-128-md5 65.0.0.2 80

ssl-server 2 vip address 65.0.0.2

ssl-server 2 rsacert Second_SSL_cert

ssl-server 2 rsakey Second_SSL_key

==== SSL Service ====

service production_ssl

type ssl-accel

keepalive type none

slot 2

add ssl-proxy-list production

active

==== Content Rule ====

content FirstSite_443

vip address 65.0.0.1

protocol tcp

port 443

add service production_ssl

active

content FirstSite_80

vip address 65.0.0.1

protocol tcp

port 443

add service server1

add service server2

active

content SecondSite_443

vip address 65.0.0.2

protocol tcp

port 443

add service production_ssl

active

content SecondSite_80

vip address 65.0.0.2

protocol tcp

port 443

add service server1

add service server2

active

If you follow this scheme then you should have a very easy to read config and functional too!

241
Views
0
Helpful
3
Replies
CreatePlease to create content