Cisco Support Community

New Member

Multiple SSL certs w/single vip

How would I have two URLs point to one VIP with SSL termination enabled on the ACE? Is it as simple as adding the second cert/key pair to the ssl-proxy service?

7 REPLIES
Cisco Employee

Re: Multiple SSL certs w/single vip

NO !!!

A certificate is always associated to a single website/server name and your server name will resolve to a single IP address which is a VIP.

In other words, you need 2 vip if you have 2 websites.

Another reason is that you only know the Hostname inside the client request after decrypting the traffic and to decrypt the traffic you need to know which certificate to use.

Therefore you can't use a single vip for 2 websites as you won't be able to determine which certificate to use.

Gilles.

New Member

Re: Multiple SSL certs w/single vip

Gilles

Would a wildcard certificate work in this situation?

*.abc.com

Cisco Employee

Re: Multiple SSL certs w/single vip

Yes.

A wildcard certificate is a good solution assuming your sites are part of the same domain.

In this case a single certificate is enough for the SSL part and you can then use the decoded info to detect which website the client is looking for.

Gilles.

New Member

Re: Multiple SSL certs w/single vip

Hi Gilles,

I'm trying to set up something similar (wildcard cert for multiple sites using the same domain). Could you please share a sample configuration?

Thanks,

John

New Member

Re: Multiple SSL certs w/single vip

You can also associate more than one URL within your Cert. This would allow you to install just the one cert rather than having the cost and maint. of two.

New Member

Re: Multiple SSL certs w/single vip

If I were to use a single certificate for all the hosts within the same domain, what would be the common-name while setting up csr-params?

E.g., the domain is: xyz.com

Will the common name be *.xyz.com?

i.e. under 'crypto csr-params' it will be like 'common-name *.xyz.com'.

Please confirm.

Thanks.

Re: Multiple SSL certs w/single vip

You are right.

common-name *.xyz.com

in the csr-param will do.

Syed iftekhar Ahmed
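
The wildcard approach from the replies above (one `*.xyz.com` certificate for the SSL part, then the decoded request to find the site), as an added Python example that is not part of the original thread and is not ACE configuration. It assumes the strict matching rule where `*` stands for exactly one left-most label; the `SITES` map and `FARM_*` names are hypothetical.

```python
"""Added example: what a wildcard common name covers, and picking the site
from the Host header once TLS has been terminated."""

CERT_CN = "*.xyz.com"  # common name discussed in the thread
# Hypothetical host-to-serverfarm map, constructed for this example.
SITES = {"www.xyz.com": "FARM_WWW", "shop.xyz.com": "FARM_SHOP"}


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if the certificate name covers hostname.

    Assumed rule: '*' is valid only as the whole left-most label and
    matches exactly one label, so *.xyz.com covers neither xyz.com
    nor a.b.xyz.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h or "*" in hostname:
        return False
    if p[0] == "*":
        # Need two fixed labels after '*', so '*.com' never matches.
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return p[1:] == h[1:]
    return "*" not in pattern and p == h


def route(decrypted_request: bytes):
    """Return the serverfarm for a decrypted HTTP request, or None.

    The Host header is readable only after decryption, which is why a
    single certificate has to cover every site behind the VIP.
    """
    head = decrypted_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    fields = (line.partition(":") for line in head.split("\r\n")[1:])
    hosts = [v.strip().lower() for n, _, v in fields
             if n.strip().lower() == "host"]
    if len(hosts) != 1:  # missing or duplicated Host header is ambiguous
        return None
    host = hosts[0].split(":", 1)[0]  # drop an optional :port
    if not wildcard_covers(CERT_CN, host):
        return None  # name the certificate cannot vouch for
    return SITES.get(host)


if __name__ == "__main__":
    for name in ("www.xyz.com", "xyz.com", "a.b.xyz.com", "www.abc.com"):
        print(name, wildcard_covers(CERT_CN, name))
    # Constructed sample request
    print(route(b"GET / HTTP/1.1\r\nHost: shop.xyz.com:443\r\n\r\n"))
```
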
