
Multiple SSL certs w/single vip

ehgotz
Level 1

How would I have two URLs point to one VIP with SSL termination enabled on the ACE? Is it as simple as adding the second cert/key pair to the ssl-proxy service?

7 Replies

Gilles Dufour
Cisco Employee

NO !!!

A certificate is always associated to a single website/server name and your server name will resolve to a single ip address which is a vip.

In other words, you need 2 vip if you have 2 websites.

Another reason is that you only know the Hostname inside the client request after decrypting the traffic and to decrypt the traffic you need to know which certificate to use.

Therefore you can't use a single vip for 2 websites as you won't be able to determine which certificate to use.

Gilles.

Gilles

Would a wildcard certificate work in this situation?

*.abc.com

Yes.

A wildcard certificate is a good solution assuming your sites are part of the same domain.

In this case a single certificate is enough for the SSL part and you can then use the decoded info to detect which website the client is looking for.

Gilles.

Hi Gilles,

I'm trying to set up something similar (Wildcard cert for multiple sites using the same domain). Could you please share a sample configuration?

Thanks,

John

carlsond
Level 1

You can also associate more than one URL within your Cert. This would allow you to install just the one cert rather than having the cost and maint. of two.

If I were to use a single certificate for all the hosts within the same domain, what would be the common-name while setting up csr-params?

For e.g.: Domain is : xyz.com

Will the common name be : *.xyz.com

i.e. under 'crypto csr-params' it will be like 'common-name *.xyz.com'.

Please confirm.

Thanks.

You are right.

common-name *.xyz.com

in the csr-param will do.

Syed iftekhar Ahmed
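
The two steps discussed in this thread (a wildcard name such as `*.xyz.com` covering several sites, then using the decrypted Host header to pick the site), as an added Python illustration that is not from any poster here and is not Cisco ACE configuration. The hostnames, farm names and function names are constructed for the example; the matching follows the common rule that a wildcard stands for exactly one leftmost label, so `*.xyz.com` does not cover `xyz.com` or `a.b.xyz.com`.

```python
# Added example: wildcard certificate name matching plus Host-based routing.
# All hostnames and server-farm names below are constructed for illustration.

def cert_covers(pattern: str, hostname: str) -> bool:
    """True if a certificate name (exact or '*.domain') covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard spans exactly one label, never zero or two
    if p[0] == "*":
        # Require at least '*.name.tld' so a pattern like '*.com' is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def route(host_header: str, cert_names: list, farms: dict):
    """After decryption, choose a backend from the HTTP Host header.

    Returns the farm name, or None when the host is not covered by the
    certificate or has no farm configured for it.
    """
    host = host_header.split(":")[0].strip().lower()  # drop optional :port
    if not any(cert_covers(name, host) for name in cert_names):
        return None
    return farms.get(host)


# Constructed sample data: one wildcard certificate, two sites behind one VIP.
CERT_NAMES = ["*.xyz.com"]
FARMS = {"www.xyz.com": "farm-www", "shop.xyz.com": "farm-shop"}

if __name__ == "__main__":
    samples = ["www.xyz.com", "shop.xyz.com:443", "xyz.com",
               "a.b.xyz.com", "www.abc.com"]
    for s in samples:
        host = s.split(":")[0]
        covered = any(cert_covers(n, host) for n in CERT_NAMES)
        print(f"{s:18} covered={covered!s:5} farm={route(s, CERT_NAMES, FARMS)}")
```

If the bare domain must be served from the same VIP, the certificate needs that name as an additional entry, since the wildcard alone does not match it.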
