
multiple certificates

followurself
Level 1

Hi,

We have 2 CSS in our network: one we use in production and the other in a testing environment. Each has one SSL module. We don't run them in failover mode, but if the prod fails for some reason we use testing to connect. Now we have trouble loading the certificates and copying the config from prod. What we want is to load the certificate on the testing CSS and configure the ports. If our prod fails, we just have to swap the cables.

Question:

1) Can we load multiple certificates on the CSS and to a single SSL module? How to do that? Can we get the config?

Thanks

9 Replies

Gilles Dufour
Cisco Employee

You can upload multiple certificates into the CSS.

You can see all your files with the command 'show ssl file'.

You then create an association for each file.

Use the command 'show ssl associate' to verify which association you have.

Then inside your ssl-proxy-list, you can have multiple ssl-server.

Each server has a unique id.

You can use different certificate/key for each server.

ie:

ssl-proxy-list gdufour
  ssl-server 1
  ssl-server 1 rsakey LabKey
  ssl-server 1 rsacert LabCert
  <..>
  ssl-server 2 rsakey ProdKey
  ssl-server 2 rsacert ProdCert
  <...>

Gilles.
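
An added example (not part of the original reply, and not Cisco tooling): a Python check that compares the key and certificate bound to each ssl-server on the production and test CSS, so a missing or mismatched association on the standby unit is found before the cables are swapped. The sample configs are constructed, the function names are hypothetical, and only the ssl-proxy-list syntax shown in the reply above is assumed.

```python
import re

# Constructed sample configs (not from the thread). Assumption: only the
# ssl-proxy-list / ssl-server syntax quoted in the reply above is parsed.
PROD_CFG = """\
ssl-proxy-list gdufour
  ssl-server 1
  ssl-server 1 rsakey LabKey
  ssl-server 1 rsacert LabCert
  ssl-server 2
  ssl-server 2 rsakey ProdKey
  ssl-server 2 rsacert ProdCert
"""
TEST_CFG = """\
ssl-proxy-list gdufour
  ssl-server 1
  ssl-server 1 rsakey LabKey
  ssl-server 1 rsacert LabCert
  ssl-server 2
  ssl-server 2 rsacert ProdCert
"""

LINE = re.compile(r"^ssl-server\s+(\d+)(?:\s+(rsakey|rsacert)\s+(\S+))?\s*$")

def parse_ssl_servers(cfg):
    """Return {(list_name, server_id): {"rsakey": name, "rsacert": name}}."""
    servers, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("ssl-proxy-list "):
            current = line.split()[1]
        elif current and (m := LINE.match(line)):
            entry = servers.setdefault((current, int(m.group(1))), {})
            if m.group(2):
                entry[m.group(2)] = m.group(3)
    return servers

def audit(prod_cfg, test_cfg):
    """Return (server, field, prod_value, test_value) for every difference."""
    prod, test = parse_ssl_servers(prod_cfg), parse_ssl_servers(test_cfg)
    findings = []
    for key, want in sorted(prod.items()):
        have = test.get(key)
        if have is None:
            findings.append((key, "missing", None, None))
            continue
        for field in ("rsakey", "rsacert"):
            if have.get(field) != want.get(field):
                findings.append((key, field, want.get(field), have.get(field)))
    return findings
```

With the constructed samples, `audit(PROD_CFG, TEST_CFG)` reports that ssl-server 2 on the test unit has a certificate but no key bound to it.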

Thanks Gilles for the response. Can you guide me with some link which explains how to upload multiple certificates and associate them with a file?

Can you please tell me in brief the steps?

As I understand:

load certificate, load key, create ssl proxy list, content rule, owner... Please can you let me know the order?

followurself
Level 1

So I can load the other certificate on the test CSS, replicate the config from prod to the test CSS... In this way I have 2 certificates, one SSL module, multiple configurations... so it works, am I right?

followurself
Level 1

Hello Gilles,

I was reading one of your replies in a forum regarding GSLB... Is GSLB only failover for servers? Well, in my post I asked about multiple certificates to be loaded on the CSS. A few days back we raised a question to our ISP to provide us BGP failover. They too mentioned GSLB, but I wasn't convinced. What we want:

ISP 1---site 1---css1-- Pri web servers

ISP 2---site 2---css2---sec web servers

As I understand, when the request comes to css1 (assuming GSLB is configured between css1 and css2) it acts like DNS and sends the traffic to the pri web servers... so there's some communication between css1 and the pri web servers... some kind of keepalive... For a request to come in to css1, my link with isp1 or the path to isp1 on the internet should be available... My question is, what if the link to isp 1 fails, or isp 1 is not available over the internet, how will the requests get routed via isp2 to css 2 and then the sec web servers... what kind of intelligence will make it happen... BGP is implemented to do failover of ISPs; will GSLB help in doing the same?

GSLB works with DNS.

It lets the CSS (or, preferably, a GSS - Global Site Selector) respond to DNS queries.

The GSS or CSS uses keepalives to see which site is available before responding.

2 DNS entries would be configured in the upstream DNS server so that if one site is not available, the DNS request can be sent to the other site.

There are a few documents talking about GSLB on our website.

You should be able to find them.

Gilles.

Hi Gilles,

Can you please let me know more? But does that mean, if the link with one ISP or the ISP itself is not reachable on the internet, how will packets get routed over to the other site? Can you please let me know how it works with GSLB? Where will the upstream DNS reside? I need to understand how packets will be routed over the internet to the other site if the primary ISP is not available. As a customer, what do I need to do, and at the ISP level what needs to be done?

Hello Gilles,

I will appreciate it if you can reply.
