
New Member

SSL offload on ACE

Deploying an application using GSS and ACE. Each site will have 2 ACEs in Active/Standby mode, and a GSS at each site to do the global load balancing.

Wondering, on all ACEs do I need to have the same certs and keys?

As I will create CSR parameters and a key and get the certs from the CA, and install them on the primary (keys) and import the same certs on the secondary. Will it be applicable to all the other remaining 3 ACEs?

Or on each primary ACE do I need to create CSR parameters and generate a key, and import the certs onto the failover?

Experts, help me in understanding this.

3 REPLIES
Cisco Employee

SSL offload on ACE

Hi

You need to have a correct certificate for each domain name, or a wildcard certificate. E.g. you have web sites: my.domain.net, yours.domain.net, test.nice.com. So on all ACEs you need to have correct certificates for each domain (or, if wildcard, one for domain *.domain.net and one for *.nice.com). These certificates can be the same or can be different; the only thing which matters is for what domain they are issued.

You can have the same keys and certificates on all your ACEs and actually, from a manageability and scalability point of view, it seems to be the best approach.

New Member

SSL offload on ACE

Hi Borys Berlog, thanks for your response.

But wondering, I will have 2 pairs of ACEs at each site, in active/standby mode. They will be hosting separate domain names, but the backend apps will be the same at both locations.

In such a scenario, do I need to generate a key and CSR on the ACE in order to get the certs, or does the server team provide me the certs and the key?

How will this work? Please help me on this.

Cisco Employee

SSL offload on ACE

Hi

The purpose of a certificate is to ensure that the site you're connecting to is really the site you expect it to be. Thus the certificate is tied to the DNS name of the site. The browser checks whether the domain name in the certificate corresponds to the name you use to access the site. If not, the browser will show you a Security alert. You can ignore it and continue and it will work.

So, to have everything working nicely you need to have a different certificate for each domain name, or have a wildcard certificate.

E.g. you have 3 VIPs on the ACE: 1.1.1.1, 2.2.2.2, 3.3.3.3 and DNS configured like:

nice.domain.net = 1.1.1.1

bad.domain.net = 2.2.2.2

test.test.com = 3.3.3.3

So in this case you need to either have 3 certificates, one for each domain name, or one certificate for test.test.com and one wildcard for *.domain.net. They can be provided by the server team; it depends on the scope of responsibilities you have in your organization.

However, you can configure the ACE with any certificate; it will work, just the client will see a Security alert in his browser that the certificate doesn't correspond to the site.
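The name check the reply describes, as an added example that is not from the thread: simplified RFC 6125 matching (exact case-insensitive match, or a single wildcard in the leftmost label covering exactly one label), run over the reply's three DNS names to show which certificate sets leave a site with a browser Security alert. `name_matches`, `uncovered_sites` and `DNS` are assumed names for this example.

```python
"""Does a certificate name (CN or SAN dNSName) cover a hostname?
Added example; rules are a simplified form of RFC 6125 hostname matching."""


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if cert_name covers hostname the way a browser would accept it."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(cert_labels) != len(host_labels):
        return False
    # Only the leftmost label may be a wildcard, and only as a whole label.
    if any("*" in label for label in cert_labels[1:]):
        return False
    if cert_labels[0] == "*":
        # Reject *.com / *.net style wildcards: nothing sane issues those.
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    if "*" in cert_labels[0]:
        return False  # partial wildcards like w*.domain.net: treat as no match
    return cert_labels == host_labels


def uncovered_sites(dns: dict[str, str], cert_names: list[str]) -> list[str]:
    """DNS names that no installed certificate covers; each of these would
    trigger the Security alert the reply mentions."""
    return sorted(
        host for host in dns
        if not any(name_matches(cert, host) for cert in cert_names)
    )


# Constructed from the reply: three VIPs and the names pointing at them.
DNS = {
    "nice.domain.net": "1.1.1.1",
    "bad.domain.net": "2.2.2.2",
    "test.test.com": "3.3.3.3",
}

if __name__ == "__main__":
    for certs in (["*.domain.net", "test.test.com"],
                  ["nice.domain.net", "test.test.com"],
                  ["*.domain.net"]):
        print(certs, "-> uncovered:", uncovered_sites(DNS, certs))
```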
