
ACE 4710 Multiple Server Farms and Multiple SSL Certs?

Mike McWethy
Level 1

I am currently using the ACE4710 to load balance across 3 servers in one server farm that serves a website for our customers. We are using SSL for HTTPS, and the cert was created for that particular domain/site. Management would like to add a website that contains a customer portal login that will also require SSL encryption, but the certificate will be for another domain/site name. My question is: can I install multiple SSL certificates into the ACE, and how do I bind a specific certificate to the relevant site? Do I need to create another server farm with separate real servers and a separate VIP to handle just the site with the corresponding SSL certificate? We JUST renewed our EV cert for the existing website that is currently load balanced, so purchasing a new cert which contains the multiple domains would like to be avoided if possible.

Maybe a simpler way to see this is: if a person wanted to load balance 3 IIS servers serving multiple websites with multiple SSL certificates, how do they correspond the certificates to the relevant sites?

2 Replies

Gilles Dufour
Cisco Employee

You can upload as many certificates/keys as needed.

You then bind the key and cert under an ssl-proxy service.

For example:

ssl-proxy service CSS11503-2
  key css11503-2-key.pem
  cert css11503-2-cert.pem

Then, inside your policy-map, under the appropriate class-map you specify which ssl-proxy to use.

As you will quickly understand, you need one vip per site.

This is required by SSL.

So your policy will be

policy ....
  class site1
    ssl-proxy server SSL1
  class site2
    ssl-proxy server SSL2

Some people do not want to use a different IP for each site. You then need to order a special SSL certificate which is for multiple domains.

Gilles.

To go on with Gilles' statement,

The basic view for hosting multiple sites is to set a specific certificate for each site, then define an HTTPS virtual server for each site.

Another view is to use a cross-domain (wildcard) certificate with one virtual server if all your sites belong to the same domain, and then match the Host field of the HTTP headers.

Another view is to use SAN (Subject Alternative Names) certificates if all the hosted sites don't belong to the same domain.

Another recent solution is to use SNI (Server Name Indication), but the ACE doesn't support it at the moment.
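The options listed in the replies above can be compared with a short script. This is an added example, not part of the original thread and not Cisco code: it matches site names against certificate names (exact, wildcard, SAN list) and counts how many VIPs a load balancer without SNI needs, one per certificate. All hostnames and certificate labels are constructed for illustration.

```python
# Added example (not from the thread). Hostnames and certificate labels are constructed.

def name_matches(pattern, host):
    """Certificate name match: '*' may only be the whole left-most label
    and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice: need two fixed labels, so '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covers(cert_names, host):
    """True if any name in the certificate covers the host."""
    return any(name_matches(n, host) for n in cert_names)

def plan_vips(sites, certs):
    """Greedy plan for a device without SNI: returns ({cert: [sites]}, uncovered).
    Every certificate in the plan needs its own VIP."""
    remaining, plan = list(sites), {}
    while remaining and certs:
        best = max(certs, key=lambda c: sum(covers(certs[c], s) for s in remaining))
        served = [s for s in remaining if covers(certs[best], s)]
        if not served:
            break
        plan[best] = served
        remaining = [s for s in remaining if s not in served]
    return plan, remaining

SITES = ["www.example.com", "portal.example.net"]
PER_SITE = {"www-ev": ["www.example.com"], "portal": ["portal.example.net"]}
WILDCARD = {"wild": ["*.example.com"]}
SAN = {"san": ["www.example.com", "portal.example.net"]}

if __name__ == "__main__":
    for label, certs in (("per-site", PER_SITE), ("wildcard", WILDCARD), ("SAN", SAN)):
        plan, uncovered = plan_vips(SITES, certs)
        print(f"{label}: {len(plan)} VIP(s) {plan}, uncovered: {uncovered}")
```

With two sites in different domains, the per-site certificates need two VIPs, the wildcard leaves the second domain uncovered, and only the SAN certificate serves both from one VIP.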
