I am currently using the ACE4710 to load balance across 3 servers in one server farm that serves a website for our customers. We are using SSL for HTTPS, and the cert was created for that particular domain/site. Management would like to add a website that contains a customer portal login that will also require SSL encryption, but the certificate will be for another domain/site name. My question is: can I install multiple SSL certificates into the ACE, and how do I bind a specific certificate to the relevant site? Do I need to create another server farm with separate real servers and a separate VIP to handle just the site with the corresponding SSL certificate? We JUST renewed our EV cert for the existing website that is currently load balanced, so we would like to avoid purchasing a new cert that contains multiple domains if possible.
Maybe a simpler way to see this is: if a person wanted to load balance 3 IIS servers serving multiple websites with multiple SSL certificates, how do they match the certificates to the relevant sites?
You can upload as many certificates/keys as needed.
You then bind the key and cert under an ssl-proxy service.
For example:
ssl-proxy service CSS11503-2
Then, inside your policy-map, under the appropriate class-map you specify which ssl-proxy to use.
As you will quickly understand, you need one vip per site.
This is required by SSL.
So your policy will be
ssl-proxy server SSL1
ssl-proxy server SSL2
Some people do not want to use a different ip for each site. You then need to order a special ssl certificate which is for multiple domains.
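The per-site binding described above, written out as an added ACE configuration example (not from the original post or from Cisco): two ssl-proxy services, each tied to its own VIP through a class-map in the multi-match policy. The service names SSL1/SSL2, the file names, the two VIP addresses, the shared serverfarm WEB-FARM and the VLAN number are all assumed values; reusing one serverfarm for both VIPs is also an assumption (the ACE terminates SSL and forwards plain HTTP to the same IIS servers, which select the site by Host header).

```text
! One ssl-proxy service per certificate; each references the key and cert
! already uploaded to the ACE (file names assumed)
ssl-proxy service SSL1
  key site1-key.pem
  cert site1-cert.pem
ssl-proxy service SSL2
  key portal-key.pem
  cert portal-cert.pem

! One VIP per site: the client sees only the IP it connected to,
! so the VIP is what selects the certificate (addresses assumed)
class-map match-all VIP-SITE1
  2 match virtual-address 192.0.2.10 tcp eq https
class-map match-all VIP-PORTAL
  2 match virtual-address 192.0.2.11 tcp eq https

! Both VIPs can share the existing farm (assumption: same IIS servers
! host both sites); the ACE sends decrypted HTTP to the reals
serverfarm host WEB-FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
  rserver WEB3 80
    inservice

policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm WEB-FARM

! The class-map decides which ssl-proxy service (and therefore which cert)
! answers the handshake on each VIP
policy-map multi-match CLIENT-VIPS
  class VIP-SITE1
    loadbalance vip inservice
    loadbalance policy LB-WEB
    ssl-proxy server SSL1
  class VIP-PORTAL
    loadbalance vip inservice
    loadbalance policy LB-WEB
    ssl-proxy server SSL2

interface vlan 100
  service-policy input CLIENT-VIPS
  no shutdown
```

After applying, `show ssl-proxy service` and `show service-policy CLIENT-VIPS detail` confirm which service is attached to each VIP; a browser warning on one VIP but not the other almost always means the class-maps point at swapped ssl-proxy services.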
To go on with Gilles' statement,
The basic view for hosting multiple sites is to set a specific certificate for each site, then define an HTTPS virtual server for each site.
Another view is to use a cross-domain (wildcard) certificate with one virtual server if all your sites belong to the same domain, and then match the Host field of the HTTP headers.
Another view is to use SAN (Subject Alternative Name) certificates if the hosted sites don't all belong to the same domain.
Another recent solution is to use SNI (Server Name Indication), but the ACE doesn't support it at the moment.