Different SSL certificate for different web virtualhost

aliver
Level 1

Hello!

We have 2 web servers combined in a farm via a CSS 11500 (v.07.50.1.03) and terminate SSL sessions on it. Also we have some virtualhosts for different domains on these servers, and only one certificate and RSA key for all of them on the CSS.

So one content rule with one IP is mapped to one ssl-proxy-list. Now we want to have different certificates for different virtualhosts.

Is it possible? For example, map an ssl-proxy-list not to the VIP IP but to a domain.

Thanks.

Accepted Solution

Gilles Dufour
Cisco Employee

You can have multiple certificates in the CSS, but a certificate is by definition [not Cisco but per RFC] assigned to a domain name.

Again, due to the current technologies/RFCs, you only see the domain inside the HTTP traffic, and to see the HTTP traffic you need to decrypt it, and to decrypt it you need to know the certificate.

Therefore, you have to select the appropriate certificate based on IP/PORT and not on domain.

This is not a limitation of a particular product but how the technology was created.

So, in your case, you can have multiple certificates, assigned to different domains, but each domain must have its own ip:port so that we can identify which certificate to use.

Gilles.

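As an added example (not from this thread, and not Cisco code), the following Python shows the selection problem Gilles describes: a TLS ClientHello that carries no Server Name Indication gives the terminator nothing but the destination IP:port to choose a certificate by, whereas a ClientHello with the SNI extension (a later TLS extension, RFC 6066) lets it select by hostname before anything is decrypted. The certificate names and VIPs are taken from the config in this thread; the hostnames and the ClientHello bytes are constructed for the example.

```python
import struct

# Constructed tables mirroring this thread's scheme: one certificate per (VIP, port);
# the hostnames are hypothetical and only usable once the client sends SNI.
CERT_BY_VIP = {("65.0.0.1", 443): "First_SSL_cert", ("65.0.0.2", 443): "Second_SSL_cert"}
CERT_BY_NAME = {"www.first.example": "First_SSL_cert", "www.second.example": "Second_SSL_cert"}

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello; the SNI extension is added only when sni is given."""
    body = b"\x03\x03" + b"\x00" * 32              # client_version, random (zeros: test input only)
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\x00\x2f"     # one cipher suite
    body += b"\x01\x00"                            # one compression method: null
    if sni is not None:
        host = sni.encode()
        name = b"\x00" + struct.pack("!H", len(host)) + host     # name_type host_name(0)
        sn_list = struct.pack("!H", len(name)) + name
        ext = struct.pack("!HH", 0, len(sn_list)) + sn_list      # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record: handshake

def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None when the client sent none."""
    p = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                  # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher_suites
    p += 1 + record[p]                                  # compression_methods
    if p >= len(record):
        return None                                     # no extensions at all (pre-SNI client)
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                  # server_name: skip list len (2) + name_type (1)
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

def pick_certificate(vip, port, client_hello):
    """With SNI the name decides; without it only the destination IP:port is known before decryption."""
    name = extract_sni(client_hello)
    if name in CERT_BY_NAME:
        return CERT_BY_NAME[name]
    return CERT_BY_VIP.get((vip, port))
```

A client without SNI landing on a VIP that has no ssl-server entry gets no certificate at all, which is why the scheme below gives every site its own VIP.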

3 Replies

Thanks, Gilles!

tjcouey
Level 1

Sure, it's possible. We are currently running with ~15 services and 200+ sites with ~200 SSL certificates. The trick is that you can only run one SSL cert on each public IP address, and you can only have one active SSL proxy list. You have to configure all of your SSL services and public VIPs in the SSL proxy list AND the content rule. For example:

==== SSL Proxy List ====

! list named to match "add ssl-proxy-list production" in the service below
ssl-proxy-list production
  ! one ssl-server per public VIP: the certificate is chosen by VIP:port, never by hostname
  ! the cipher line names the VIP:port the decrypted traffic is forwarded to
  ssl-server 1
  ssl-server 1 cipher rsa-with-rc4-128-md5 65.0.0.1 80
  ssl-server 1 vip address 65.0.0.1
  ssl-server 1 rsacert First_SSL_cert
  ssl-server 1 rsakey First_SSL_key
  ssl-server 2
  ssl-server 2 cipher rsa-with-rc4-128-md5 65.0.0.2 80
  ssl-server 2 vip address 65.0.0.2
  ssl-server 2 rsacert Second_SSL_cert
  ssl-server 2 rsakey Second_SSL_key
  active

==== SSL Service ====

service production_ssl
  type ssl-accel
  keepalive type none
  slot 2
  add ssl-proxy-list production
  active

==== Content Rule ====

! the port 443 rules hand the encrypted traffic to the SSL service
content FirstSite_443
  vip address 65.0.0.1
  protocol tcp
  port 443
  add service production_ssl
  active

! the port 80 rules receive the decrypted traffic from ssl-server 1 (65.0.0.1 80)
content FirstSite_80
  vip address 65.0.0.1
  protocol tcp
  port 80
  add service server1
  add service server2
  active

content SecondSite_443
  vip address 65.0.0.2
  protocol tcp
  port 443
  add service production_ssl
  active

! decrypted traffic from ssl-server 2 (65.0.0.2 80)
content SecondSite_80
  vip address 65.0.0.2
  protocol tcp
  port 80
  add service server1
  add service server2
  active

If you follow this scheme, you should have a config that is very easy to read, and functional too!
