scottmcgillivray
Beginner

Multiple certificates on the same shared SSL VIP possible using a CSS?

Hi again,

Does anyone know if it's possible to use the same VIP with different certificates on a CSS 11503? For example with the below config, contained in the same ssl-proxy-list, have one VIP assigned to multiple certificates.

  ssl-proxy-list TESTPUB_SSL

  ssl-server 100
  ssl-server 100 rsacert site1cert
  ssl-server 100 rsakey site1key
  ssl-server 100 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
  ssl-server 100 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
  ssl-server 100 vip address 10.20.30.40
  ssl-server 200
  ssl-server 200 rsacert site2cert
  ssl-server 200 rsakey site2key
  ssl-server 200 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
  ssl-server 200 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
  ssl-server 200 vip address 10.20.30.40
  active

I found several discussions on this topic and the conclusion was that it's not possible, but these examples were all using multiple ssl-proxy-lists. I'm thinking that if it's in the same proxy-list it might?

We have a small development/testing setup where I'd like to use one public IP as a front to all the backend servers, but two of the backend servers use different SSL certs. I am planning to use L5 rules to send traffic to the relevant servers/services depending on URL, but want to perform SSL offload on the CSS, hence why I want multiple certs working off one shared VIP.

Hopefully that makes sense. Thanks for reading and any advice.

Scott

5 REPLIES
Gilles Dufour
Cisco Employee

How do you know which certificate to use ???

The reason it's not possible is because the SSL protocol does not allow us to do it.

To see the HTTP request and the url you need to decrypt the traffic.

And to decrypt the traffic you need to know which certificate to use.

Therefore, you have to use the ip address or the tcp port to distinguish the connections and select the appropriate certificate.

Gilles.
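To illustrate Gilles' point, here is an added example (not code from this thread or from Cisco): a minimal parser for the cleartext part of a TLS ClientHello, which is everything a VIP can inspect before it has chosen a certificate and decrypted the session. It goes one step beyond the thread by also parsing the server_name (SNI) extension that later clients added; without it, the only selectors left are destination IP and port, exactly the port-based split discussed here. The hostname site2.example, the cert labels and the hello bytes are constructed for the example.

```python
"""What a load balancer can see in a ClientHello before decrypting anything."""
import struct


def build_client_hello(sni=None):
    """Construct a bare-bones TLS 1.0 ClientHello (constructed input, not a capture)."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    body += struct.pack(">H", 2) + b"\x00\x04"            # one suite: TLS_RSA_WITH_RC4_128_MD5
    body += b"\x01\x00"                                   # one compression method: null
    if sni is not None:                                   # optional server_name extension
        host = sni.encode()
        entry = b"\x00" + struct.pack(">H", len(host)) + host     # name_type host_name (0)
        ext_data = struct.pack(">H", len(entry)) + entry
        ext = struct.pack(">HH", 0, len(ext_data)) + ext_data     # extension type 0
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs  # record type handshake


def parse_client_hello(raw):
    """Return the only cert-selection hints sent in cleartext: version and SNI (if any)."""
    if raw[0] != 0x16 or raw[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                               # skip record + handshake headers
    version = raw[pos:pos + 2].hex()
    pos += 2 + 32                                         # version, random
    pos += 1 + raw[pos]                                   # session id
    pos += 2 + struct.unpack(">H", raw[pos:pos + 2])[0]   # cipher suites
    pos += 1 + raw[pos]                                   # compression methods
    sni = None
    if pos < len(raw):                                    # extensions block is optional
        end = pos + 2 + struct.unpack(">H", raw[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", raw[pos:pos + 4])
            pos += 4
            if etype == 0:                                # server_name: list len, type, name len
                nlen = struct.unpack(">H", raw[pos + 3:pos + 5])[0]
                sni = raw[pos + 5:pos + 5 + nlen].decode()
            pos += elen
    return {"version": version, "sni": sni}


def choose_cert(dst_port, raw, cert_by_port, cert_by_name):
    """Pick a cert the way a VIP must: by SNI if the client sent one, else by port."""
    hello = parse_client_hello(raw)
    if hello["sni"] in cert_by_name:
        return cert_by_name[hello["sni"]]
    return cert_by_port.get(dst_port)                     # the CSS-era answer: port decides
```

A hello without the extension parses to `sni: None`, so the HTTP Host header and URL, which only exist after decryption, can never influence which certificate is presented.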

OK, many thanks. I'll add a 'port 444' clause to one of the ssl-proxy entries to differentiate it.

Scott

Hi Scott,

Has it worked for you?

I have the same scenario. Can you please confirm?

Regards

Ahmed...

Sadly you can't use L5/URL rules to dictate which certificate is used, so I had to just use a different port other than 443 for each additional SSL policy I wanted on the same VIP. In my case I just used 444 and told the web dev team to link there, since it was just a QA environment.

So just use the 'port 444' option within both the content and ssl-proxy-list config stanzas to link the VIP to the correct SSL cert.

Hope that helps.

Scott

Thanks Scott,

I am with the customer now and have generated 2 CSRs and sent them to VeriSign.

I will do as you explained and will update you.

Regards

Ahmed...