Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4576
Views
0
Helpful
5
Replies

Multiple certificates on the same shared SSL VIP possible using a CSS?

scottmcgillivray
Level 1
Level 1

‎02-27-2011 07:54 AM

Hi again,

Does anyone know if it's possible to use the same VIP with different certificates on a CSS 11503? For example with the below config, contained in the same ssl-proxy-list, have one VIP assigned to multiple certificates.

  ssl-proxy-list TESTPUB_SSL

  ssl-server 100
  ssl-server 100 rsacert site1cert
  ssl-server 100 rsakey site1key
  ssl-server 100 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
  ssl-server 100 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
  ssl-server 100 vip address 10.20.30.40
  ssl-server 200
  ssl-server 200 rsacert site2cert
  ssl-server 200 rsakey site2key
  ssl-server 200 cipher rsa-with-rc4-128-md5 10.20.30.40 80 weight 5
  ssl-server 200 cipher rsa-with-rc4-128-sha 10.20.30.40 80 weight 4
  ssl-server 200 vip address 10.20.30.40
  active

I found several discussions on this topic and the conclusion was that it's not possible but these examples were all using multiple ssl-proxy-lists.I'm thinking that if it's in the same proxy-list that it might?

We have a small development/testing setup which I'd like to use one public IP as a front to all the backend servers but two of the backend servers use different SSL cert's. I am planning to use L5 rules to send traffic to the relevant servers/services depending on URL but want to perform SSL offload on the CSS hence why i want multiple certs working off one shared VIP.

Hopefully that makes sense. Thanks for reading and any advice.

Scott

Labels:
0 Helpful
5 Replies 5

Gilles Dufour
Cisco Employee
Cisco Employee

‎02-28-2011 08:02 AM

How do you know which certificate to use ???

The reason it's not possible is because the SSL protocol does not allow us to do it.

To see the HTTP request and the url you need to decrypt the traffic.

And to decrypt the traffic you need to know which certificate to use.

Therefore, you have to use the ip address or the tcp port to distinguish the connections and select the appropriate certificate.

Gilles.

0 Helpful

scottmcgillivray
Level 1
Level 1
In response to Gilles Dufour

‎02-28-2011 09:33 AM

ok many thanks, i'll add a 'port 444' clause to one of the ssl-proxy entries to differentiate it.

Scott

0 Helpful

ahmed.gadi
Level 1
Level 1
In response to scottmcgillivray

‎05-25-2011 11:39 PM

Hi scott,

            Has it worked for you ?

I have same scenario. can you please confirm ?

Regards

Ahmed...

0 Helpful

scottmcgillivray
Level 1
Level 1
In response to ahmed.gadi

‎05-26-2011 12:26 AM

sadly you can't use L5/url rules to dictate which certificate is used so I had to just use a differnt port other than 443 for each additional ssl policy i wanted on the same vip.In my case i just used 444 and told the web dev team to link there since it was just a QA environment.

So just use the 'port 444' option within both the content and ssl-proxy-list config stanzas to link the VIP to the correct ssl cert.

hope that helps

Scott

0 Helpful

ahmed.gadi
Level 1
Level 1
In response to scottmcgillivray

‎05-26-2011 02:26 AM

thanks scott,

                  I am with customer now and genearted 2 CSRs and send them to verisign.

I will do as you explain and will update you.

Regards

Ahmed...

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents