04-07-2011 12:01 PM
Here's what I want to do. I'm kind of an ACE newbie so wanted to put this out there before I even attempted it.
We have load balanced web servers behind the ACE that host multiple websites. Previously SSL was performed on the web servers and separate IP addresses were required for each site.
I'd like to consolidate/eliminate some IP waste and try to use only one VIP. Is it possible to tie multiple certificates to a single VIP? Content delivery would be done through host headers.
Thanks.
Jason
04-07-2011 12:15 PM
Jason,
What you want to do is possible if you have a wildcard cert, or a Subject Alternative Name (SAN) cert. You can only have one cert in the proxy service. You need a cert that is valid for all domains you are using to this VIP to avoid the client getting security warnings.
Hope that helps
Best regards
Jim
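The requirement in the reply above, that the one certificate be valid for every domain served on the VIP, can be checked before cutover. This is an added example, not part of the original thread; the SAN entries and host names are constructed sample values, and the function names are hypothetical.

```python
# Check that one certificate's SAN dNSName entries cover every host header
# served behind a single VIP. Matching follows RFC 6125 rules: "*" is only
# honoured as the entire leftmost label and stands for exactly one label.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """Return True if a SAN entry (exact or wildcard) covers the host name."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        # A wildcard never spans multiple labels and never matches the apex.
        return False
    if p[0] == "*":
        # Conservative choice (assumption): require two fixed labels after
        # the wildcard, so something like "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(san_dns_names, vip_hosts):
    """List the hosts that would trigger a client certificate warning."""
    return [h for h in vip_hosts
            if not any(san_matches(s, h) for s in san_dns_names)]

# Constructed sample data: SAN list of the candidate cert, and the host
# headers the web servers answer for on the shared VIP.
SAMPLE_SANS = ["*.example.com", "example.org", "www.example.org"]
SAMPLE_HOSTS = [
    "shop.example.com",   # covered by the wildcard
    "example.com",        # apex: NOT covered by *.example.com
    "a.b.example.com",    # two labels deep: NOT covered by the wildcard
    "www.example.org",    # covered by an exact SAN entry
    "www.example.net",    # different domain: not covered
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_SANS, SAMPLE_HOSTS):
        print("not covered by certificate:", host)
```

Any host it reports needs its own SAN entry or its own VIP and certificate.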
04-07-2011 01:03 PM
I thought of that after I hit post. Actually, each site currently has its own VIP, at least it should. The issue we currently have is that the certificates are currently located on the web servers. In order to prevent this exact issue, each hosted HTTPS site needs a unique IP address on each server. So if we have one site on 3 servers, that's 3 IPs being used. Multiply that by 30 sites or so and you're wasting quite a few IP addresses.
What I want to do is move the certificates up to the ACE and apply them to the appropriate VIP. Then have the ACE forward the request to the web server on port 80 and the web server will serve the content based on the host header. So now we are only using one IP address per web server rather than one IP per web site.
Make sense?
Thanks.
Jason
04-07-2011 02:01 PM
Jason,
That makes perfect sense. I have seen others do this same thing.
Regards
Jim