Multiple SSL Certs in one SSL Proxy/VIP

xiaolonguk
Level 1

Guys

I have a requirement to be able to provide SSL for two different sites that will resolve to the same VIP. I've created a lot of SSL sites before and these work a treat with HTTP to HTTPS redirection.

However, I'm not sure how to take two different SSL certs and bind them to the same SSL Proxy, in order for me to add them to the same VIP. The customer wants to use only port 443. I had thought about using a secondary port, something like 8443, and adding another class under the multi-match policy.

Is this possible at all?  I use a standard L4 class-map in the multi-match policy, that then nests down into L7 class-maps, for URL load balancing.

Because this is a multi-match policy can I just create another L4 Policy, which in turn nests down to a different L7 class-map, allowing me to match the second URL. And thus because I have another L4 policy I can assign a new SSL Proxy?

Thanks


ciscocsoc
Level 4

Hi,

I don't think you can do this directly with the ACE. A wildcard certificate would work if all the sites were in the same domain. If the addresses are in different domains and a wildcard isn't appropriate, you might be able to use a SAN (Subject Alternative Name) certificate.

HTH

Cathy

Cathy

Thanks for the reply, that's what I was thinking. We use wildcard certificates for several of the other domains, how we need to provide certificates for www.website.com and ww2.website.com due to cost.

Is it possible to replace the L4 policy map with a straight L7, so that we are load balancing directly on URL as opposed to verifying L4 matches first? Or would this not be advisable / possible? I always thought it was the L4 policy that made the VIP proxy?

Can SAN certs not be used in this example?

Thanks

You need to do the decryption before you can implement layer7.

Your options seem to be wildcards, SAN, re-negotiate the requirements or use another load-balancer.

Kind Regards

Cathy

xiaolonguk
Level 1

Thanks Cathy,

I'll try to do this with SAN Certs, you have been a huge help.

Thanks once more
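
The wildcard and SAN options discussed in this thread both come down to whether one certificate covers every hostname that resolves to the VIP. The following is an added example, not code from any poster or from Cisco: a Python check of a certificate's SAN dNSName entries against the VIP's hostnames, using RFC 6125-style wildcard matching. `www.othersite.example` is a constructed name standing in for a site in a different domain.

```python
# Added example: which hostnames behind one VIP does a single certificate cover?
# www.website.com / ww2.website.com come from the thread; www.othersite.example
# is a constructed name for a site in a different domain.

def _match(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one SAN dNSName entry against a hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Whole-label wildcard, leftmost position only, and never directly
        # under a top-level name such as "*.com".
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards ("w*.website.com") are rejected, exact names compared.
    return "*" not in pattern and p == h


def uncovered(san_dns_names, hostnames):
    """Return the hostnames that no SAN entry of the certificate matches."""
    return [h for h in hostnames
            if not any(_match(s, h) for s in san_dns_names)]


SAME_DOMAIN = ["www.website.com", "ww2.website.com"]
CROSS_DOMAIN = ["www.website.com", "www.othersite.example"]

if __name__ == "__main__":
    # Wildcard cert: enough when both sites share a parent domain.
    print(uncovered(["*.website.com"], SAME_DOMAIN))
    # Same wildcard cert when the second site is in another domain.
    print(uncovered(["*.website.com"], CROSS_DOMAIN))
    # SAN cert listing both names explicitly.
    print(uncovered(["www.website.com", "www.othersite.example"], CROSS_DOMAIN))
```

A non-empty result means clients requesting those hostnames would get a name-mismatch error from the certificate presented on the shared VIP.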
