01-22-2012 11:23 AM
Deploying an application using GSS and ACE. Each site will have 2 ACEs in active-standby mode, and a GSS at each site to do the global load balancing.
Wondering: on all ACEs, do I need to have the same certs and keys?
I will create CSR parameters and a key, get the certs from the CA, install the keys on the primary, and import the same certs on the secondary. Will it be applicable to all the other remaining 3 ACEs?
Or on each primary ACE do I need to create CSR parameters and generate a key, and import the certs onto the failover?
Experts, help me in understanding this.
01-23-2012 12:17 AM
Hi
You need to have a correct certificate for each domain name, or a wildcard certificate. E.g. you have web sites: my.domain.net, yours.domain.net, test.nice.com. So on all ACEs you need to have correct certificates for each domain (or, if wildcard, one for domain *.domain.net and one for *.nice.com). These certificates can be the same or can be different; the only thing which matters is what domain they are issued for.
You can have the same keys and certificates on all your ACEs and actually, from a manageability and scalability point of view, it seems to be the best approach.
01-23-2012 08:29 PM
Hi Borys Berlog, thanks for your response.
But wondering: I will have 2 pairs of ACEs at each site, in active-standby mode. They will be hosting separate domain names, but the backend apps will be the same at both locations.
In such a scenario, do I need to generate the key and CSR on the ACE in order to get the certs, or does the server team provide me the certs and the key?
How will this work? Please help me on this.
01-24-2012 02:45 AM
Hi
The purpose of a certificate is to ensure that the site you're connecting to is really the site you expect it to be. Thus the certificate is connected to the DNS name of the site. The browser checks if the domain name in the certificate corresponds to the name you use to access this site. If not, the browser will show you a security alert. You can ignore it and continue and it will work.
So, to have everything working nicely you need to have a different certificate for each domain name or have a wildcard certificate.
E.g. you have 3 VIPs on ACE: 1.1.1.1, 2.2.2.2, 3.3.3.3 and DNS configured like:
nice.domain.net = 1.1.1.1
bad.domain.net = 2.2.2.2
test.test.com = 3.3.3.3
So in this case you need to have either 3 certificates, one for each domain name, or one certificate for test.test.com and one wildcard for *.domain.net. They can be provided by the server team; it depends on the scope of responsibilities you have in your organization.
However, you can configure ACE with any certificate; it will work, just the client will see a security alert in his browser that the certificate doesn't correspond to the site.
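
The name check described in the reply above, as an added example that is not part of the original thread: it takes the three site names and VIPs from the post and reports which certificate names cover each one, for one certificate per name, for the wildcard option, and for a single mismatched certificate. The function names are hypothetical, and the wildcard rule (whole left-most label only, exactly one label, not directly under a top-level label) is a simplified version of what browsers apply.

```python
# Added example: which certificate names cover which site names.
# Site names and VIP addresses are the ones used in the post above.

def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate DNS name covers the hostname.

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        # "*.domain.net" covers neither "domain.net" nor "a.b.domain.net"
        return False
    if cert_labels[0] == "*":
        # Simplification: refuse wildcards such as "*.com"
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def coverage(sites: dict, cert_names: list) -> dict:
    """Map each site name to the certificate names covering it.

    An empty list means the client would get a security alert.
    """
    return {host: [c for c in cert_names if name_matches(c, host)]
            for host in sites}


SITES = {"nice.domain.net": "1.1.1.1",
         "bad.domain.net": "2.2.2.2",
         "test.test.com": "3.3.3.3"}
PER_SITE = ["nice.domain.net", "bad.domain.net", "test.test.com"]
WILDCARD = ["*.domain.net", "test.test.com"]
MISMATCH = ["nice.domain.net"]  # one certificate used for every VIP

if __name__ == "__main__":
    for label, certs in (("one per name", PER_SITE),
                         ("wildcard", WILDCARD),
                         ("single cert", MISMATCH)):
        print(label)
        for host, covering in coverage(SITES, certs).items():
            status = ", ".join(covering) or "NO MATCH -> security alert"
            print(f"  {host} ({SITES[host]}): {status}")
```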