The correct use of certificates

csbowser
Level 1

I need some guidance please. My company has an Exchange server, a time-card server and a web server. Each site has a Thawte certificate specifying the full FQDN and directory path.

We've chosen to now implement a CSS11501 (with SSL) and terminate the SSL at the CSS, make a routing decision based on URL, and pass the traffic on in the clear to the specific server. In the future, we will consider backend SSL.

Here is my question. What is the correct and ethical way to employ the certificates? Do I take the existing certificates that were generated for each site and import them into the CSS? In this manner, the CSS answers the certificate check. Will the servers/applications work correctly if the traffic arrives in the clear?

If I do backend SSL, does the placement of certificates change?

For either scenario, would it be better to get a cert specifically for the CSS?

Thanks for your help.

6 Replies

lynchp
Level 1

Hi,

You can export the certificates and private keys of the webservers together (in PKCS12 format), and then import them onto the CSS. This is OK, as you are using the certificate to decrypt the same traffic, just on a different device.

When using backend SSL the certificates on the CSS do not matter; we act just as a client for the backend session. You of course will need a certificate on the webserver in this case. Please check with your cert provider on the terms and conditions of the certificates you have purchased.

Hope this helps

Phil

Thanks Phil. Just to make sure I'm still going down the right path... if I have three webservers, three different certs, and one public IP, is this possible? Basically, the CSS takes incoming traffic to port 443, then decrypts it to make a routing decision based on the header, but how does it know which keypair to use? I create the SSL proxy list, then index the SSL servers. For each index, I put in a cert/key pair, right? Is there magic that happens that lets the CSS know which indexed cert/keypair to terminate the SSL with?

OK, the more I dig, the more I find. So basically, if I only have one IP and one port (external customers behind firewalls that only use well-known ports (well-known to them!)), I will need a more generic cert. I can't list multiple servers in the proxy list with the same port, so the rsacert/key that matches the inbound port/content rule must be usable by all the servers, right?

Or is there another way to have all URLs

https://www.acme.com/timesheet

https://www.acme.com/mail

https://www.acme.com/pinkslips

all come in on port 443 and still have three unique certs?

To be able to see the URL, the traffic needs to be decrypted. To decrypt the traffic, you need a certificate and key.

So, there is no way to associate a URL to a certificate.

Only an IP/port can be associated to a certificate.

So, as you mentioned, you need a generic certificate that will cover all your URLs.

Regards,

Gilles.
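The two operational points in the replies above (Phil's "export certificate and private key together as PKCS12" and Gilles's "the certificate is bound to the IP/port and hostname, not to the URL path") can be checked on a workstation before touching the CSS. The script below is an added example, not code from this thread or from Cisco; it assumes only the openssl command-line tool. The key, certificate, PKCS12 password and the three acme.com URLs are constructed for the demonstration; the self-signed certificate stands in for the Thawte-issued one on the webserver.

```shell
#!/bin/sh
# Added example (not from the thread): exercise the PKCS12 export step and
# verify that one certificate for www.acme.com covers every URL on that host.
# Assumes the openssl CLI (1.1.1 or later). All file names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/www.acme.com.key"
CRT="$WORK/www.acme.com.crt"
P12="$WORK/www.acme.com.p12"
P12_PASS="export-password"   # constructed; the CSS import asks for this

# Stand-in for the webserver's existing key and certificate. The real one in
# the thread came from a CA; a self-signed cert behaves the same for these checks.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CRT" \
    -days 1 -subj "/CN=www.acme.com" \
    -addext "subjectAltName=DNS:www.acme.com" 2>/dev/null
}

# Before exporting anything: confirm the private key belongs to this cert.
# Returns 0 if the public key in the cert equals the one derived from the key.
key_matches_cert() {
  cert_pub="$(openssl x509 -in "$CRT" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$KEY" -pubout)"
  [ "$cert_pub" = "$key_pub" ]
}

# Phil's step: bundle certificate + private key into one PKCS12 file.
export_pkcs12() {
  openssl pkcs12 -export -in "$CRT" -inkey "$KEY" -out "$P12" \
    -name "www.acme.com" -passout "pass:$P12_PASS"
}

# Count the PEM objects inside the bundle: expect 2 (one key, one certificate).
pkcs12_contents() {
  openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -nodes 2>/dev/null \
    | grep -c -- '-----BEGIN'
}

# Gilles's point: only the hostname matters to the certificate, never the path.
# https://www.acme.com/timesheet -> www.acme.com
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#[/:].*$##'
}

# Returns 0 when the certificate is valid for the URL's hostname.
cert_covers_url() {
  host="$(url_host "$1")"
  openssl x509 -in "$CRT" -noout -checkhost "$host" | grep -q ' does match '
}

make_test_cert
key_matches_cert && echo "private key matches certificate"
export_pkcs12
echo "PKCS12 bundle holds $(pkcs12_contents) PEM objects (key + cert)"

# The three URLs from the thread share one hostname, so one cert covers all of
# them; a different hostname (constructed) is shown to be outside its scope.
for url in https://www.acme.com/timesheet https://www.acme.com/mail \
           https://www.acme.com/pinkslips https://mail.acme.com/; do
  if cert_covers_url "$url"; then
    echo "covered:     $url"
  else
    echo "NOT covered: $url"
  fi
done
```

The hostname check is the practical test of Gilles's statement: because the CSS selects a key pair per IP/port, the three URLs differing only in path are served by the one certificate for www.acme.com, and separate certificates per application would only be needed if the applications lived on different hostnames.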

Thanks Gilles. One last thing, in the same environment as discussed before, if I need to do backend encryption, is it possible to use 'individual' certificates, or would the 'generic' one have to be used?

The backend SSL connection does not require a certificate [only if your servers do client authentication].

Here is a sample config for backend ssl.

http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a0080220dab.shtml

If you need client authentication on the server, you can specify a different certificate than for the normal SSL feature.

Regards,

Gilles.
