Author Topic: CSW - SSL VServers  (Read 2090 times)

Offline AdamMaxwell

  • VIP Member
  • ***
  • Posts: 30
  • Karma: 2
CSW - SSL VServers
« on: May 26, 2009, 05:42:43 AM »
Hi,

I've created a CSW vserver for SSL, my question is I can only bind one certificate to that, so if I am using it for multiple websites each with their own SSL cert how can I configure this?

Thanks

Adam

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: CSW - SSL VServers
« Reply #1 on: May 26, 2009, 08:08:35 AM »
Adam,

The only way to configure it for the way you want is to use a SAN cert or wildcard cert. A SAN cert allows you to attach multiple FQDNs to a single SSL cert.

Without buying a wildcard or SAN cert you cannot do what you want, as the Netscaler is limited to 1 cert per SSL vServer.

Offline AdamMaxwell

  • VIP Member
  • ***
  • Posts: 30
  • Karma: 2
Re: CSW - SSL VServers
« Reply #2 on: May 26, 2009, 08:25:57 AM »
Ah, that would explain it. Is there any other way to SSL offload multiple websites without assigning a VIP to each one? We are using GSLB as well.

If you need any more information about my configuration please let me know.

Adam

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: CSW - SSL VServers
« Reply #3 on: May 26, 2009, 09:54:03 AM »
Unfortunately without the use of either the SAN or wildcerts you will need a VIP for each website.

Offline AdamMaxwell

  • VIP Member
  • ***
  • Posts: 30
  • Karma: 2
Re: CSW - SSL VServers
« Reply #4 on: May 26, 2009, 10:46:02 AM »
What if I create a CSW that uses the ANY service and I specify port 443 (can't remember if I can do that with CSW). The CSW doesn't need the SSL bound to it as it will be offloaded by the SSL vserver behind it?

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: CSW - SSL VServers
« Reply #5 on: May 26, 2009, 11:43:29 AM »
You can't do that with a content switching server as it can only perform content switching on HTTP/s, TCP, and FTP traffic. Also the very first step is to decrypt the 443 traffic so it knows what to do with it. This process starts before any other policy on the Netscaler is handled.

I posted an article in the tips forum about traffic flow. If you look at it you will see the SSL decryption is first, and then everything else takes place. Really no option except SAN certs. If it was different I would have a much simpler setup.

Offline AdamMaxwell

  • VIP Member
  • ***
  • Posts: 30
  • Karma: 2
Re: CSW - SSL VServers
« Reply #6 on: May 27, 2009, 08:05:23 AM »
Oh well, it was worth a try. I will have to go back to using separate IP addresses for each website then.

Offline jmelika

  • Administrator
  • Hero Member
  • *****
  • Posts: 341
  • Karma: 7
Re: CSW - SSL VServers
« Reply #7 on: May 27, 2009, 09:48:46 PM »
Adam,

How many SSL sites will you be hosting? You could potentially save some $ by bundling, say every 4 sites, and purchase 1 SAN for each group. It'll end up costing you much less. DigiCert has them inexpensively. Verisign's I believe is a 20 FQDN bundle.
http://www.digicert.com/unified-communications-ssl-tls.htm

Good luck!
JM

Offline Marco Schirrmeister

  • Hero Member
  • *****
  • Posts: 101
  • Karma: 14
Re: CSW - SSL VServers
« Reply #8 on: June 02, 2009, 06:19:11 AM »
I read 2 things in the post.
1. multiple domain names in one cert
2. only 1 IP address for the whole setup.

I also read "....without the use of either the SAN or wildcerts you will need a VIP for each website...."

But, even with a SAN or wildcard cert you need multiple IPs. That is not a NetScaler limitation, that's just because of how SSL works.
You always need a dedicated IP for a cert.

There is a "hack" solution. I did it in the past, but I don't like it.

I had a csw vserver on port 80 with many policies. In the policies I configured the domain names that I want to host on that IP.
The target for a policy was a dummy vserver. On the dummy vserver I had then a redirect to https and a special port.

So for example I had URLs like this,
https://www.domain1.com:1443
https://www.domain2.com:2443

If you have no problem with these stupid ports in the URL then it will work with 1 IP address.
The initial request also always has to come in on HTTP, otherwise the user has to specify the port.

Marco

Offline ZManGT

  • VIP Member
  • ***
  • Posts: 94
  • Karma: 12
Re: CSW - SSL VServers
« Reply #9 on: June 02, 2009, 07:30:50 AM »
That is not a NetScaler limitation, that's just because of how SSL works.
You always need a dedicated IP for a cert.

That is actually not true. An SSL cert is only bound to the FQDN. It is not bound by IP at all. A simple test for this is to create another website and apply an existing cert to it, change your hosts file to resolve the DNS name to the new IP and you will not get a cert error.

In fact we use SAN certs and have a site with 8 FQDNs operating off of a single IP. That is the purpose of SAN certs.

Offline Marco Schirrmeister

  • Hero Member
  • *****
  • Posts: 101
  • Karma: 14
Re: CSW - SSL VServers
« Reply #10 on: June 02, 2009, 08:12:45 AM »
You are absolutely right. The cert is tied to the FQDN. And multiple sites behind a SAN or wildcard cert work with one IP.

I used the wrong words in my sentence.
The limitation that I was referring to was that you can only bind one certificate to an ip address. So you need multiple IPs if you have multiple certificates.
And yes, it doesn't matter how many FQDNs you have in the cert.
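As an added example (not code from any poster or from the NetScaler), here is a small hostname matcher that applies the rules the last two replies settle on: a cert is matched against the requested name only, never against the IP it is served from, and a SAN cert covers every dNSName it lists while a wildcard entry covers exactly one label. The certificate data is constructed for illustration; real certs would be parsed from the subjectAltName extension.

```python
import ipaddress

# Constructed stand-in for a SAN certificate (not a real cert): the names from
# its subjectAltName extension plus the Common Name used only as a fallback.
SAN_CERT = {
    "cn": "www.domain1.com",
    "dns_names": ["www.domain1.com", "www.domain2.com", "*.domain3.com"],
    "ip_addresses": [],
}


def _label_match(pattern: str, host: str) -> bool:
    """Match one presented identifier against a hostname (RFC 6125 rules)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # A wildcard may only be the whole leftmost label and needs at least two
    # labels to its right, so "*" or "*.com" never match anything.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lb for lb in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label: *.domain3.com matches
    # www.domain3.com but not domain3.com or a.b.domain3.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(cert: dict, target: str) -> bool:
    """Return True if the certificate is valid for the requested host or IP literal.

    The VIP the connection arrived on is deliberately not an input: moving the
    same cert to another IP (the hosts-file test in the thread) changes nothing.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an explicit iPAddress SAN entry.
        return any(ip == ipaddress.ip_address(a) for a in cert["ip_addresses"])
    if cert["dns_names"]:
        # With dNSName SANs present, the CN is ignored entirely.
        return any(_label_match(n, target) for n in cert["dns_names"])
    # CN fallback applies only when the certificate carries no dNSName SANs.
    return _label_match(cert["cn"], target)
```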