Author Topic: How to Use Wildcard Certificates to Host Multiple Secure Sites on a Single SSL  (Read 2873 times)

Offline jmelika

Summary

This document describes how to use a wildcard SSL certificate to host multiple SSL sites on one SSL virtual IP (VIP).

Requirements

This procedure is useful in a scenario where multiple SSL sites must be hosted on a single SSL VIP. You must have access to a certificate authority (CA) that issues a wildcard certificate, unless you are using self-signed certificates in a testing environment.

Background

SSL certificates carry a field known as the Common Name (CN). When creating a certificate request, the SSL site administrator specifies the CN in the request. The CN should match the Fully Qualified Domain Name (FQDN) used to access the SSL site. If the CN on the issued certificate does not match the FQDN of the SSL site, clients see a security warning in their browser when attempting to access the site (some clients may also reject the connection during the SSL handshake because of the possible security risk).

For example, if the SSL site administrator for https://secure.onlinebank.com generates a certificate request for a server certificate for the site, the administrator must specify a CN of secure.onlinebank.com in the certificate request.

It is normally not possible on the NetScaler to host multiple SSL sites on a single SSL VIP. This limitation exists because it is possible to bind only one SSL certificate to an SSL VIP, and the CN on the certificate can match only one FQDN. Thus, if a single SSL VIP is intended to host the following sites:

https://secure1.onlinebank.com
https://secure2.onlinebank.com
https://secure3.onlinebank.com

The CN on the certificate can match only one of these FQDNs. Clients will receive a security warning when attempting to browse to either of the other two sites.

It is possible to work around this limitation by using a wildcard certificate that uses the * character to mask part of the FQDN.

Procedure

   1. Create a certificate request (using the NetScaler’s create ssl certreq command or otherwise).
   2. When specifying the CN for the certificate request, use the * character in place of the part of the FQDN to be masked.
      For example, if a single SSL VIP is intended to host the following sites:

      https://secure1.onlinebank.com
      https://secure2.onlinebank.com
      https://secure3.onlinebank.com

      The certificate request could use the following syntax:

      CN = secure*.onlinebank.com

      If a single SSL VIP is intended to host the following sites:

      https://secure1.onlinebank.com
      https://ssl.onlinebank.com
      https://internal.onlinebank.com

      The certificate request could use the following syntax:

      CN = *.onlinebank.com
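The two CN forms above behave differently once a client checks them against the site name. The following is an added example, not part of the original post: a small Python matcher that applies the label-by-label wildcard rules of RFC 6125 (section 6.4.3) to the post's own site lists, so you can see which hosts each CN covers before requesting the certificate. The `allow_partial_label` switch models the fact that a wildcard that is only part of a label (such as `secure*`) is optional for clients and is not issued by public CAs, whereas a whole-label wildcard (`*.onlinebank.com`) is widely accepted; note also that current browsers read the host names from the subjectAltName extension rather than the CN, so the same wildcard must appear there.

```python
from urllib.parse import urlsplit

def cn_matches(pattern: str, hostname: str, allow_partial_label: bool = False) -> bool:
    """Return True if a certificate name `pattern` covers `hostname`.

    Rules (RFC 6125 sec. 6.4.3, as applied by common TLS clients):
      * comparison is case-insensitive and label by label;
      * a wildcard may appear only in the left-most label;
      * the wildcard matches exactly one label, so it does not cover the
        bare domain or any deeper sub-domain;
      * a wildcard covering an entire top-level domain (e.g. *.com) is refused;
      * a partial-label wildcard (secure*) is matched only if the caller opts in.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain CN: exact match only
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                        # *.com, or label count differs
    if any("*" in label for label in p_labels[1:]):
        return False                        # wildcard not in left-most label
    if p_labels[1:] != h_labels[1:]:
        return False                        # parent domain differs
    first, host_first = p_labels[0], h_labels[0]
    if first == "*":
        return host_first != ""             # whole-label wildcard
    if not allow_partial_label or first.count("*") != 1:
        return False
    prefix, suffix = first.split("*")       # e.g. "secure" and ""
    return (len(host_first) >= len(prefix) + len(suffix)
            and host_first.startswith(prefix) and host_first.endswith(suffix))

def covered_sites(cn: str, urls: list, allow_partial_label: bool = False) -> list:
    """Filter a list of site URLs down to those the given CN would cover."""
    return [u for u in urls
            if cn_matches(cn, urlsplit(u).hostname or "", allow_partial_label)]

# The post's two example site lists.
SITES_NUMBERED = ["https://secure1.onlinebank.com",
                  "https://secure2.onlinebank.com",
                  "https://secure3.onlinebank.com"]
SITES_MIXED = ["https://secure1.onlinebank.com",
               "https://ssl.onlinebank.com",
               "https://internal.onlinebank.com"]

if __name__ == "__main__":
    for cn in ("secure*.onlinebank.com", "*.onlinebank.com"):
        print(cn, "->", covered_sites(cn, SITES_MIXED, allow_partial_label=True))
```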