This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Multiple SSL Certificates on same port?

Hi,

is it possible to use multiple certificates on one port?
We tested multiple hosts without ssl, deploying the virtual Servers
foo.mydomain.com
and
bar.mydomain.com
with two different virtual servers to each one real web server (foo.mydom.intern and bar.mydom.intern).

Now we wanted to switch to ssl, so we created a separate for each URL.

With the first server everything is fine, the Domain name is read from the certificate. But as soon as I switch the second virtual server to SSL, I get the error message:
"Cannot use SSL certificate 'bar.domain.com' for the virtual web server 'Bar' on TCP port a.b.c.d:443 because the virtual web server 'OWA' listening on the same TCP port uses a different certificate 'foo.domain.com'."

So my question: Shouldn't it be possible to use two different certificates on the same TCP Port, and present the client the certificate depending on the URL requested?
When I chose a different Port (444) for the second virtual Server everithing is OK, but that's not quite my intention...

Thank You!

This thread was automatically locked due to age.

Parents

0 BarryG over 13 years ago

Hi,
It's possible, there is a (mostly supported) standard for this.
Please post as a feature request at Astaro Gateway Feature Requests

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 mhock over 13 years ago in reply to BarryG

I found a workaround by myself:
A wildcard certificate (*.domain.com) works. when you assign a certificate with *.domain.com in its DN, it is possible to enter a list of domain names just as it is in Non-SSL-VirtualServers. That way, you can point different names to one RealServer.
Furthermore, you can use this certificate in more than one VirtualServer on the same Socket and by that point to different backend servers.
What I could not yet test is using Alternate Names: As wildcard certificates can be very expensive, it might be better to use Alternate Names. So my questions concerning this is:
- What are the differences in this guide https://support.astaro.com/support/index.php/User_Contributed:How_to_Create_a_Certificate_for_Web_Application_Security when I want to include alternate names in the certificate?

- And most important: How will WAF behave with these Alternate Names?

Anyone ever tried it?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 mhock over 13 years ago in reply to BarryG

I found a workaround by myself:
A wildcard certificate (*.domain.com) works. when you assign a certificate with *.domain.com in its DN, it is possible to enter a list of domain names just as it is in Non-SSL-VirtualServers. That way, you can point different names to one RealServer.
Furthermore, you can use this certificate in more than one VirtualServer on the same Socket and by that point to different backend servers.
What I could not yet test is using Alternate Names: As wildcard certificates can be very expensive, it might be better to use Alternate Names. So my questions concerning this is:
- What are the differences in this guide https://support.astaro.com/support/index.php/User_Contributed:How_to_Create_a_Certificate_for_Web_Application_Security when I want to include alternate names in the certificate?

- And most important: How will WAF behave with these Alternate Names?

Anyone ever tried it?
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data