
SNI and SSL configuration

RIchard Isbell

Question in bold at bottom.


Software version - NS12.0: Build 53.13.nc 
Client is web browser on Win10 (Chrome, FF, IE, Edge)

Internal DNS is as follows:

  •  testwebserver00   (webserver host 1)
  •  testwebserver01   (webserver host 2)
  •  loadbalancer00  (VIP/load balancer)
  •  websites
    • testwebsite01 (IIS site hosted on testwebserver00 and testwebserver01)
    • testwebsite02 (IIS site hosted on testwebserver00 and testwebserver01)
    • testwebsite03 (IIS site hosted on testwebserver00 and testwebserver01)


Client requests internal website, e.g.  https://testwebsite{XX}

DNS lookup directs request to, which is the load balancer IP
Load balancer directs request to either testwebserver00 or testwebserver01


Problem:  Current configuration of the SSL certificate on testwebserver00 and testwebserver01 - testwebserver00, testwebserver01, testwebsite01, testwebsite02, testwebsite03.  This means that if the SSL gets compromised on one site, they are all compromised.  I have a problem with this from a security standpoint.  I expect each site to resolve with its individual certificate and not one that has every SAN name in it.

Can someone tell me what is the recommended configuration and point me towards some documentation? 


Thank you!

Link to comment
Share on other sites

If the concern is that the client always receives the same cert when connected to LB (regardless of the back-end server) - correct me if this is not the case


You can bind the certs for each domain on NS LB Vserver with the SNI Enabled option. From 11,055.x onward SNI with SAN cert is supported; the lookup method described below, i.e. CN first and then SAN, is hard-coded logic and does not need any extra configuration.



Support for SNI with a SAN Extension Certificate

The NetScaler appliance now supports SNI with a SAN extension certificate. During handshake initiation, the host name provided by the client is first compared to the common name and then to the subject alternative name. If the name matches, the corresponding certificate is presented to the client.

[# 250573] 


PS: if nothing matches, the default cert on the LB is presented to the client.


Link to comment
Share on other sites
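The lookup order described in the reply above (CN, then SAN, then the default certificate), modelled as an added example that is not part of the original thread and is not NetScaler code. The `Cert` class, the function names, the cert labels and the exact-match, CN-pass-before-SAN-pass behaviour are assumptions; the host names come from the question.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    label: str          # name of the cert-key pair (constructed)
    cn: str             # subject common name
    sans: tuple = ()    # subject alternative names

def select_cert(sni_name, bound, default):
    """Exact match on CN first, then SAN; otherwise the default certificate.
    Assumption: the CN pass covers every bound cert before any SAN is tried."""
    name = (sni_name or "").lower()
    for cert in bound:
        if cert.cn.lower() == name:
            return cert
    for cert in bound:
        if name in {s.lower() for s in cert.sans}:
            return cert
    return default

def shared_names(host, bound, default):
    """Other names covered by the certificate (and private key) served for host."""
    cert = select_cert(host, bound, default)
    covered = {cert.cn.lower(), *(s.lower() for s in cert.sans)}
    return sorted(covered - {host.lower()})

# Constructed sample data based on the names in the question.
SITES = ["testwebsite01", "testwebsite02", "testwebsite03"]
SAN_CERT = Cert("all-in-one", "testwebserver00",
                ("testwebserver00", "testwebserver01", *SITES))
PER_SITE = [Cert(f"cert-{s}", s, (s,)) for s in SITES]
FALLBACK = Cert("lb-default", "loadbalancer00", ("loadbalancer00",))

if __name__ == "__main__":
    for host in SITES + ["unknownsite"]:
        print(host,
              "| one SAN cert:", shared_names(host, [SAN_CERT], SAN_CERT),
              "| per-site certs:", select_cert(host, PER_SITE, FALLBACK).label,
              shared_names(host, PER_SITE, FALLBACK))
```

With the single SAN certificate every site name shares one key with four other names; with per-site certificates bound for SNI the shared list is empty, and only an unmatched name falls back to the default certificate.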



Thank you for the reply.


Right now, I have a situation where someone has configured over 50 websites on testwebserver00 and testwebserver02.  And they have created one SSL certificate with all 50 websites as a SAN.  So, a client going to https://testwebsite01 and https://testwebsite02 (and so on until https://testwebsite50) receives the same SSL certificate that has all 50 SANs in it.  I can’t believe that this is the correct way to set this up.


It was my understanding that SNI should be able to connect to each specific website in IIS and present the correct SSL certificate for each site, even if all 50 sites are being hosted on the same IP address.  So, a request to https://testwebsite01 should return the SSL certificate for testwebsite01 (only), and a request to https://testwebsite05 should return the SSL certificate for testwebsite05 (only), etc, etc, etc…


My goal is to get rid of the SAN certificate and use 50 individual certificates.  A wildcard certificate is not an option due to security concerns and cost is not a factor.


Again, thank you for your time and expertise.

Link to comment
Share on other sites

You should be able to migrate that cert and private key and intermediate to the Netscaler and use it for your VIPs. I am not sure I am seeing that you are doing any offloading at all.


Of course, you might want to set up a test VIP and some DNS entries connecting to the same servers first or something similar.


If the certificate contains all 50 sites, then I'm pretty sure the presented certificate will list all 50 sites.


Or am I misunderstanding what you are asking?

Link to comment
Share on other sites

  • 1 year later...

I am running into the same issue. Contacted the support to figure it out. 


Support for dynamic SNI on the back end has been added in Citrix ver 13.0.36.

From the release notes:


Support for dynamic SNI on the back end

The Citrix ADC appliance now supports dynamic Server Name Indication (SNI) on the back end. You don’t need to specify a common name in the back-end SSL service, service group, or profile. The common name in the Client Hello message is forwarded to the back-end SSL server.

Important: Ensure the following conditions are met for dynamic SNI to be effective on the back end:

- Enable SNI on the front end.

- Bind the correct SNI certificate to the SSL virtual server.

For more information, see https://docs.citrix.com/en-us/citrix-adc/13/ssl/config-ssloffloading.html#support-for-sni-on-the-back-end-service.

[# NSSSL-6371]
