
How to use the SSL certificate bound to a specific LBVS and not the SSL cert bound to the CSVS that forwards to it?


Matt Porter


I apologize if the question is unclear as I am still fairly new to the platform.

 

We are in the process of transitioning from a wildcard SSL certificate to individual non-wildcard SSL certificates for security reasons. Our web servers are behind a content switch with SSL enabled that serves the wildcard certificate. It seems like this problem could be addressed by binding additional certificates to the CS with SNI enabled, but we have 90+ forwarding policies active currently, and managing that many certificates bound to one server seems like poor design.

 

Is there any configuration possible where we can still forward to the LBVSs from the content switch, but rather than using a certificate bound on the CS, we use whatever certificate is bound to the LBVS that traffic gets forwarded to? 

 


I don't believe so.

When a lb vserver is frontended by a cs vserver, the cs vserver is the point of connection to the client. It is the entity the client connects to, that establishes the SSL handshake, and then the traffic is sent internally to the lb destination:  client --> cs vserver (VIP:Port) --> lb vserver (possibly vip:port; or non-addressable)

 

The client never really handshakes with the lb vserver UNLESS you do a responder policy to redirect to the lb vserver's VIP. But if you hit the CS vserver first, the handshake is still with cs first and then a new connection to the new lb vserver. But usually, we're doing content switching to non-addressable vservers so you don't need extra VIPs.

 

Bottom line, if traffic goes to the CS vserver, the CS vserver has to meet the SSL requirements (whether you content switch to the lb OR you redirect to the lb); you still have to connect to the cs vserver first.

 

Since you are mapping multiple FQDNs to the same VIP, you are stuck with the cert names on the CS vserver. If you don't want to use wildcard certs, then a multi-SAN cert would simplify your cert bindings for multiple names; but you still have to deal with all the different identities you have.

 

 

 

 

 

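The answer above comes down to this: the CS vserver owns the TLS handshake, so per-hostname certificates have to be bound to the CS vserver as SNI certs (or folded into one multi-SAN cert); the lb vserver's own binding is never offered to the client. With 90+ policies the practical risk is losing track of which hostnames still ride on the wildcard when it is finally unbound. The script below is an added example, not code from this thread or from Citrix: it parses a constructed ns.conf fragment, collects the hostnames each cs policy switches on and the certKeys bound to the CS vserver (default vs `-SNICert`), and reports per hostname whether an SNI cert covers it, whether it still falls back to the default (wildcard) cert, or whether nothing bound to that vserver matches it. All names (cs_vs, lb_app1, app1.example.com, the certKey names) are hypothetical, and the CERT_NAMES subject/SAN map is constructed because on a real appliance those names would be read from the certificate files themselves.

```python
import re
import shlex
from collections import defaultdict

# Constructed ns.conf fragment (hypothetical names, not from the thread): one
# SSL content-switching vserver with a default wildcard cert plus two SNI
# certs, and four policies that switch by hostname to non-addressable lb vservers.
NS_CONF = r"""
add ssl certKey wildcard_cert -cert wildcard.crt -key wildcard.key
add ssl certKey app1_cert -cert app1.crt -key app1.key
add ssl certKey app2_cert -cert app2.crt -key app2.key
add cs vserver cs_vs SSL 10.0.0.10 443
set ssl vserver cs_vs -SNIEnable ENABLED
bind ssl vserver cs_vs -certkeyName wildcard_cert
bind ssl vserver cs_vs -certkeyName app1_cert -SNICert
bind ssl vserver cs_vs -certkeyName app2_cert -SNICert
add cs action act_app1 -targetLBVserver lb_app1
add cs action act_app2 -targetLBVserver lb_app2
add cs action act_app3 -targetLBVserver lb_app3
add cs action act_portal -targetLBVserver lb_portal
add cs policy pol_app1 -rule "HTTP.REQ.HOSTNAME.EQ(\"app1.example.com\")" -action act_app1
add cs policy pol_app2 -rule "HTTP.REQ.HOSTNAME.EQ(\"app2.example.com\")" -action act_app2
add cs policy pol_app3 -rule "HTTP.REQ.HOSTNAME.EQ(\"app3.example.com\")" -action act_app3
add cs policy pol_portal -rule "HTTP.REQ.HOSTNAME.EQ(\"portal.example.net\")" -action act_portal
bind cs vserver cs_vs -policyName pol_app1 -priority 100
bind cs vserver cs_vs -policyName pol_app2 -priority 110
bind cs vserver cs_vs -policyName pol_app3 -priority 120
bind cs vserver cs_vs -policyName pol_portal -priority 130
"""

# Constructed: the subject/SAN names each certKey carries. On a real box these
# come from the certificate files; they are listed inline so the audit runs offline.
CERT_NAMES = {
    "wildcard_cert": ["*.example.com"],
    "app1_cert": ["app1.example.com"],
    "app2_cert": ["app2.example.com", "www.app2.example.com"],
}

HOST_RULE = re.compile(r'HOSTNAME\.EQ\("([^"]+)"\)', re.IGNORECASE)


def _opt(tokens, flag):
    """Value following a -flag token, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def parse_conf(conf):
    """Collect cert bindings, cs actions, cs policies and policy bindings from ns.conf lines."""
    cfg = {"default_cert": {}, "sni_certs": defaultdict(list),
           "actions": {}, "policies": {}, "bindings": defaultdict(list)}
    for raw in conf.splitlines():
        if not raw.strip():
            continue
        tok = shlex.split(raw)            # also unescapes the \" inside -rule "..."
        kind, name = " ".join(tok[:3]), tok[3]
        if kind == "bind ssl vserver":
            certkey = _opt(tok, "-certkeyName")
            if "-SNICert" in tok:
                cfg["sni_certs"][name].append(certkey)
            else:
                cfg["default_cert"][name] = certkey
        elif kind == "add cs action":
            cfg["actions"][name] = _opt(tok, "-targetLBVserver")
        elif kind == "add cs policy":
            m = HOST_RULE.search(_opt(tok, "-rule") or "")
            cfg["policies"][name] = (m.group(1).lower() if m else None, _opt(tok, "-action"))
        elif kind == "bind cs vserver":
            cfg["bindings"][name].append(_opt(tok, "-policyName"))
    return cfg


def cert_covers(cert_name, hostname):
    """True if a subject/SAN entry matches hostname; a leading '*.' matches exactly one label."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                       # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[:-len(suffix)]
    return cert_name == hostname


def audit(conf, cert_names):
    """Map each hostname a cs vserver switches on to (cs vserver, lb vserver, cert status)."""
    cfg = parse_conf(conf)
    report = {}
    for cs_vs, pols in cfg["bindings"].items():
        for pol in pols:
            host, action = cfg["policies"][pol]
            if host is None:
                continue                             # rule does not switch on hostname
            lb_vs = cfg["actions"].get(action)
            sni_hits = [ck for ck in cfg["sni_certs"][cs_vs]
                        if any(cert_covers(n, host) for n in cert_names.get(ck, []))]
            default_ck = cfg["default_cert"].get(cs_vs)
            if sni_hits:
                status = "sni:" + sni_hits[0]
            elif default_ck and any(cert_covers(n, host) for n in cert_names.get(default_ck, [])):
                status = "default:" + default_ck     # still riding on the wildcard
            else:
                status = "NONE"                      # clients get a name-mismatch error today
            report[host] = (cs_vs, lb_vs, status)
    return report


if __name__ == "__main__":
    for host, (cs_vs, lb_vs, status) in sorted(audit(NS_CONF, CERT_NAMES).items()):
        print(f"{host:24} {cs_vs} -> {lb_vs:10} {status}")
```

Fed the real ns.conf, the `default:` rows are the hostnames that will stop working the moment the wildcard is unbound from the CS vserver, so they are the work list for the cut-over; `NONE` rows are hostnames that already have no matching cert on the vserver they actually handshake with. The wildcard matcher deliberately refuses to match across a dot, so `www.app2.example.com` is only covered by the explicit SAN on app2_cert, not by `*.example.com`.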
