CTX110670
NetScaler
NetScaler_all
Security
2016-04-15
2014-04-01
Objective

This article describes how to use a wildcard Secure Socket Layer (SSL) certificate to host multiple SSL Web sites on a single SSL Virtual IP address of the NetScaler appliance.

Requirements

This article is useful in a scenario where multiple SSL Web sites must be hosted on a single SSL virtual IP address. You must have access to a Certificate Authority (CA) that issues a wildcard certificate, unless you are using self-signed certificates in a testing environment.

Background

SSL certificates have a Common Name (CN) field. When creating a certificate request, the SSL site administrator specifies the CN in the request. The CN must match the Fully Qualified Domain Name (FQDN) used to access the SSL Web site. If the CN on the certificate does not match the FQDN of the SSL Web site, the client's Web browser displays a security warning when it attempts to access the site. Some clients might even reject the connection during the SSL handshake because of the possible security risk.

For example, if the administrator of the https://secure.example.com Web site creates a certificate request for a server certificate for that site, the administrator must specify secure.example.com as the CN in the certificate request.

It is not possible to host multiple SSL Web sites on a single SSL virtual IP address of a NetScaler appliance, because you can bind only one SSL certificate to an SSL virtual IP address and the CN on that certificate can match only one FQDN. Therefore, if you host the following Web sites and a client accesses any of them, the client's Web browser displays a security warning, because the CN on the certificate can match the FQDN of only one of these sites:
  • https://secure1.example.com
  • https://secure2.example.com
  • https://secure3.example.com


Instructions

As a workaround to the limitation of the CN on the certificate only matching one FQDN, you can use a wildcard certificate. A wildcard certificate uses the * character to mask a part of the FQDN.

To host multiple SSL Web sites on a single SSL virtual IP address of a NetScaler appliance by using a wildcard certificate, complete the following procedure from the GUI of the appliance:

  1. In the Configuration utility, click the SSL node.

  2. On the SSL page, click the Create Certificate Request link from the SSL Certificates group.

  3. Enter the appropriate values in the various fields of the Create Certificate Request dialog box.

  4. Ensure that you specify the wildcard character (*) as part of the value in the Common Name field. For example, the following screenshot shows the wildcard character used in the Common Name field:

    [Screenshot: Create Certificate Request dialog box with a wildcard in the Common Name field]

    The wildcard in the preceding screenshot can match the following SSL Web sites:
    • https://secure1.example.com
    • https://secure2.example.com
    • https://secure3.example.com

    Similarly, you can use the CN *.example.com if you intend to host the following Web sites, among others:
    • https://secure1.example.com
    • https://ssl.example.com
    • https://internal.example.com

  5. Click Create.

  6. Send the certificate request to an authorized CA.

  7. After receiving the certificate, install it on the NetScaler appliance.

  8. Open the required Virtual Server (VServer).

  9. Open the SSL Settings tab.

  10. Bind the wildcard certificate you have received from the CA.

To create a request for a wildcard certificate from the command line interface of the appliance, run the following command (the key file parameter uses a plain hyphen):

create ssl certreq example.req -keyfile example.key

When prompted for the Common Name, specify the wildcard character as appropriate, as shown in the following screenshot:

[Screenshot: CLI prompt for the Common Name with a wildcard value entered]
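Before binding the certificate, it is worth checking that the wildcard name actually covers every site you intend to host on the virtual IP address. The following is an added example, not code from the original article or from Citrix, of the matching rule browsers apply to a wildcard CN: the * covers exactly one left-most label, so *.example.com matches secure1.example.com but neither example.com nor www.secure1.example.com. The helper names hostname_matches and covered_sites are assumptions for this illustration.

```python
from urllib.parse import urlsplit


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or DNS SAN) covers hostname.

    Rules implemented, mirroring what browsers do with wildcard names:
      - comparison is case-insensitive and ignores a trailing dot;
      - the wildcard must be the entire left-most label (``*.example.com``),
        so partial wildcards such as ``sec*.example.com`` are refused;
      - the wildcard matches exactly one label, so ``*.example.com`` covers
        ``secure1.example.com`` but neither ``example.com`` nor
        ``a.b.example.com``;
      - a wildcard with fewer than two labels after it (``*.com``) is refused,
        a conservative stand-in for the public-suffix check browsers perform.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain CN: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # wildcard not a whole left-most label
    if len(p_labels) < 3:
        return False  # e.g. "*.com": too broad to be a valid wildcard
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False  # wildcard covers exactly one non-empty label
    return h_labels[1:] == p_labels[1:]


def covered_sites(pattern: str, sites):
    """Split a list of site URLs into those the certificate name covers and those it does not."""
    covered, not_covered = [], []
    for url in sites:
        host = urlsplit(url).hostname or ""
        (covered if hostname_matches(pattern, host) else not_covered).append(url)
    return covered, not_covered


if __name__ == "__main__":
    # Constructed sample input: the sites from the article plus two that a
    # *.example.com certificate would NOT cover.
    sample = ["https://secure1.example.com", "https://ssl.example.com",
              "https://example.com", "https://www.secure1.example.com"]
    ok, bad = covered_sites("*.example.com", sample)
    print("covered:", ok)
    print("NOT covered (browser would warn):", bad)
```

Sites that land in the "not covered" list need their own name on the certificate; the bare domain in particular is never covered by *.example.com.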



Note

This article originates from Citrix.com; the copyright of the translation belongs to the translator. Please credit the source when reposting.
