
Multiple Certificates?

sworling_
New Contributor

Can the SA 4000 support multiple certificates on the same internal/external port? It doesn't let me and is greyed out.
6 REPLIES
Skywalker_
Occasional Contributor

Re: Multiple Certificates?

http://kb.pulsesecure.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1900420a

IVE does not support multiple web server certificates. In order to be able to connect to the IVE using *.company.com, a wildcard certificate should be used instead.

rg1_
New Contributor

Re: Multiple Certificates?

This is a big limitation. We plan on deploying multiple sites with the SA 4500 and plan on hosting sites with different domain names.
Vishal_
Not applicable

Re: Multiple Certificates?

I think you can use a virtual port to take care of multiple certs. I know you can do that using different virtual IPs for different certs. Not sure if it is possible for a single IP.
ben_
Frequent Contributor

Re: Multiple Certificates?

This is not a real limitation, it's just a matter of design. It is the same if you would do this with an ordinary Apache web server. Only one certificate may be bound to a pair of IP and port. This means either having your server listen on more than one IP (-> Virtual Ports in the IVE) or having one IP and changing the port.

But the last option is not a big help, e.g. when accessing sites via a proxy, which might not always let you connect to outside resources on any port you wish.

Another option for sure is those "ugly" wildcard certs, but those are most of the time more expensive. But maybe whether this is more expensive depends on how much it costs you to get more than one IP (or in case of a cluster 2+1+n).

There is a thing about SAN certs (Subject Alternate Name), which are based on the fact that a cert may contain alternate names instead of only one. But I do not know if the IVE has the possibility to generate CSRs for this (but it does not look like it, at least there is no field for this).

rg1_
New Contributor

Re: Multiple Certificates?

When I said it was a limitation, I was referring to the multiple certs on the same internal/external port. Even if you can overcome this with a wildcard, it is still somewhat limiting, and the comment about not being able to generate CSRs is interesting. If that is the case, I would imagine this could be overcome by generating the CSR from another server, then exporting the certificate after it's applied to that server, and then reapplying it on the IVE.

I have a JTAC employee looking into this.

Talion_
New Contributor

Re: Multiple Certificates?

One thing on this thread -

The KB in reference is outdated information. When that was posted, 3.3 and 4.0 IVE OS's were new. However, even then, you can still have multiple certs if you have an advanced license.

With the 6.1 and 6.2 IVE OS's, you have an advanced license included in the baseline license that comes with the system. This will enable you to load multiple certificates, but each one needs to be added on its own virtual port on the IVE. You can add several virtual ports on a single certificate, if you had a wildcard certificate for example.

We do encourage you to review the sections in general about this in the IVE Admin guide - in the IVE OS 6.2, you can find information on Virtual ports, starting on page 638.
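
Added example, not from any poster in this thread or from the vendor: the thread weighs a wildcard certificate, a SAN certificate and separate certificates on separate virtual ports, and this Python sketch checks which planned hostnames a given certificate's names would cover, using the standard wildcard rule (the `*` stands for exactly one leftmost label). All hostnames and certificate labels are constructed placeholders.

```python
"""Which planned hostnames does each certificate cover? (constructed sample data)"""


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is allowed only as the entire leftmost
    label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covering_cert(host: str, certs: dict):
    """Return the label of the first certificate whose names cover host."""
    for label, names in certs.items():
        if any(name_matches(n, host) for n in names):
            return label
    return None


def plan(hosts: list, certs: dict) -> dict:
    """Map every hostname to the certificate that covers it, or None."""
    return {h: covering_cert(h, certs) for h in hosts}


def uncovered(hosts: list, certs: dict) -> list:
    """Hostnames that still need their own certificate (and, per the thread,
    their own virtual port)."""
    return [h for h, c in plan(hosts, certs).items() if c is None]


# Constructed inputs: one wildcard cert and one SAN cert with two names.
CERTS = {
    "wildcard": ["*.company.com"],
    "san": ["vpn.partner.example", "portal.partner.example"],
}
HOSTS = ["vpn.company.com", "company.com", "a.b.company.com",
         "vpn.partner.example", "vpn.other.example"]

if __name__ == "__main__":
    for host, cert in plan(HOSTS, CERTS).items():
        print(f"{host:25} -> {cert or 'NOT COVERED'}")
```

The wildcard covers neither the bare domain nor names two levels deep, and never a different domain, which is the case raised earlier in the thread about hosting sites with different domain names.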