Configuring an SSL Virtual Server for Secure Hosting of Multiple Sites

Sep 01, 2016

Virtual hosting is used by Web servers to host more than one domain name with the same IP address. The NetScaler supports hosting of multiple secure domains by offloading SSL processing from the Web servers using transparent SSL services or virtual server-based SSL offloading. However, when multiple Web sites are hosted on the same virtual server, the SSL handshake is completed before the expected host name is sent to the virtual server. As a result, the NetScaler cannot determine which certificate to present to the client after a connection is established. This problem is resolved by enabling Server Name Indication (SNI) on the virtual server. SNI is a Transport Layer Security (TLS) extension used by the client to provide the host name during handshake initiation. The NetScaler appliance compares this host name to the common name and, if it does not match, compares it to the subject alternative name (SAN). If the name matches, the appliance presents the corresponding certificate to the client.

A wildcard SSL certificate helps enable SSL encryption on multiple subdomains if the domains are controlled by the same organization and share the same second-level domain name. For example, a wildcard certificate issued to a sports network using the common name "*.sports.net" can be used to secure domains such as "login.sports.net" and "help.sports.net", but not "login.ftp.sports.net".

Note: On a NetScaler appliance, only domain name, URL, and email ID DNS entries in the SAN field are compared. 

You can bind multiple server certificates to a single SSL virtual server or transparent service using the -SNICert option. These certificates are presented by the virtual server or service only if SNI is enabled on that virtual server or service; without SNI, the default server certificate is presented. You can enable SNI at any time.
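The selection rule described above (SNI host name against the common name first, then the SAN entries, with the non-SNI server certificate as the fallback) can be modelled to check what a given binding set will do before the change goes live. The following is an added example, not NetScaler code: the certkey names come from the CLI example on this page, the host names and SAN entries are constructed, and treating a URL SAN by its host part and an email SAN by its domain part is this example's assumption rather than documented appliance behaviour.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class CertKey:
    """A certificate-key pair bound to the SSL virtual server (constructed record)."""
    name: str                                   # certkey name used in the bind command
    common_name: str                            # subject CN, possibly a wildcard
    sans: List[Tuple[str, str]] = field(default_factory=list)  # (type, value) pairs
    sni: bool = False                           # True if bound with -SNICert


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; '*.' covers exactly one DNS label, so
    *.sports.net matches login.sports.net but not login.ftp.sports.net."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                    # ".sports.net"
        if not hostname.endswith(suffix):
            return False
        leftmost = hostname[: -len(suffix)]
        return bool(leftmost) and "." not in leftmost
    return pattern == hostname


def comparable_san_names(cert: CertKey):
    """Yield the SAN values the note says are compared: DNS names, URLs and
    email IDs. IP-address and other SAN types are skipped. Using the host part
    of a URL and the domain part of an email address is an assumption made by
    this example, not documented NetScaler behaviour."""
    for kind, value in cert.sans:
        if kind == "DNS":
            yield value
        elif kind == "URI":
            host = urlsplit(value).hostname
            if host:
                yield host
        elif kind == "email" and "@" in value:
            yield value.rsplit("@", 1)[1]


def select_certificate(hostname: Optional[str], certs: List[CertKey],
                       sni_enabled: bool = True) -> Optional[CertKey]:
    """Pick the certkey to present. With SNI disabled, or when the client sent
    no server name, the non-SNI 'Server Certificate' is used. Otherwise each
    bound cert is checked against its CN first and then its SAN entries; the
    first match wins, and the default certificate is the fallback."""
    default = next((c for c in certs if not c.sni), None)
    if not sni_enabled or not hostname:
        return default
    for cert in certs:
        if name_matches(cert.common_name, hostname):
            return cert
        if any(name_matches(n, hostname) for n in comparable_san_names(cert)):
            return cert
    return default


# Constructed bindings; certkey names follow the CLI example on this page.
BOUND_CERTS = [
    CertKey("servercert", "www.example.com"),   # default, bound without -SNICert
    CertKey("abccert", "*.sports.net", [("DNS", "sports.net")], sni=True),
    CertKey("xyzcert", "shop.example.net",
            [("DNS", "www.shop.example.net"),
             ("URI", "https://pay.example.net/checkout"),
             ("email", "billing@mail.example.net"),
             ("IP", "192.0.2.10")], sni=True),
]


def which_cert(hostname: Optional[str], sni_enabled: bool = True) -> str:
    """Return the certkey name the virtual server would present for this SNI value."""
    chosen = select_certificate(hostname, BOUND_CERTS, sni_enabled)
    return chosen.name if chosen else "<no certificate>"


if __name__ == "__main__":
    for host in ["login.sports.net", "help.sports.net", "login.ftp.sports.net",
                 "sports.net", "pay.example.net", "mail.example.net",
                 "192.0.2.10", None]:
        print(f"{str(host):24} -> {which_cert(host)}")
    print("SNI disabled, login.sports.net ->",
          which_cert("login.sports.net", sni_enabled=False))
```

Running the script shows the two cases that most often surprise operators: a request for login.ftp.sports.net falls through to the default certificate despite the wildcard, and a client that sends no server name (or a virtual server with SNI disabled) always receives the default certificate, whatever is bound with -SNICert.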

To bind multiple server certificates to a single SSL virtual server by using the command line interface

At the command prompt, type the following commands to configure SNI and verify the configuration:

  • set ssl vserver <vServerName> [-SNIEnable ( ENABLED | DISABLED )]
  • bind ssl vserver <vServerName> -certkeyName <string> -SNICert
  • show ssl vserver <vServerName>

To bind multiple server certificates to a transparent service by using the NetScaler command line, replace vserver with service and vServerName with serviceName in the above commands.

Note: The SSL service should be created with the -clearTextPort 80 option.

Example

set ssl vserver v1 -SNIEnable ENABLED
bind ssl vserver v1 -certkeyName abccert -SNICert
sh ssl vserver v1
Advanced SSL configuration for VServer v1:
…
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
SNI: ENABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1)CertKey Name: servercert Server Certificate
1)CertKey Name: abccert Server Certificate for SNI
2)CertKey Name: xyzcert Server Certificate for SNI
3)CertKey Name: startcert Server Certificate for SNI
1)Cipher Name: DEFAULT
Description: Predefined Cipher Alias
Done

To bind multiple server certificates to a single SSL virtual server or transparent SSL service by using the configuration utility

  1. Navigate to Traffic Management > Load Balancing > Virtual Servers.
  2. Open an SSL virtual server and, in Certificates, click Server Certificate.
  3. Add a new certificate or select a certificate from the list, and select Server Certificate for SNI.
  4. In Advanced Settings, click SSL Parameters.
  5. Select SNI Enable.