Virtual hosting is used by Web servers to host more than one domain name on the same IP address. The NetScaler supports hosting of multiple secure domains by offloading SSL processing from the Web servers, using either transparent SSL services or virtual server-based SSL offloading. However, when multiple Web sites are hosted on the same virtual server, the SSL handshake completes before the client has told the virtual server which host name it wants. As a result, the NetScaler cannot determine which certificate to present to the client when the connection is established.

This problem is resolved by enabling Server Name Indication (SNI) on the virtual server. SNI is a Transport Layer Security (TLS) extension that lets the client supply the host name when it initiates the handshake. The NetScaler appliance compares this host name to the certificate's common name and, if that does not match, to the subject alternative name (SAN). If the name matches, the appliance presents the corresponding certificate to the client.
A wildcard SSL certificate enables SSL encryption on multiple subdomains, provided the domains are controlled by the same organization and share the same second-level domain name. For example, a wildcard certificate issued to a sports network with the common name "*.sports.net" can be used to secure domains such as "login.sports.net" and "help.sports.net", but not "login.ftp.sports.net".
Note: On a NetScaler appliance, only domain-name, URL, and email-ID entries in the SAN field are compared.
You can bind multiple server certificates to a single SSL virtual server or transparent service by using the -SNICert option. These certificates are presented by the virtual server or service only if SNI is enabled on that virtual server or service. You can enable SNI at any time.