SSL VPN
Contributor
hazeen
Posts: 67
Registered: ‎03-24-2008
Accepted Solution

Multiple certificates on SA

Hi,

I have 2 URLs for accessing my SA.

office.company.com

remote.company.com

There are 2 public certificates for these URLs, and both URLs are mapped to the same public IP in DNS.

I have already installed one of the certificates for the interface and it is working. Can I install the second certificate on the same interface?

Visitor
moreilly
Posts: 8
Registered: ‎05-28-2008

Re: Multiple certificates on SA

Hi hazeen,

You have to use a Virtual Port for that (and attach the second certificate to that port).

That means you also need an additional IP address which is bound to this virtual port.

Cheers

Contributor
hazeen
Posts: 67
Registered: ‎03-24-2008

Re: Multiple certificates on SA

Hi Moreilly,

Thanks for your answer.

That means that I need to NAT another public IP to the virtual port IP address on my firewall, right? :(

Visitor
moreilly
Posts: 8
Registered: ‎05-28-2008

Re: Multiple certificates on SA

Hi hazeen,

If you do NAT, yes, you have to use an additional (official) IP.

The problem is that the SA (as any device I know) has to make a mapping between the certificate and an IP address, e.g. if there is a connection to the IP "A", just use the Certificate "A"; if there is a connection to IP "B", just use the Certificate "B".

The SA cannot use the hostname of the request (https://host_A/...) as a differentiator, as the hostname is known to the SA only after the SSL session is established (and the right certificate is already necessary during that setup).

Cheers

Visitor
moreilly
Posts: 8
Registered: ‎05-28-2008

Re: Multiple certificates on SA

One further note:

You can use a wildcard certificate, e.g. for *.company.com. In this case one certificate for

office.company.com

remote.company.com

would be sufficient (this means that the domain name has to be the same).
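The wildcard coverage mentioned in the last post, as an added example that is not part of the original thread: a check of which portal hostnames a certificate's DNS names cover, using left-most-label wildcard matching in the style of RFC 6125. The function names and the certificate name lists are constructed for illustration, and refusing wildcards with fewer than two labels after the `*` is a conservative policy assumed here.

```python
# Added example: does a certificate's name list cover every portal hostname?
# Hostnames are the ones from the thread; certificate name lists are constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    # Everything to the right of the first label must match literally.
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # Assumed policy: require two labels after the wildcard ("*.com" is refused).
        return len(rest) >= 2
    # Partial wildcards such as "off*" are not honoured here.
    return "*" not in pattern and first == h_labels[0]


def uncovered(cert_names, hostnames):
    """Hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


if __name__ == "__main__":
    portal_urls = ["office.company.com", "remote.company.com"]
    print(uncovered(["*.company.com"], portal_urls))       # wildcard certificate
    print(uncovered(["office.company.com"], portal_urls))  # single-name certificate
```

A wildcard name covers one label only, so `*.company.com` does not cover `company.com` itself or a deeper name such as `vpn.remote.company.com`.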

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.