Does TIM support multiple SSL certificates in a single domain?

Document ID : KB000045874
Last Modified Date : 14/02/2018

Introduction: 

I have an environment where different web service URL paths in a single domain or host use different SSL certs. For example:

Domain:
www.mydomain.com

URL path 1 uses certA:
www.mydomain.com/app1

URL path 2 uses certB:
www.mydomain.com/app2

Question: 

Will CEM/TIM be able to support such configuration?

 

Environment:  

Applicable to all APM Releases

 

Answer: 

Basically, TIM is not aware of the domain name or the URL path under the domain until the traffic has been decoded. It is only interested in the Web Server IP address + Port combination that it sees in the network packet. When TIM receives traffic from a Web Server IP, it uses the private key uploaded for that IP + Port combination to decode the traffic. The uploaded key is stored with its corresponding IP (or IP range) + Port in the file name, for example: 19x.1xx.0.8x-19x.1xx.0.9x~443.xml-enc. TIM supports only one certificate per IP + Port combination; any subsequent certificate uploaded for the same IP + Port combination overwrites the previous one.

If each application within a single domain is hosted on a separate Web Server, or hosted on the same Web Server on different port numbers, then TIM should be able to support it. You will need to add one entry for each IP + Port + Cert combination to the CEM > Setup > HTTPS Settings.

Having said that, this will only work if TIM sits between the load balancer and the web servers, where it observes traffic addressed directly to each web server. If TIM sits in front of the load balancer, it can only recognize one key/cert for the load balancer's IP address, and any subsequent certs uploaded for the same IP address will overwrite the previous key.
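The following Python model illustrates the key-selection rule described above: keys are indexed by IP range + port (using the file-name convention quoted in the answer), lookup ignores host name and URL path, and a second upload for the same IP + Port overwrites the first. This is an added example written for this article, not TIM's own code; the linear-scan lookup, the single-host range form (first IP equal to last IP) and the RFC 5737 test addresses are assumptions constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class KeyEntry:
    """One uploaded private key, scoped to an IP range and a port."""
    first_ip: ipaddress.IPv4Address
    last_ip: ipaddress.IPv4Address
    port: int
    key_name: str


def filename_for(first_ip: str, last_ip: str, port: int) -> str:
    # Mirrors the "<first>-<last>~<port>.xml-enc" naming quoted in the article.
    return f"{first_ip}-{last_ip}~{port}.xml-enc"


def parse_filename(name: str) -> Tuple[str, str, int]:
    """Inverse of filename_for: recover (first_ip, last_ip, port) from the stored name."""
    stem = name[: -len(".xml-enc")] if name.endswith(".xml-enc") else name
    range_part, port = stem.rsplit("~", 1)
    first, last = range_part.split("-", 1)
    return first, last, int(port)


class KeyStore:
    """Model of the IP+Port keyed store; hostnames and URL paths play no role."""

    def __init__(self) -> None:
        self._entries: Dict[str, KeyEntry] = {}  # keyed by file name == IP range + port

    def upload(self, first_ip: str, last_ip: str, port: int, key_name: str) -> Optional[str]:
        """Store a key; returns the name of the key it overwrote, if any."""
        fname = filename_for(first_ip, last_ip, port)
        previous = self._entries.get(fname)
        self._entries[fname] = KeyEntry(
            ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip), port, key_name
        )
        return previous.key_name if previous else None

    def key_for(self, server_ip: str, port: int) -> Optional[str]:
        """Select the key for a packet by destination IP + port only (assumed linear scan)."""
        ip = ipaddress.IPv4Address(server_ip)
        for entry in self._entries.values():
            if entry.port == port and entry.first_ip <= ip <= entry.last_ip:
                return entry.key_name
        return None


def scenario_behind_load_balancer() -> Tuple[Optional[str], Optional[str]]:
    """Both /app1 and /app2 arrive on the load balancer's single IP:443 -> certB overwrites certA."""
    store = KeyStore()
    store.upload("192.0.2.10", "192.0.2.10", 443, "certA")  # meant for /app1 (constructed)
    overwritten = store.upload("192.0.2.10", "192.0.2.10", 443, "certB")  # meant for /app2
    return overwritten, store.key_for("192.0.2.10", 443)


def scenario_separate_servers() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Distinct IPs, or the same IP on distinct ports, each keep their own key."""
    store = KeyStore()
    store.upload("192.0.2.10", "192.0.2.10", 443, "certA")   # app1 on its own server
    store.upload("192.0.2.11", "192.0.2.11", 443, "certB")   # app2 on another server
    store.upload("192.0.2.10", "192.0.2.10", 8443, "certC")  # same host, different port
    return (
        store.key_for("192.0.2.10", 443),
        store.key_for("192.0.2.11", 443),
        store.key_for("192.0.2.10", 8443),
    )


if __name__ == "__main__":
    print(scenario_behind_load_balancer())  # ('certA', 'certB')
    print(scenario_separate_servers())      # ('certA', 'certB', 'certC')
```

The first scenario is the "TIM in front of the load balancer" case: the second upload returns the name of the key it displaced and only certB remains selectable, regardless of URL path. The second scenario is the supported layout, one HTTPS Settings entry per IP + Port + Cert.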

 

Additional Information:

For more information, see About Multiple Keys for HTTPS Servers