Using different certificates for different environments in different orgs in Edge

Not applicable

We have a customer with multiple orgs and multiple environments in each org. We want to use different certificates for each environment in each org. And each environment in each org has a different DNS alias.

For example:

org001 has 3 environments. These are the environments with their DNS aliases:

private - private-sapi.xxx.com

public - public.infra.t-dev.xxx.net

staging - staging-api.xxx.com

orgXYZ has 3 environments. These are the environments with their DNS aliases:

slot1 - slot1.orgXYZ.t-dev.xxx.net, massl.orgXYZ.t-dev.xxx.net (2 DNS aliases for this host)

slot2 - slot2.orgXYZ.t-dev.xxx.net

slot3 - slot3.orgXYZ.t-dev.xxx.net

So on and so forth, there are many more orgs and envs, the above are just examples.

The question is can we use different certificates for each environment?

If I have an HTTPS Virtual Host for each environment and reference a keystore in that Virtual Host that has a certificate (a different certificate for each environment), will the appropriate certificate be returned when a call is made to an API proxy deployed in each environment?

So if a request is made to private-sapi.xxx.com, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.

If a request is made to slot1.orgXYZ.t-dev.xxx.net, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.

If a request is made to slot3.orgXYZ.t-dev.xxx.net, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.

And so on and so forth.

Assuming that we have only 1 Virtual Host for each environment that references a keystore that contains the appropriate certificate for that environment, will the appropriate certificate for each environment be presented?

And will this work for non-SNI clients?

The concern is if the same Apigee router IP address(es) are shared between environments or organizations, then at the TLS level how will the Apigee router work out which certificate to present for non-SNI clients?

Notifying @naveen, @Madhan Sadasivam, @jagjyot, @Lee, @rajeev@apigee.com


jhans
New Member

Hi @Sathish Balasubramaniyan

If I have an HTTPS Virtual Host for each environment and reference a keystore in that Virtual Host that has a certificate (a different certificate for each environment), will the appropriate certificate be returned when a call is made to an API proxy deployed in each environment?

Answer: Yes, as we would add the appropriate keystore in the VH for each environment.

So if a request is made to private-sapi.xxx.com, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.

Answer: As explained in the earlier question, it would present the certificate of the specific environment.

Not applicable

What happens when a non-SNI client connects?

Since the hostname is provided as part of the TLS/SNI handshake, it would be unavailable to NGINX.

In which case, NGINX must choose a default VHOST.

It's unclear what the mechanism for configuring this default VHOST is.

In NGINX the "default_server" directive can be specified in the listen directive.

This server will respond whenever SNI is not supported by the client.

listen 443 default_server ssl;
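The selection behaviour described above, as an added example that is not part of this thread and not Apigee's or NGINX's own code: the virtual-host records are constructed from the aliases in the question, the `default` flag stands in for NGINX's `default_server`, and `select_keystore` shows what a router sharing one IP address can do with and without SNI. `presented_cert` is the practical check after configuration: it opens a TLS connection to a router once with SNI and once without, and returns the subject CN and SAN names of the leaf certificate actually served (pass `cafile` for self-signed non-prod certificates).

```python
"""Model of per-environment TLS virtual hosts on a shared router IP, plus a
live check of which certificate a router presents with and without SNI.
Added example; the virtual-host records below are constructed to mirror
the thread and are not a real Apigee configuration."""
import socket
import ssl
from dataclasses import dataclass


@dataclass
class VirtualHost:
    org: str
    env: str
    aliases: tuple       # DNS aliases this virtual host answers for
    keystore: str        # keystore (certificate) the virtual host references
    port: int = 443
    default: bool = False  # plays the role of NGINX "default_server" (assumption)


# Constructed from the aliases in the question; which host is the default
# is an assumption made for the example.
VHOSTS = [
    VirtualHost("org001", "private", ("private-sapi.xxx.com",), "org001-private-ks"),
    VirtualHost("org001", "public", ("public.infra.t-dev.xxx.net",), "org001-public-ks"),
    VirtualHost("org001", "staging", ("staging-api.xxx.com",), "org001-staging-ks", default=True),
    VirtualHost("orgXYZ", "slot1", ("slot1.orgXYZ.t-dev.xxx.net", "massl.orgXYZ.t-dev.xxx.net"), "orgXYZ-slot1-ks"),
    VirtualHost("orgXYZ", "slot2", ("slot2.orgXYZ.t-dev.xxx.net",), "orgXYZ-slot2-ks"),
    VirtualHost("orgXYZ", "slot3", ("slot3.orgXYZ.t-dev.xxx.net",), "orgXYZ-slot3-ks"),
]


def select_keystore(vhosts, sni, port=443):
    """Keystore a router sharing one IP:port would present.
    With SNI: the virtual host whose alias list contains the name (case-
    insensitive). Without SNI, or with an unknown name: the default virtual
    host on that port, or None if no default is configured."""
    candidates = [v for v in vhosts if v.port == port]
    if sni:
        name = sni.lower().rstrip(".")
        for v in candidates:
            if name in (a.lower() for a in v.aliases):
                return v.keystore
    defaults = [v for v in candidates if v.default]
    if len(defaults) > 1:
        raise ValueError("more than one default virtual host on port %d" % port)
    return defaults[0].keystore if defaults else None


def find_alias_conflicts(vhosts):
    """Aliases claimed by two virtual hosts with different keystores on the
    same port: the router cannot tell those apart even with SNI."""
    seen = {}
    conflicts = set()
    for v in vhosts:
        for a in v.aliases:
            key = (a.lower(), v.port)
            if key in seen and seen[key] != v.keystore:
                conflicts.add(a.lower())
            seen.setdefault(key, v.keystore)
    return sorted(conflicts)


def presented_cert(host, port=443, sni=True, cafile=None, timeout=5):
    """Connect to a router and return (subject CN, DNS SANs) of the leaf
    certificate it presents, with SNI (server_hostname=host) or without.
    Hostname checking is off because the point is to observe what is served;
    the chain is still verified against the system store or cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            cert = tls.getpeercert()
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return (cn[0] if cn else None, sans)


if __name__ == "__main__":
    for name in ("private-sapi.xxx.com", "massl.orgXYZ.t-dev.xxx.net", None):
        print(name, "->", select_keystore(VHOSTS, name))
    print("alias conflicts:", find_alias_conflicts(VHOSTS))
    # Live check against a real router (not run here):
    # print(presented_cert("slot1.orgXYZ.t-dev.xxx.net", sni=True, cafile="nonprod-ca.pem"))
    # print(presented_cert("slot1.orgXYZ.t-dev.xxx.net", sni=False, cafile="nonprod-ca.pem"))
```

Running `presented_cert` twice per alias, with and without SNI, is the quickest way to confirm the answer for a given router: if the two results differ, non-SNI clients are getting the default virtual host's certificate rather than the environment's own.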

Not applicable

What is the best practice?

Also, considering we have so many orgs (30) and many environments (each org having 10 envs), do we really need to have certs for each environment (considering it's a non-prod system which would not be accessible to the outside world)?

Does it make sense to have one self-signed cert per org (to ease the load of cert management)?

Not applicable

@naveen For non-prod, it's 1 cert per org (a wildcard cert that will be used for all environments); for prod, it's one cert per env. This has been decided by the customer.