We have a customer with multiple orgs and multiple environments in each org. We want to use different certificates for each environment in each org. And each environment in each org has a different DNS alias.
For example:
org001 has 3 environments. These are the environments with their DNS aliases:
private - private-sapi.xxx.com
public - public.infra.t-dev.xxx.net
staging - staging-api.xxx.com
orgXYZ has 3 environments. These are the environments with their DNS aliases:
slot1 - slot1.orgXYZ.t-dev.xxx.net, massl.orgXYZ.t-dev.xxx.net (2 DNS aliases for this host)
slot2 - slot2.orgXYZ.t-dev.xxx.net
slot3 - slot3.orgXYZ.t-dev.xxx.net
So on and so forth, there are many more orgs and envs, the above are just examples.
The question is: can we use different certificates for each environment?
If I have an HTTPS Virtual Host for each environment and reference a keystore in that Virtual Host that has a certificate (a different certificate for each environment), will the appropriate certificate be returned when a call is made to an API proxy deployed in each environment?
So if a request is made to private-sapi.xxx.com, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.
If a request is made to slot1.orgXYZ.t-dev.xxx.net, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.
If a request is made to slot3.orgXYZ.t-dev.xxx.net, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.
And so on and so forth.
Assuming that we have only 1 Virtual Host for each environment that references a keystore that contains the appropriate certificate for that environment, will the appropriate certificate for each environment be presented?
And will this work for non-SNI clients?
The concern is: if the same Apigee router IP address(es) are shared between environments or organizations, then at the TLS level how will the Apigee router work out which certificate to present for non-SNI clients?
Notifying @naveen, @Madhan Sadasivam, @jagjyot, @Lee, @rajeev@apigee.com
If I have an HTTPS Virtual Host for each environment and reference a keystore in that Virtual Host that has a certificate (a different certificate for each environment), will the appropriate certificate be returned when a call is made to an API proxy deployed in each environment?
Answer: Yes, as we would add the appropriate keystore in the VH for each environment.
So if a request is made to private-sapi.xxx.com, the certificate in the keystore referenced by the HTTPS Virtual Host of that environment needs to be presented.
Answer: As explained in the earlier question, it would present the certificate of the specific environment.
What happens when a non-SNI client connects?
Since the hostname is provided as part of the TLS/SNI handshake, it would be unavailable to NGINX.
In which case, NGINX must choose a default VHOST.
It's unclear what the mechanism for configuring this default VHOST is.
In NGINX the "default_server" directive can be specified in the listen directive.
This server will respond whenever SNI is not supported by the client.
listen 443 default_server ssl;
What is the best practice?
Also, considering we have so many Orgs (30) and many environments (each Org having 10 envs), do we really need to have certs for each environment (considering it's a non-prod system which would not be accessible to the outside world)?
Does it make sense to have one self-signed cert per Org (to ease the load of cert management)?
@naveen For non-prod, it's 1 cert per org (wild-card cert that will be used for all environments); for prod, it's one cert per env. This has been decided by the customer.
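A small model of the selection rules this thread hinges on, added here as an example and not Apigee's or NGINX's own code: NGINX's documented server_name precedence (exact name, longest leading wildcard, longest trailing wildcard, first regex, then default_server or the first block), applied to the hostnames from the thread, with a non-SNI client modelled as sni=None. The certificate labels are constructed placeholders for whatever the referenced keystore holds, and the wildcard Virtual Host stands in for the one-cert-per-org non-prod decision.

```python
"""Model of how an NGINX-based TLS router picks the server block (and so the
keystore certificate) per connection; sni=None models a non-SNI client.
Added example for this thread, not Apigee's or NGINX's code; certs are labels."""
import re
from dataclasses import dataclass, field

@dataclass
class VirtualHost:
    env: str                  # org/environment the HTTPS Virtual Host belongs to
    cert: str                 # constructed label for the cert in the referenced keystore
    names: list = field(default_factory=list)  # server_name entries, wildcards allowed
    default: bool = False     # True for "listen 443 default_server ssl;"

def _wild(host, pat):
    """NGINX wildcard: '*.a.b' covers one or more leading labels, 'a.b.*' trailing ones."""
    if pat.startswith("*."):
        return host.endswith(pat[1:]) and len(host) > len(pat[1:])
    if pat.endswith(".*"):
        return host.startswith(pat[:-1]) and len(host) > len(pat[:-1])
    return False

def select_vhost(vhosts, sni):
    """NGINX server_name precedence: exact, longest leading wildcard, longest
    trailing wildcard, first regex, then default_server (or the first block)."""
    fallback = next((v for v in vhosts if v.default), vhosts[0])
    if sni is None:            # no hostname at the TLS level: only the default can be chosen
        return fallback
    host = sni.lower()
    for v in vhosts:           # 1. exact server_name match
        if any(n.lower() == host for n in v.names):
            return v
    for kind in (lambda n: n.startswith("*."), lambda n: n.endswith(".*")):
        best = None            # 2./3. longest leading, then longest trailing, wildcard
        for v in vhosts:
            for n in v.names:
                if kind(n) and _wild(host, n.lower()) and (not best or len(n) > len(best[1])):
                    best = (v, n)
        if best:
            return best[0]
    for v in vhosts:           # 4. first regex (~pattern) in configuration order
        if any(n.startswith("~") and re.search(n[1:], host) for n in v.names):
            return v
    return fallback            # 5. default_server, else the first block listed

# Hostnames from the thread; one wildcard VH per org, as in the non-prod decision.
THREAD_VHOSTS = [
    VirtualHost("org001/private", "cert-org001-private", ["private-sapi.xxx.com"]),
    VirtualHost("orgXYZ/slot1", "cert-orgXYZ-slot1", ["slot1.orgXYZ.t-dev.xxx.net", "massl.orgXYZ.t-dev.xxx.net"]),
    VirtualHost("orgXYZ/any", "cert-orgXYZ-wildcard", ["*.orgXYZ.t-dev.xxx.net"], default=True),
]
```

Without a default_server flag the first block listed wins for non-SNI clients, which is why a shared router IP needs the default chosen deliberately rather than by configuration order.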