SSL_MULTICERT.CONFIG(5) | Apache Traffic Server | SSL_MULTICERT.CONFIG(5) |
ssl_multicert.config - Traffic Server SSL certificate configuration file
The ssl_multicert.config file lets you configure Traffic Server to use multiple SSL server certificates to terminate the SSL sessions. If you have a Traffic Server system with more than one IP address assigned to it, then you can assign a different SSL certificate to be served when a client requests a particular IP address or host name.
At configuration time, certificates are parsed to extract the certificate subject and all the DNS subject alternative names. A certificate will be presented for connections requesting any of the hostnames found in the certificate. Wildcard names are supported, but only of the form *.domain.com, i.e. where * is the leftmost domain component.
Changes to ssl_multicert.config can be applied to a running Traffic Server using traffic_ctl config reload.
Each ssl_multicert.config line consists of a sequence of key=value fields that specify how Traffic Server should use a particular SSL certificate.
When running with OpenSSL 1.0.2 or later, the ssl_cert_name directive can be used to configure the intermediate CA chain on a per-certificate basis. Multiple chain files are separated by a comma character. For example, it is possible to configure an ECDSA certificate chain and an RSA certificate chain and serve them simultaneously, allowing OpenSSL to determine which certificate is used when the TLS session cipher suites are negotiated. Note that the leaf certs in FILENAME1 and FILENAME2 must have the same subjects and alternate names. The first certificate is used to match the client's SNI request.
With OpenSSL 1.0.1 you can also configure multiple leaf certificates in the same chain.
ssl_cert_name is the only field that is required to be present.
Traffic Server attempts two certificate selections during SSL connection setup. An initial selection is made when a TCP connection is accepted. This selection examines the IP address and port that the client is connecting to and chooses the best certificate from those that have a dest_ip specification. If no matching certificates are found, a default certificate is chosen. The final certificate selection is made during the SSL handshake. At this point, the client may use Server Name Indication to request a specific hostname. Traffic Server will use this request to select a certificate with a matching subject or subject alternative name. Failing that, a wildcard certificate match is attempted. If no match can be made, the initial certificate selection remains in force.
In all cases, Traffic Server attempts to select the most specific match. An address specification that contains a port number will take precedence over a specification that does not contain a port number. A specific certificate subject will take precedence over a wildcard certificate. In the case of multiple matching certificates the first match will be returned to non-SNI capable clients.
The following example configures Traffic Server to use the SSL certificate server.pem for all requests to the IP address 111.11.11.1 and the SSL certificate server1.pem for all requests to the IP address 11.1.1.1. Connections from all other IP addresses are terminated with the default.pem certificate. Since the private key is included in the certificate files, no private key name is specified.
dest_ip=111.11.11.1 ssl_cert_name=server.pem
dest_ip=11.1.1.1 ssl_cert_name=server1.pem
dest_ip=* ssl_cert_name=default.pem
The following example configures Traffic Server to use the ECDSA certificate chain ecdsa.pem or RSA certificate chain rsa.pem for all requests.
dest_ip=* ssl_cert_name=ecdsa.pem,rsa.pem
The following example configures Traffic Server to use the ECDSA certificate chain ecdsa.pem or RSA certificate chain rsa.pem for all requests, with the public key and private key in separate PEM files. Note that the number of files in ssl_key_name must match the number of files in ssl_cert_name, and they must be listed in the same order.
dest_ip=* ssl_cert_name=ecdsa_pub.pem,rsa_pub.pem ssl_key_name=ecdsa_private.pem,rsa_private.pem
The following example configures Traffic Server to use the SSL certificate server.pem and the private key serverKey.pem for all requests to port 8443 on IP address 111.11.11.1. The general.pem certificate is used for server name matches.
dest_ip=111.11.11.1:8443 ssl_cert_name=server.pem ssl_key_name=serverKey.pem
ssl_cert_name=general.pem
The following example configures Traffic Server to use the SSL certificate server.pem for all requests to the IP address 111.11.11.1. Session tickets are enabled with a persistent ticket key.
dest_ip=111.11.11.1 ssl_cert_name=server.pem ssl_ticket_enabled=1 ticket_key_name=ticket.key
The following example configures Traffic Server to use the SSL certificate server.pem and disable session tickets for all requests to the IP address 111.11.11.1.
dest_ip=111.11.11.1 ssl_cert_name=server.pem ssl_ticket_enabled=0
The following examples configure Traffic Server to use the SSL certificate server.pem, which includes an encrypted private key. The external program /usr/bin/mypass will be called on startup with one parameter (foo) in the first example, and with two parameters (foo) and (ba r) in the second example; in both cases the program (mypass) returns the pass phrase used to decrypt the keys.
ssl_cert_name=server1.pem ssl_key_dialog="exec:/usr/bin/mypass foo"
ssl_cert_name=server2.pem ssl_key_dialog="exec:/usr/bin/mypass foo 'ba r'"
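The following Python script is an added example, not Traffic Server's own code. It models the line syntax described above (key=value fields, the required ssl_cert_name, double-quoted ssl_key_dialog values with embedded spaces, the rule that ssl_key_name must list as many files as ssl_cert_name) and the two-stage certificate selection with its precedence (dest_ip with a port beats an address alone, which beats *; an exact subject or SAN beats a wildcard; the first of equal matches wins; no SNI match keeps the initial choice). It runs over a constructed config and a constructed map of the names each certificate file would carry, since it does not parse real PEM files; all file names and hostnames are made up, and reading the wildcard rule as covering exactly one label is this example's choice.

```python
"""Model of ssl_multicert.config parsing and certificate selection (added example,
not Traffic Server code). It applies the rules this page describes to a constructed
config and a constructed map of the names each certificate file would carry."""
import shlex

REQUIRED = "ssl_cert_name"

def parse_line(line):
    """Split one line into key=value fields; shlex keeps double-quoted values intact."""
    fields = {}
    for tok in shlex.split(line):
        key, sep, value = tok.partition("=")
        if not sep or not key:
            raise ValueError(f"field without key=value form: {tok!r}")
        fields[key] = value
    if REQUIRED not in fields:
        raise ValueError(f"{REQUIRED} is required: {line!r}")
    keys = fields.get("ssl_key_name")
    if keys is not None and len(keys.split(",")) != len(fields[REQUIRED].split(",")):
        raise ValueError("ssl_key_name count must match ssl_cert_name count")
    return fields

def check_line(line):
    """None when the line is acceptable, otherwise the validation error text."""
    try:
        parse_line(line)
        return None
    except ValueError as exc:
        return str(exc)

def parse_dest(dest):
    """None (no dest_ip), ('*', None), ('addr', None) or ('addr', port); IPv4 only."""
    if dest is None:
        return None
    addr, sep, port = dest.rpartition(":")
    return (addr, int(port)) if sep and port.isdigit() else (dest, None)

def name_matches(pattern, host):
    """2 for an exact match, 1 for a leftmost-label wildcard match, 0 for none."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return 2
    if pattern.startswith("*."):
        label, sep, rest = host.partition(".")
        if sep and label and "." + rest == pattern[1:]:  # '*' covers one label only
            return 1
    return 0

def dest_rank(dest, client_ip, port):
    """0 no match, 1 for dest_ip=*, 2 for the address alone, 3 for address:port."""
    if dest is None:
        return 0
    addr, dport = dest
    if addr == "*":
        return 1
    if addr != client_ip:
        return 0
    return 3 if dport == port else 2 if dport is None else 0

def load(config_text, cert_names):
    """Parse every non-comment line; cert_names maps a file to its leaf's names."""
    entries = []
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = parse_line(line)
        first_chain = fields[REQUIRED].split(",")[0]  # the chain matched against SNI
        entries.append({"fields": fields, "dest": parse_dest(fields.get("dest_ip")),
                        "names": cert_names.get(first_chain, [])})
    return entries

def select(entries, client_ip, port, sni=None):
    """Both selection stages; returns the ssl_cert_name value that would be served."""
    def best(rank_of):
        top, top_rank = None, 0
        for entry in entries:
            rank = rank_of(entry)
            if rank > top_rank:  # strict: the first of equal matches wins
                top, top_rank = entry, rank
        return top
    chosen = best(lambda e: dest_rank(e["dest"], client_ip, port))  # at TCP accept
    if sni:  # during the handshake; no match keeps the initial choice
        by_name = best(lambda e: max((name_matches(n, sni) for n in e["names"]), default=0))
        chosen = by_name or chosen
    return None if chosen is None else chosen["fields"][REQUIRED]

# Constructed sample config shaped like the examples above; hostnames are made up.
CONFIG = """\
dest_ip=111.11.11.1:8443 ssl_cert_name=server.pem ssl_key_name=serverKey.pem
dest_ip=111.11.11.1 ssl_cert_name=server1.pem
dest_ip=* ssl_cert_name=ecdsa.pem,rsa.pem ssl_key_name=ecdsa_private.pem,rsa_private.pem
ssl_cert_name=general.pem
ssl_cert_name=wild.pem ssl_key_dialog="exec:/usr/bin/mypass foo 'ba r'"
"""
# Constructed: the subject and SAN names that parsing each leaf would yield.
CERT_NAMES = {"server.pem": ["admin.example.com"], "server1.pem": ["admin.example.com"],
              "ecdsa.pem": ["www.example.com"], "general.pem": ["api.example.com"],
              "wild.pem": ["*.example.com"]}
ENTRIES = load(CONFIG, CERT_NAMES)
```

Calling select(ENTRIES, "111.11.11.1", 443) returns server1.pem because the port-specific line does not match port 443, while select(ENTRIES, "10.0.0.1", 443, sni="foo.example.com") starts from the dest_ip=* default and then switches to wild.pem through the wildcard match; a name such as deep.foo.example.com matches nothing and keeps the default. Before reloading a real file with traffic_ctl config reload, check_line is the kind of check worth running on every line, since a mismatched ssl_key_name count or a missing ssl_cert_name is easier to catch here than in the handshake.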
2023, dev@trafficserver.apache.org
November 2, 2023 | 8.1 |