Multi-level Domain Support for SSL

Avi Vantage SSL support includes multi-level domain name support. Multi-level domain support allows a pool to be configured with a list of multiple domain names for server certificate verification. During SSL session setup between a back-end server and Avi Service Engine (SE), Avi Vantage checks the server’s certificate for the domain names listed in the pool. If any of the domain names are found in the certificate, the SSL session is allowed. However, if the certificate presented by the back-end server does not contain any of the domain names listed in the pool, the SSL session is not allowed.

Within a pool configuration, the SSL settings for securing connections to the back-end servers include an option to enable host header checking. After enabling this option, the domain name list can be specified. The type of matching used to verify the certificate’s server name depends on how these options are configured.

Host Header Check Domain Name List How Server Name Matching Is Performed
N Not configurable Not checked
Y N Domain name in certificate's Common Name or Subject Alternative Name field must match hostname of request URL. If the domain name list is configured (not empty) but does not match any name in the certificate, the connection is denied.
Y Y Domain name in certificate's Common Name or Subject Alternative Name field must match domain name in pool's domain name list. If the hostname of the requested does not match a hostname in the certificate, the connection is denied.

Configuring Multi-level Domain Support

  1. Navigate to Applications Pools.
  2. Click the edit icon next to the pool name, or click Create Pool if creating a new one.
  3. On the Settings tab, select the SSL to Backend Servers checkbox. Additional SSL configuration fields for the pool appear.
    pool-ssl-sam1
  4. Select the Host Header Check checkbox. The Domain Names field appears.
    • To check strictly based on the request URL hostname, leave the Host Header Check checkbox selected and leave the Domain Names field blank.
      pool-ssl-sam2
    • To instead check based on a list of domain names, enter them in the Domain Names field.
      pool-ssl-sam3
  5. To save the pool, click Next until the Review tab appears, then click Save.

Note: If creating a new pool, a name is required before the pool can be saved.