Kemp LoadMaster: Publish Web Sites with Dual Certificates

Every customer has different requirements for publishing a web site, but what happens when the request is to use two different certificates for the same web site? One of my main suggestions when I talk with customers is to always use a reverse proxy to publish an application server; this rule also applies when there is only one server.

Kemp LoadMaster is an Application Delivery Controller solution that lets you publish services to the world, load-balanced or not. In this article I will show how to publish a web site with two certificates; the requirement is not a “classic” one because there is a public certificate for external traffic and a private certificate for internal traffic.

Certificate
To avoid problems, neither certificate should be a wildcard. In my case I used a wildcard for the public side, and it works, but this is a lab so I can take more risks.

Web Server
On your web server, import the internal certificate with the machine name and check that it is present in IIS, as shown in figure 1. Obviously you can do the same on Apache.

Figure 1 – Certificate in IIS

Add the certificate to the HTTPS binding of your web site, as shown in figure 2.

Figure 2 – HTTPS Binding

Kemp LoadMaster
Import both certificates into Kemp and create the new Virtual Services with all the usual parameters. To manage two different certificates, you need to enable re-encryption between Kemp and the Real Server, as shown in figure 3. In some cases it may be necessary to set the Reencryption SNI Hostname.

Figure 3 – Certificate in Kemp

Now it’s time to test the solution! This is another demonstration of Kemp’s flexibility.
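
One way to run that test, as an added example that is not part of the original article: a standard-library Python check that fetches the certificate each leg presents (the Virtual Service for external clients, the Real Server for the re-encrypted leg) for a given SNI name and compares its SHA-256 fingerprint with the one you expect. The addresses, host names and certificate bytes are constructed placeholders, and the function names are this example's own.

```python
import hashlib
import socket
import ssl

def fetch_leaf_der(host, port, sni, timeout=5.0):
    """Return the DER-encoded leaf certificate presented for the given SNI name."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: the internal certificate may come from
    # a private CA, and the check here is the fingerprint comparison below.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)

def sha256_fp(der):
    return hashlib.sha256(der).hexdigest().upper()

def normalize(fp):
    """Accept a fingerprint as pasted from a tool: 'AA:BB', 'aa bb' or 'aabb'."""
    return fp.replace(":", "").replace(" ", "").upper()

def check_legs(legs, fetch=fetch_leaf_der):
    """Compare each leg's presented certificate with its expected fingerprint."""
    findings, seen = [], {}
    for leg in legs:
        try:
            fp = sha256_fp(fetch(leg["host"], leg["port"], leg["sni"]))
        except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
            findings.append(f"{leg['name']}: TLS connection failed ({exc})")
            continue
        seen.setdefault(fp, []).append(leg["name"])
        if fp != normalize(leg["expected_fp"]):
            findings.append(f"{leg['name']}: unexpected certificate {fp}")
    for names in seen.values():
        if len(names) > 1:  # both legs show one certificate: not a dual-certificate setup
            findings.append("same certificate on: " + ", ".join(names))
    return findings

if __name__ == "__main__":
    # Constructed stand-ins for the two DER certificates, addresses and names.
    PUBLIC, INTERNAL = b"constructed-public-der", b"constructed-internal-der"
    legs = [
        {"name": "virtual service", "host": "192.0.2.10", "port": 443,
         "sni": "www.example.com", "expected_fp": sha256_fp(PUBLIC)},
        {"name": "real server", "host": "198.51.100.21", "port": 443,
         "sni": "web01.example.internal", "expected_fp": sha256_fp(INTERNAL)},
    ]
    offline = lambda host, port, sni: PUBLIC if host == "192.0.2.10" else INTERNAL
    # For a live check, set real addresses and fingerprints and drop fetch=offline.
    print(check_legs(legs, fetch=offline) or "both legs present the expected certificate")
```

The SNI name passed for the Real Server leg should be the same value the LoadMaster sends, which is what the Reencryption SNI Hostname setting controls.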

Remember that you can try the Kemp LoadMaster virtual machine for 30 days: http://kemptechnologies.com/
