Forum Discussion
chris_16019
Nimbostratus
NimbostratusBasic SSL Profile question
Please forgive the noobish question, I've only just returned fromt the basic LTM training.
I have two secure certificates and keys that need applying to an SSL profile, and then to a virtual server. However, I only appear to be able to apply one certificate to a profile, and one profile to a virtual server.
If you have two HTTPS:// websites behind one virtual server how do you apply two certificates to one SSL profile or apply two profiles to one virtual server?
Thanks in advance.
hoolioCirrostratus
Hi,
You can only specify one client SSL profile and one server SSL profile per virtual server in the virtual server configuration. This can be extended using iRules, but for practical purposes you can only present one cert to clients.
Are the two certificates for different fully qualified domain names? If so, can you create two different virtual servers with separate client SSL profiles?
Aaron
chris_16019Hi Aaron, thanks for the response.
One of the sites is abc.pl and one is abc.com.pl
The problem I have is that the two websites are currently being used by clients with a self certificate.
If I create a new virtual server I obviously either need to change the port, which I can't as the requests are being received on 443, or the IP address, and again the sites are already live and requests are translated to the relevant local IP address (virtual server). The only way I see around this is by changing the internet DNS to resolve to a different internet IP address and redirecting this address to a new virtual server.
The one thing I'm failing to undestand as a noob LTM installer is surely it's not an uncommon situation to have multiple HTTPS websites on a web server behind an F5? I'm guessing people in these situations are either allocating lots of internet IP addresses out or are using irules. If so sounds like irules are the way forward.
Thanks- hoolioThe issue isn't with BIG-IP--it's with HTTPS as a protocol. When a client makes an HTTPS request, the HTTP host header value is encrypted. In order to present the correct certificate you must know which Host (abc.pl or abc.com.pl) the client has made the request to. In order to see the host header value, you must decrypt the SSL. To do so, you have to present a certificate to the client. You're right that this comes up frequently--unfortunately, the solution isn't an iRule, it's using separate virtual servers or a single certificate which is valid for multiple FQDN's.
Recently, posters here suggested using an SSL certificate with Subject Alternate Names (SANs) to support multiple FQDN's in the same certificate (and same VIP). We ended up getting one for our network to support domain.com and www.domain.com. Perhaps you can do this as well? Most cert authorities and browsers support SANs now.
Try searching the forums here or on a search engine for ssl certificate and SANs for details. Here's one example where Deb listed a few links: (Click here).
Aaron - chris_16019Excellent - thanks for the detailed responses. I'll look into what you have suggested.
Thanks again.