
Forum Discussion

dipta_03_149731
Aug 03, 2015

Can I have multiple certificates for one VIP on LTM?

I need some suggestion here:


Could we have multiple SSL certificates for one virtual server/VIP? I need to create a new setup for Microsoft Lync and, instead of putting SAN names in one certificate, can we have multiple certificates for one VIP? This is a special kind of request and would need some inputs. I was seeing that the TLS SNI feature does support that, but I'm not sure how the whole thing works.


https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html


2 Replies

  • In general, you create an SSL virtual server, but assign multiple client SSL profiles to the virtual server. This tells the F5 that you want to check for SNI information in client requests. You need to create one client SSL profile per server name that will be used by your accessors, each configured with the appropriate certificate for that server name. You can either explicitly configure the server hostname that will trigger use of that profile, or allow it to infer that hostname from the certificate you select (in 11.5.0 and earlier, it will use the Common Name field from the certificate you select; in later versions, it will use the first Subject Alternate Name value in the cert). One of these profiles should be declared as the default SNI profile (this profile will be used for any clients that connect that do not support SNI).


    In the virtual server configuration, when you add multiple client SSL profiles, it triggers use of SNI, and on each request, the ClientHello packet will be examined for an SNI hostname - and if one is provided by the client, the client SSL profile with a matching hostname will be selected, and the certificate from that SSL profile will be provided to the client. If no SNI hostname is provided by the client, the client SSL profile marked as "default SNI" will be used, and the cert associated with that profile will be sent to the client.


    That's a very general description of how it works. If you need more detailed steps on setting it up, please identify what LTM firmware version you are using and, if possible, what parts are not clear to you.
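The selection logic the reply above describes, as an added example that is not part of the original thread or of F5's code: a minimal TLS ClientHello is constructed with or without an SNI extension, the server_name is extracted, and a profile is chosen by hostname, falling back to the default SNI profile when the client sends no SNI. The profile names and the rule that an unrecognised hostname also falls back to the default are assumptions of this example.

```python
import struct

# Constructed stand-in for the client SSL profiles: hostname -> profile name (assumed names).
PROFILES = {
    "csws01.xxx.com": "csws01_clientssl",
    "meet.xxx.com": "meet_clientssl",
    "lyncdiscover.xxx.com": "lyncdiscover_clientssl",
    "dialin.xxx.com": "dialin_clientssl",
}
DEFAULT_SNI_PROFILE = "csws01_clientssl"   # the profile marked "default SNI" (assumed choice)


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record, optionally carrying an SNI extension."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"          # client_version, random, empty session_id
    body += b"\x00\x02\x00\x2f"                          # one cipher suite (TLS_RSA_WITH_AES_128_CBC_SHA)
    body += b"\x01\x00"                                  # compression_methods: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name(0)
        sni_data = struct.pack("!H", len(sni_list)) + sni_list
        exts += b"\x00\x00" + struct.pack("!H", len(sni_data)) + sni_data   # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body        # HandshakeType client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def extract_sni(record):
    """Return the lower-cased server_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                  # skip record/handshake headers, version, random
        pos += 1 + record[pos]                            # session_id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]                            # compression_methods
        end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0 and elen >= 5 and record[pos + 2] == 0:   # server_name, host_name entry
                nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + nlen].decode("ascii").lower()
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def select_profile(record):
    """Pick the client SSL profile as the reply describes: SNI match first, otherwise the default SNI profile."""
    return PROFILES.get(extract_sni(record) or "", DEFAULT_SNI_PROFILE)
```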


  • Thanks for the detailed description. The version which I am using is 11.4.1. I did understand that you are saying we can associate multiple profiles to a VIP, but I didn't quite understand the steps below:


    You can either configure in explicitly the server hostname that will trigger use of that profile, or allow it to infer that hostname from the certificate you select (in 11.5.0 and earlier, it will use the Common Name field from the certificate you select, in later versions, it will use the first Subject Alternate Name value in the cert). One of these profiles should be declared as the default SNI profile (this profile will be used for any clients that connect that do not support SNI).


    Below are the URLs which I need to create SSL profiles for. So do I make any one of them the default?


    csws01.xxx.com
    meet.xxx.com
    Lyncdiscover.xxx.com
    Dialin.xxx.com