Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

pcourtois's avatar
pcourtois
Icon for Cirrus rankCirrus
Sep 04, 2025

F5 Big-IP Trust Internal CA Chain certificates for Web Servers

Great day F5 Friends, Currently, we use a wildcard certificate on all of our web servers which requires us to replace it when the certificate is expired. The Big-IP isn't configured to "only" trust ...
server-profile
Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for MVP rankMVP
Sep 04, 2025

You mean you applied 2 server SSL profiles?

Can you use only the new one? If no you need to let VS know which one to use in each request.

pcourtois's avatar
pcourtois
Icon for Cirrus rankCirrus
Sep 05, 2025

Happy Friday.  Thanks for the suggestion.  I have to keep the default serverssl profile on the VS as we have multiple applications running on the same VS.  The new serverssl profile I've created is specifically for our internal web server pools.  

 

How do I tell the VS which profile to use, iRule or in the ssl profile?

  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    Icon for MVP rankMVP
    Sep 05, 2025

    Happy Friday to yoo too pcourtois​ 

    irule is you friend in this case
    check this https://my.f5.com/manage/s/article/K13452

    when HTTP_REQUEST {
    set hostname [getfield [HTTP::host] ":" 1]
}
when SERVER_CONNECTED {
    switch -glob [string tolower $hostname] {
      "sitea.com" {
          SSL::profile serverssl-siteA
      }
      "siteb.com" {
          SSL::profile serverssl-siteB
      }
      default {
        #default serversssl profile to be selected if Host header value cannot be matched with predefined values
        SSL::profile serverssl
      }
    }
}

     

    • pcourtois's avatar
      pcourtois
      Icon for Cirrus rankCirrus
      Sep 05, 2025

      Copy that.  You ROCK!  Thank you.  I'll give this a try and update.