Forum Discussion
Tony_Augustine_
Nimbostratus
Dec 15, 2008
How to configure BIG-IP to accept client certs from multiple CAs to the same VS
I have a Client SSL Profile set up for terminating 2 Way SSL at BIG-IP. However it is currently set up to only accept client certificates issued by a particular CA. Can I and if so how to configure th...
Kevin_Stewart
Employee
Nov 16, 2012
You can't specify multiple server certificates this way. So just that we're clear, this thread is about accepting client certificates from multiple CAs. That's accomplished by adding all of the CA public certificates to a text file and applying that to the Trusted Certificate Authorities drop down of the client SSL profile. You can optionally use this "bundle" in the Advertised Certificate Authorities drop down, or tailor it so that only specific certificate choices are shown in the client browser.
To allow a virtual server to present multiple server certificates, as I assume you're attempting, you have a few choices:
1. Wildcard or SAN certificates - certificates that allow for multiple FQDNs (usually very expensive)
2. TLS SNI, or "Server Name Indicator" - an extension to the TLS profile that allows the BIG-IP to "switch" between server certificates based on the hostname the browser is asking for. In version 10 this can be accomplished with an iRule:
https://devcentral.f5.com/tutorials/tech-tips/multiple-certs-one-vip-tls-server-name-indication-via-irules
In version 11 it's incorporated into the SSL profile.