Forum Discussion
Irule to redirect 80 to 443 self signed cert issue
Hello,
I have an iRule that is working fine. I am using a self-signed cert for it. When the user types in "testserver.domain.com" the iRule sends them to https://testserver.domain.com. IE warns that there is a problem with the website's security cert; once I install the cert the redirect works with no issue. The problem is when a user enters just "testserver": IE complains each time that "The security certificate presented by this website was issued for a different website's address."
If I click to continue I can hit the desired site. How can I get by the above warning message when only "testserver" is entered?
Thanks
Bill
9 Replies
- Kevin_Stewart
Employee
In short, you either need TWO certificates (testserver and testserver.domain.com), a wildcard certificate (*.domain.com), or a SAN certificate (with the two subject alternative names in the certificate).
v11 supports the TLS Server Name Indication (SNI) extension. Create a separate client SSL profile for each certificate and specify its subject name in the "Server Name" block in the profile. Then apply both client SSL profiles to the VIP. If using a wildcard or SAN certificate, you can use that certificate in a single client SSL profile attached to the VIP.
- Bill_Farrell
Nimbostratus
Hi Kevin,
We are not on v11 yet, so I created the wildcard cert, *.domain.com. I applied it to the VIP but still have the same issue when I enter testserver; the FQDN works fine.
Thanks
Bill
- Kevin_Stewart
Employee
Crud, I should have caught that... Let me rephrase then ;)
Your ONLY option, below v11, is a SAN certificate. The wildcard *.domain.com doesn't work because testserver doesn't match that wildcard name.
- Bill_Farrell
Nimbostratus
I don't see the option for a SAN cert in the GUI. Can you direct me to how it is created?
Thanks
Bill
- Kevin_Stewart
Employee
A SAN cert is simply a server certificate with multiple Subject Alternative Name values:
DNS Name = testserver.domain.com
DNS Name = testserver
How are you creating your certificates?
- Bill_Farrell
Nimbostratus
I use the GUI and under SSL certs use the create option. I am trying to use a self-signed cert for this.
Bill
- Christopher_Boo
Cirrostratus
It's just like creating a normal cert. I personally like to name them something that reminds me it is a SAN cert or it can get real confusing. Also, beware that some apps can't validate against a SAN. If your site is accessed via browser only, you are probably fine.
Chris
- Kevin_Stewart
Employee
Well, you can create SAN certificates in the v11 GUI and TMSH, but since you're not on v11 yet, your best bet is probably OpenSSL or some other CA product.
- nitass
Employee
Just in case you have not yet seen this.
sol11438: Creating SSL SAN certificates and CSRs using OpenSSL
http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438.html
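
An added example (not part of the thread and not taken from the F5 solution article): a shell script that uses the OpenSSL CLI to build a self-signed wildcard certificate and a self-signed SAN certificate for the two names discussed above, then checks each name against each certificate. The helper names `make_cert`, `host_matches` and `demo` are hypothetical; the script assumes an OpenSSL build whose `x509` command supports `-checkhost`.

```shell
#!/bin/sh
# Added example: why *.domain.com fails for "testserver" and a SAN cert does not.
set -eu

# make_cert DIR CN SAN... -> writes DIR/key.pem and DIR/cert.pem (self-signed)
make_cert() {
    dir=$1; cn=$2; shift 2
    i=0
    {
        printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$cn"
        printf '[ext]\nsubjectAltName = @alt\n[alt]\n'
        # One DNS.n entry per Subject Alternative Name passed in
        for name in "$@"; do i=$((i + 1)); printf 'DNS.%d = %s\n' "$i" "$name"; done
    } > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# host_matches CERT NAME -> status 0 if the certificate is valid for NAME
host_matches() {
    case $(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null) in
        *"does match"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build both certificates and report which of the two names each one covers.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/wild" "$tmp/san"
    make_cert "$tmp/wild" '*.domain.com' '*.domain.com'
    make_cert "$tmp/san" testserver.domain.com testserver.domain.com testserver
    for c in wild san; do
        for n in testserver.domain.com testserver; do
            if host_matches "$tmp/$c/cert.pem" "$n"; then
                echo "$c cert: $n matches"
            else
                echo "$c cert: $n does NOT match"
            fi
        done
    done
    rm -rf "$tmp"
}
demo
```

The `cert.pem` and `key.pem` written by `make_cert` for the SAN case are the pair that would then be imported for the client SSL profile; clients still have to trust the self-signed certificate once, as in the original question.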