Forum Discussion
Multiple certificates to a single Virtual Server?
For applying multiple certificates to a single VIP, you have a few choices:
- A single SAN certificate - a cert with multiple server name values in the subject alt name field.
- An SNI (server name indicator) config - if your clients all support TLS, the client will send the intended server name in its CLIENTHELLO message during the SSL handshake. You can create multiple client SSL profiles, assign a separate server name string to each, and then assign all of these profiles to the same VIP. The SNI capability will allow the VIP to choose which client SSL profile to use based on the client's request.
Can we apply a single SAN certificate to multiple VIPs?
I haven't tested this, but I don't see why not. The client will resolve a server name to an IP and then contact a VIP. If that VIP presents a certificate that the client can trust, then all is good. I don't imagine that a single server name inside that SAN cert would be used across multiple VIPs, but the individual server names could be used anywhere.