Forum Discussion
Multiple SSL Certs, One IP address
My company is a SaaS company that sells a Web Application/Server to other companies, which they in turn offer up to the public on their website. So here is what I hope to be a clear example. My product is accessible via https://tech.example.com; my customer takes that URL and puts it on their website, http://www.acme.com. When a potential client is browsing http://www.acme.com and they are interested in purchasing a product, the user would click on a link and get redirected to https://buynow.example.com. To the user browsing the site the redirection may not even be noticed because the look and feel of the site is the same; however, if they look in the URL they can clearly see that they are no longer at http://www.acme.com. My customers don't really like that and want the redirection to my services to look like it's coming from https://buynow.acme.com. I have been able to provide this option; however, these types of customers require me to use up an IP address due to the limitation of only having one SSL certificate per IP address. So my thought was I could get an SSL offloading application to tie the multiple SSL certs to one public IP address, then on the backend the SSL appliance will send it to the appropriate website. There are a few other posts here regarding this same issue and many have referenced "server name extension for TLS to allow support for multiple certs on a single IP address and port". I'm not sure if F5 supports this yet, but is it even worth me talking to a sales engineer or someone at F5 for possible options?
4 Replies
- David_Remington
Employee
Currently on BIG-IP you can support more than one hostname on an HTTPS virtual server in two ways:
1) Obtain a cert with one or more Subject Alternate Names. This is supported in all current and most recent browsers and allows a single cert to be used for several disparate hostnames.
2) Use a wildcard certificate, such as *.example.com, which would serve for any hostname within example.com (i.e., foo.example.com and bar.example.com, but IE does NOT support two levels such as foo.bar.example.com, so it is best to avoid that).
We do not currently support the Server Name Indication extension for TLS.
That being said, it still doesn't fully solve the issue, as for www.acme.com to provide a seamless transition to your site they would have to give YOU their private key, which is in general a bad idea.
You can mask this problem in a couple of ways:
1) Have them incorporate your site within an invisible frame. That way the URL bar in the browser stays the same.
2) Use a wildcard certificate and brand the hostname (acme.example.com).
I would definitely reach out to your local SE and discuss this.
- JRahm
Admin
TLS SNI is not natively supported, but can be configured with an iRule (of course!) The issue right now is not all clients out in the wild support it, so while it would work for some, it's not a complete solution.
- bicho6_66188
Nimbostratus
Thank you for the response. Unfortunately we already use the wildcard solution, but unfortunately it doesn't provide the same functionality I'm looking for since you would still see the example.com domain.
- Joel_Moses
Nimbostratus
Here's an iRule to implement TLS SNI -- make sure you read the notes closely as it's not supported on all browsers.