Forum Discussion

bicho6_66188
Dec 16, 2010

Multiple SSL Certs, One IP address

I'm currently not an F5 customer, but I'm trying to figure out whether F5's SSL offloading solution will solve a problem of mine.

My company is a SaaS company that sells a Web Application/Serve to other companies, which they in turn offer up to the public on their website. So here is what I hope to be a clear example. My product is accessible via https://tech.example.com; my customer takes that URL and puts it on their website, http://www.acme.com. When a potential client is browsing http://www.acme.com and is interested in purchasing a product, the user clicks on a link and gets redirected to https://buynow.example.com. To the user browsing the site the redirection may not even be noticed, because the look and feel of the site is the same; however, if they look in the URL bar they can clearly see that they are no longer at http://www.acme.com. My customers don't really like that and want the redirection to my services to look like it's coming from https://buynow.acme.com.

I have been able to provide this option; however, these types of customers require me to use up an IP address due to the limitation of only having one SSL certificate per IP address. So my thought was that I could get an SSL offloading appliance to tie the multiple SSL certs to one public IP address, and then on the backend the SSL appliance would send the traffic to the appropriate website. There are a few other posts here regarding this same issue, and many have referenced the "server name extension for TLS to allow support for multiple certs on a single IP address and port". I'm not sure if F5 supports this yet, but is it even worth me talking to a sales engineer or someone at F5 about possible options?


  • Currently on BIG-IP you can support more than one hostname on an HTTPS virtual server in two ways:

    1) Obtain a cert with one or more Subject Alternative Names. This is supported in all current and most recent browsers and allows a single cert to be used for several disparate hostnames.

    2) Use a wildcard certificate, such as *.example.com, which would serve for any hostname within example.com (i.e. foo.example.com and bar.example.com; but IE does NOT support two levels such as foo.bar.example.com, so it is best to avoid that).

    We do not currently support the Server Name Indication extension for TLS.

    That being said, it still does not fully solve the issue: for www.acme.com to provide a seamless transition to your site, they would have to give YOU their private key, which is in general a bad idea.

    You can mask this problem in a couple of ways:

    1) Have them incorporate your site within an invisible frame. That way the URL bar in the browser stays the same.

    2) Use a wildcard certificate and brand the hostname (acme.example.com).

    I would definitely reach out to your local SE and discuss this.


  • TLS SNI is not natively supported, but can be configured with an iRule (of course!). The issue right now is that not all clients out in the wild support it, so while it would work for some, it's not a complete solution.
  • Thank you for the response. Unfortunately we already use the wildcard solution, but unfortunately it doesn't provide the same functionality I'm looking for, since you would still see the example.com domain.

    I'm going to talk to my web developers regarding the iframe.