Forum Discussion

ryan_rockwell_1
Nov 19, 2013

Multiple virtual servers with same IP and port but different certificates

OK, stupid question time. Is there a way to create multiple virtual servers with the same IP and port but with different certificates? I can't think of a way, and we have one site that has 3 different https names. Unfortunately a SAN won't work, and I need to be able to have the URLs be https://www.onedomain.com, https://www.seconddomain.com and https://www.thirddomain.com.


3 Replies

  • Basically, no. There can only be one VIP with a specific IP/port combination (not counting TCP vs. UDP). Your only real options are:


    1. SAN or wildcard certificate in the client SSL profile, or SNI if all clients can support TLS, and


    2. An iRule that switches pools based on the host name in the request.


  • OK, stupid question part two. Can you have multiple SSL profiles (client side) with different certificates, and the virtual server will recognize which cert to use?


  • Yes, with SNI (Server Name Indicator). This is an extension to the TLS protocol where the client includes a server name attribute in its CLIENTHELLO message, the first message in an SSL/TLS handshake. As of v11, the BIG-IP supports SNI where you can add multiple client SSL profiles to the VIP. Basically, create each client SSL profile, assign each a cert and key, and specify the server name value that matches the subject name value of the assigned cert. You can optionally make one of those profiles the "default" if the client doesn't support TLS. The downside of this, as I've alluded, is that the clients must support TLS, which precludes Windows XP/IE6 and earlier.
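The two approaches the replies describe, one SNI-selected client SSL profile per hostname on a single virtual server plus an iRule that picks the pool from the Host header, as an added worked example in BIG-IP tmsh syntax (11.x). This is not configuration posted in the thread or shipped by F5; the virtual server address 10.0.0.10, the pool names and member addresses, the certificate and key file names, and the assumption that those certs and keys are already imported are all illustrative.

```tmsh
# Added example, not from the thread. One HTTPS virtual server on 10.0.0.10:443
# serving three hostnames with three certificates via SNI, plus an iRule that
# selects the pool from the HTTP Host header after decryption. The IP address,
# pool names, member addresses and cert/key file names are assumptions; the
# certificates and keys are assumed to be already imported on the BIG-IP.

# One client SSL profile per hostname. server-name must match the subject/SAN of
# the assigned cert. sni-default true marks the profile that answers a
# ClientHello carrying no SNI extension (old clients) or an unrecognised name.
create ltm profile client-ssl www_onedomain_clientssl defaults-from clientssl cert www.onedomain.com.crt key www.onedomain.com.key server-name www.onedomain.com sni-default true
create ltm profile client-ssl www_seconddomain_clientssl defaults-from clientssl cert www.seconddomain.com.crt key www.seconddomain.com.key server-name www.seconddomain.com
create ltm profile client-ssl www_thirddomain_clientssl defaults-from clientssl cert www.thirddomain.com.crt key www.thirddomain.com.key server-name www.thirddomain.com

# Optional hardening: reject clients that send no SNI rather than handing them
# the default certificate. Only do this once no non-SNI clients remain.
# modify ltm profile client-ssl www_onedomain_clientssl sni-require true

# Back-end pools (members are assumptions).
create ltm pool onedomain_pool members add { 10.1.1.11:80 10.1.1.12:80 } monitor http
create ltm pool seconddomain_pool members add { 10.1.2.11:80 10.1.2.12:80 } monitor http
create ltm pool thirddomain_pool members add { 10.1.3.11:80 10.1.3.12:80 } monitor http

# iRule: route by Host header. The port suffix is stripped and the name lowercased
# so "WWW.SecondDomain.com:443" still matches. Unknown hosts fall to onedomain_pool.
create ltm rule host_pool_select {
    when HTTP_REQUEST {
        set host [string tolower [lindex [split [HTTP::host] ":"] 0]]
        switch $host {
            "www.onedomain.com"    { pool onedomain_pool }
            "www.seconddomain.com" { pool seconddomain_pool }
            "www.thirddomain.com"  { pool thirddomain_pool }
            default                { pool onedomain_pool }
        }
    }
}

# The single virtual server: one IP:port, all three client SSL profiles (the
# BIG-IP picks one by the SNI server_name), the http profile so HTTP::host is
# available to the iRule, and a default pool for requests the rule does not route.
create ltm virtual multi_site_https destination 10.0.0.10:443 ip-protocol tcp profiles add { tcp http www_onedomain_clientssl www_seconddomain_clientssl www_thirddomain_clientssl } rules { host_pool_select } pool onedomain_pool
```

To confirm the selection works, connect once per name with `openssl s_client -connect 10.0.0.10:443 -servername www.seconddomain.com` and check the subject of the returned certificate, then repeat without `-servername`: the default-for-SNI certificate (www.onedomain.com here) should come back, which is exactly what a non-SNI client such as IE6 on Windows XP would receive.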