Forum Discussion

Jose_H_134227
Sep 24, 2013

One IP, multiple virtual hosts, multiple domains, multiple wildcard certs

I have one server with multiple domains, and all those domains point to the virtual IP in our bigip.

 

The problem is that now I need to configure SSL wildcard certs for these domains. Is that even possible with the F5?

 

It is something like this:

 

qa1.domain1.com qa2.domain1.com qa3.domain1.com should all use *.domain1.com

 

qa1.domain2.com qa2.domain2.com qa3.domain2.com should all use *.domain2.com

 

etc....

 

Is it possible?

 

10 Replies

  • It is absolutely possible, and you have at least three options:

     

    1. Wildcard cert - you'll likely find that this is the most expensive option.

       

    2. SAN or Subject Alt Name cert - like a wildcard but contains a set of names in the subjectAltName section of the X.509 cert. It's generally cheaper than wildcard certs, and you can technically put wildcard subject alt names in a SAN cert. You'll usually find, though, that a public CA won't allow this.

       

    3. SNI or Server Name Indicator - a TLS extension that allows you to have individual server name certs and the BIG-IP will switch the SSL profile based on what the client is asking for. It requires TLS, so not an option for older clients.

       
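The following is an added example, not code from the thread or from F5: a small model of which certificate a TLS front end (such as a BIG-IP client SSL profile) ends up presenting to a client under each of the three designs listed in the reply above. Wildcard matching is implemented per RFC 6125 section 6.4.3: `*` must be the whole leftmost label and stands for exactly one label, so `*.domain1.com` covers `qa1.domain1.com` but not `domain1.com` or `a.qa1.domain1.com`. The profile names, hostnames and the `Cert`/`select_cert` helpers are constructed for the example and are not BIG-IP objects or APIs.

```python
"""Model which certificate a TLS front end presents: one wildcard cert,
one SAN cert with several wildcard names, or SNI-based selection among
per-domain certs. Added example; profile and host names are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """A certificate bound to a (hypothetical) clientssl profile."""
    profile: str
    dns_names: List[str]   # subjectAltName dNSName entries; the CN is ignored


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.example.com" style: the wildcard is the entire leftmost label,
    # no other label contains '*', and at least two labels follow it (no "*.com").
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    # The '*' stands for exactly one label, so label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    return any(name_matches(n, hostname) for n in cert.dns_names)


def select_cert(sni: Optional[str], profiles: List[Cert], default: Cert) -> Cert:
    """What the virtual server presents.

    With SNI: the first profile whose certificate covers the requested server
    name, otherwise the default profile. With no SNI in the ClientHello (older
    clients) or only one profile, it is always the default, and any name
    mismatch shows up as a certificate warning on the client.
    """
    if sni:
        for cert in profiles:
            if cert_covers(cert, sni):
                return cert
    return default


# Constructed scenario matching the thread: two domains, qa1..qa3 in each.
WILD_D1 = Cert("clientssl-domain1", ["*.domain1.com", "domain1.com"])
WILD_D2 = Cert("clientssl-domain2", ["*.domain2.com", "domain2.com"])
SAN_ALL = Cert("clientssl-san-all",
               ["*.domain1.com", "domain1.com", "*.domain2.com", "domain2.com"])
HOSTS = [f"qa{i}.domain{d}.com" for d in (1, 2) for i in (1, 2, 3)]


def mismatches(profiles: List[Cert], default: Cert, use_sni: bool) -> List[str]:
    """Hostnames for which the presented certificate does not cover the name."""
    bad = []
    for host in HOSTS:
        presented = select_cert(host if use_sni else None, profiles, default)
        if not cert_covers(presented, host):
            bad.append(host)
    return bad


if __name__ == "__main__":
    # One wildcard profile cannot cover the second domain.
    print("single wildcard, no SNI:", mismatches([WILD_D1], WILD_D1, False))
    # One SAN cert carrying both wildcards covers everything without SNI.
    print("single SAN, no SNI:    ", mismatches([SAN_ALL], SAN_ALL, False))
    # Two per-domain profiles selected per ClientHello via SNI.
    print("two profiles + SNI:    ", mismatches([WILD_D1, WILD_D2], WILD_D1, True))
    # Same two profiles, but a client that sends no SNI gets the default.
    print("two profiles, no SNI:  ", mismatches([WILD_D1, WILD_D2], WILD_D1, False))
```

The last case is the practical caveat of option 3: a client that does not send SNI always receives the default profile's certificate, so the default should be the SAN or wildcard cert that covers the most names. To check what a real virtual server presents, compare `openssl s_client -connect <vip>:443 -servername qa1.domain2.com` with the same command without `-servername`.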

  • hm... seems like my problem is this: BIG-IP 9.4.8 Build 355.0 Final

     

    Is there a way to do it in that version?

     

  • Assigning multiple SSL profiles (and associated certificates) to a VIP is a function of SNI, which you can't do in 9.4.8. You can:

     

    1. Assign a single wildcard certificate to the client SSL profile that encompasses everything, or

       

    2. Assign a single SAN certificate that contains all of the server names you'll need.

       

    Given that your example uses two different top-level domains, you'll be hard-pressed to use a wildcard certificate. Perhaps a single SAN certificate is a better option. The only other significant alternative is separate VIPs with separate (wildcard) certificates.

     

  • To be more descriptive, I have a virtual IP (virtual server) that goes to the F5 for all those sites I previously mentioned. There I have only one wildcard cert, so now I have to add a number of wildcard certs to that same virtual IP. That is exactly what I haven't been able to do.

     

  • There I have only one wildcard cert, so now I have to add a number of wildcard certs to that same virtual IP. That is exactly what I haven't been able to do.

     

    Understood. And because you're on 9.4.8, your options are limited to either:

     

    1. a single "bigger" wildcard cert that encompasses everything, or

       

    2. a single SAN certificate that encompasses everything, or

       

    3. separate virtual servers with separate wildcard certs, or

       

    4. upgrade to v11 and use SNI

       

    In my opinion, option 2 is probably the best.

     

  • As Kevin wrote, it's not possible to assign multiple certs (via multiple clientssl profiles) to a virtual server on v9. You can alternatively use a single SAN certificate (containing all your wildcard certificates). But only a single clientssl profile can be assigned to a VS under v9.

     

  • I ended up creating a virtual server per wildcard cert, each with a different IP and all of them having the same member, which is the physical server with the sites.

     

    Thanks for all the help!