Forum Discussion
Problem applying 2 EC certs to a VS - NET::ERR_CERT_COMMON_NAME_INVALID
- Apr 06, 2022
About the common name field, it was a suggestion. According to the link below, in version 14.1.4 it isn't necessary. F5 matches SNI with the SAN list.
Unfortunately, I don't have any more ideas on how to solve it. Looks like a bug and a reason to open a support case.
https://support.f5.com/csp/article/K13452
"For Server Name, enter the name of the HTTPS site.
Note: Beginning in BIG-IP 11.6.0, if you leave Server Name blank, the BIG-IP system reads the Subject Alternative Name (SAN) from the certificate. For versions prior to BIG-IP 11.6.0, if you leave Server Name blank, the BIG-IP system reads the Common Name (CN) from the certificate. Additionally, the Server Name setting supports wildcard strings containing the asterisk (*) character. For example, *.domain.com matches a.domain.com or a.bc.domain.com, but it does not match domain.com)."
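Added example (not part of the original posts and not F5 code): a simplified Python model of the name matching quoted above, next to the single-label wildcard check that browsers apply to the certificate they receive. It assumes the quoted Server Name wildcard rule applies to every name in a profile's list and that an unmatched SNI falls back to the profile marked sni-default; the profile names and SAN lists are constructed sample data.

```python
# Added example: simplified model of name matching, not BIG-IP code.
# Profile names and SAN lists are constructed sample data.

def bigip_name_match(pattern, sni):
    """Server Name rule quoted from K13452: '*' may span several labels."""
    pattern, sni = pattern.lower(), sni.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".domain.com"
        return sni.endswith(suffix) and len(sni) > len(suffix)
    return pattern == sni

def browser_name_match(pattern, host):
    """Client-side check (RFC 6125): '*' covers exactly one left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def select_profile(profiles, sni):
    """Assumed model: first profile with a matching name, else sni-default."""
    if sni:
        for prof in profiles:
            if any(bigip_name_match(n, sni) for n in prof["sans"]):
                return prof
    return next(p for p in profiles if p.get("sni_default"))

def browser_accepts(profiles, host):
    """Return (profile chosen for this SNI, whether its cert covers the host)."""
    prof = select_profile(profiles, host)
    return prof["name"], any(browser_name_match(n, host) for n in prof["sans"])

PROFILES = [  # constructed sample data
    {"name": "profile-main", "sni_default": True,
     "sans": ["services.example", "*.services.example"]},
    {"name": "profile-extra-sans",
     "sans": ["learn.example", "www.learn.example"]},
]

if __name__ == "__main__":
    for host in ("www.learn.example", "api.services.example",
                 "a.b.services.example", "other.example"):
        print(host, browser_accepts(PROFILES, host))
```

A host that lands on the default profile without being listed in that certificate's SANs is the case a browser reports as NET::ERR_CERT_COMMON_NAME_INVALID.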
Sajjadm, hello.
Can you share SSL Profiles and vs text configuration?
Thanks for responding. Some sensitive info retracted/altered. Here is the gist of it:
ltm virtual srv404s_services_http_443 {
    destination 123.x.y.z:https
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        source_addr {
            default yes
        }
    }
    pool srv404s_services_any_http_80_pool
    profiles {
        http_IT-Compliant { }
        srv404s_services_Board-IT-Compliant {
            context clientside
        }
        srv404s_services_Board-IT-Compliant-ExtraSANs {
            context clientside
        }
        tcp { }
    }
    rules {
        SNAT-201to201
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
    vlans {
        ...
    }
    vlans-enabled
}
ltm profile client-ssl srv404s_services_Board-IT-Compliant {
    app-service none
    cert none
    cert-key-chain {
        ECDSA-services.com_ESDC-Intermediate_0 {
            cert ECDSA-services.com.crt
            chain ESDC-Intermediate
            key ECDSA-services.com.key
        }
    }
    chain none
    cipher-group IT-Compliant
    ciphers none
    defaults-from equite.com
    inherit-ca-certkeychain true
    inherit-certkeychain false
    key none
    passphrase none
    sni-default true
}
ltm profile client-ssl srv404s_services_Board-IT-Compliant-ExtraSANs {
    app-service none
    cert-key-chain {
        ECDSA-services.com_Extra_SANs_canlearn_ECDSA-Intermediate_0 {
            cert ECDSA-services.com_Extra_SANs_canlearn
            chain ECDSA-Intermediate.crt
            key ECDSA-services.com_Extra_SANs_canlearn
        }
    }
    cipher-group IT-Compliant
    ciphers none
    defaults-from clientssl
    inherit-ca-certkeychain true
    inherit-certkeychain false
}
Thanks,
SajjadM