Forum Discussion
SAN name is not working
I am trying to use a new cert which has alternate names abc.com and www.abc.com. I am also using SNI with name xyz.com, which is the default SNI for the SSL profile. I can see both the entries (abc.com and www.abc.com), but when I try to use www.abc.com, which should point to the cert with abc.com, it instead uses the xyz.com cert. When I tried entering the server name in the SSL profile as www.abc.com, it gets reversed, so it starts using the abc.com cert for www.abc.com and the xyz cert for abc.com. Any suggestion is greatly appreciated.
2 Replies
- Kevin_Stewart (Employee)
That's not exactly how the LTM SNI functionality should work. With SNI enabled, LTM will select the client SSL profile with the SNI server name that matches the client's request. You could then create several client SSL profiles, embed each with a unique single-subject cert/key, and then apply all of these client SSL profiles to the LTM VIP.
Given that you have a SAN cert, you shouldn't need to do SNI. Remove the SNI settings from the client SSL profile.
- Kevin_Stewart (Employee)
The default, if nothing matches, in a SAN certificate, should be whatever the subject name is (versus the subject alt names).
Let's say you have a SAN cert with a subject of xyz.com and two subjectAltNames of abc.com and www.abc.com.
You've applied this single SAN cert to a single client SSL profile and applied that to your VIP.
A user reaches your site with **xyz.com** and everything is good. A user reaches your site with **abc.com** and everything is good. A user reaches your site with **www.abc.com** and everything is good. A user reaches your site with **foo.example.com** and the match fails. This is to be expected. In an SNI configuration, the "default" option indicates that a given client SSL profile should be chosen if none of the server name strings match the client's request. If that default client SSL profile and corresponding certificate still doesn't match the client's request, then you'll have a mismatch condition.
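To make the selection logic in the two replies concrete, here is an added example (not F5 code and not part of the original thread) that models the behaviour described: the client SSL profile whose configured server name equals the client's SNI wins; if none matches, the profile flagged as the SNI default is used; the browser then checks the presented hostname against the certificate's subject and subjectAltNames. Profile and certificate names (`xyz_clientssl`, `abc_clientssl`, `san_clientssl`) are constructed for illustration. The first scenario reproduces the symptom in the question (SAN cert bound to a profile whose server name is only `abc.com`), the second shows the single-profile SAN setup from the second reply, and a wildcard check is included as a generalisation beyond the thread.

```python
"""Model of SNI-based client SSL profile selection and hostname matching.

Added example, not F5 LTM code. Profile and certificate names are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject_cn: str
    sans: list = field(default_factory=list)

    def names(self):
        # Subject CN plus every subjectAltName; all are candidates for a match.
        return [self.subject_cn] + list(self.sans)

    def matches(self, hostname):
        host = hostname.lower().rstrip(".")
        return any(_name_matches(n.lower(), host) for n in self.names())


def _name_matches(pattern, host):
    # Exact match, or a single-label wildcard in the leftmost position only
    # ("*.abc.com" covers "www.abc.com" but not "abc.com" or "a.b.abc.com").
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".abc.com"
        if host.endswith(suffix):
            left = host[: -len(suffix)]
            return left != "" and "." not in left
    return False


@dataclass
class ClientSSLProfile:
    name: str
    cert: Cert
    server_name: str = ""      # SNI server name configured on the profile
    default_sni: bool = False  # "default SSL profile for SNI" flag


def select_profile(profiles, sni):
    """Profile whose server_name equals the client's SNI, else the SNI default."""
    sni = (sni or "").lower()
    if sni:
        for p in profiles:
            if p.server_name and p.server_name.lower() == sni:
                return p
    for p in profiles:
        if p.default_sni:
            return p
    return profiles[0]  # no default flagged: first profile on the VIP


def handshake(profiles, sni):
    """Return (profile used, whether the served cert covers the requested host)."""
    p = select_profile(profiles, sni)
    return p.name, (p.cert.matches(sni) if sni else None)


def poster_scenario():
    """Question's setup: SAN cert on a profile with server name abc.com; xyz.com is default."""
    san_cert = Cert("abc.com", ["abc.com", "www.abc.com"])
    xyz_cert = Cert("xyz.com")
    profiles = [
        ClientSSLProfile("xyz_clientssl", xyz_cert, server_name="xyz.com", default_sni=True),
        ClientSSLProfile("abc_clientssl", san_cert, server_name="abc.com"),
    ]
    return {h: handshake(profiles, h) for h in ("xyz.com", "abc.com", "www.abc.com")}


def single_san_profile_scenario():
    """Second reply's setup: one SAN cert (subject xyz.com) on one profile, no SNI."""
    cert = Cert("xyz.com", ["abc.com", "www.abc.com"])
    profiles = [ClientSSLProfile("san_clientssl", cert)]
    hosts = ("xyz.com", "abc.com", "www.abc.com", "foo.example.com")
    return {h: handshake(profiles, h) for h in hosts}


if __name__ == "__main__":
    for label, result in (("poster", poster_scenario()),
                          ("single SAN profile", single_san_profile_scenario())):
        print(label)
        for host, (profile, ok) in result.items():
            print(f"  {host:18} -> {profile:15} cert matches: {ok}")
```

In the first scenario `www.abc.com` matches no configured server name, so the SNI default (`xyz_clientssl`) is served and the hostname check fails, which is exactly the mismatch the question reports; adding a second profile for `www.abc.com`, or dropping SNI and using the SAN cert on a single profile, resolves it. To confirm what a real LTM virtual server presents for a given SNI, `openssl s_client -connect <vip>:443 -servername www.abc.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName` prints the subject and SANs of the leaf certificate actually served.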