SNI for serverssl profile
Hi,
In relation to authentication of backend servers by BIG-IP (via the serverssl Server Authentication config): I wonder if the setup below is OK and can be used instead of using a wildcard certificate on the backend server.
Scenario:
- VS accepting requests for https.test.com and https1.test.com
- Two serverssl profiles:
  - lamp4-110.test.com_srv - attached to VS with settings:
    - Server Name: lamp4-110.test.com
    - Server Certificate: required
    - Authenticate Name: lamp4-110.test.com
    - Trusted Certificate Authorities: lamp_chain
  - lamp4-110-2.test.com_srv - not attached to VS, with settings as previous except:
    - Server Name: lamp4-110-2.test.com
    - Authenticate Name: lamp4-110-2.test.com
- lamp4-110.test.com_srv - attached to VS with settings:
  - iRule as below
```tcl
when HTTP_REQUEST {
    # Strip any :port from the Host header, then take the first DNS label:
    # "https.test.com" -> "https", "https1.test.com" -> "https1".
    if { [getfield [getfield [HTTP::host] ":" 1] "." 1] eq "https" } {
        set sni_value "lamp4-110.test.com"
    } else {
        set sni_value "lamp4-110-2.test.com"
    }
    # Rewrite Host so the backend sees the FQDN its certificate was issued for.
    HTTP::header replace Host $sni_value
}
when SERVER_CONNECTED {
    # Fires once per server-side connection, before the server-side TLS handshake,
    # so the chosen serverssl profile (and its Server Name / Authenticate Name)
    # applies to that handshake. Guard against the variable not being set yet.
    if { [info exists sni_value] } {
        SSL::profile ${sni_value}_srv
    }
}
```
In the SSL::profile description there is a note:
Warning: If you choose an SSL profile with a different key/cert/chain/ca-file from the SSL profile configured under the VS, the cert/key/ca-file must be reloaded, which is very time consuming (about half a second), degrading the SSL TPS performance drastically.
I assume that it is not related to the above setup, as it's a serverssl profile and Trusted Certificate Authorities uses exactly the same chain file.
Any better ways to achieve backend server authentication using FQDN-based certs (instead of wildcard)?
Piotr
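As an added pre-rollout check (example code, not from the post above or from F5): the same Host-to-SNI selection the iRule performs, plus a Python TLS probe that sends the chosen SNI to a backend, validates the chain against the lamp_chain bundle and matches the hostname, which is what Server Name, Authenticate Name and Trusted Certificate Authorities enforce on the serverssl profile. The backend IP and the CA bundle path are assumptions passed on the command line.

```python
import socket
import ssl
import sys

# Backend SNI names taken from the post; the Host-to-SNI rule mirrors the iRule.
PRIMARY_SNI = "lamp4-110.test.com"
FALLBACK_SNI = "lamp4-110-2.test.com"


def backend_sni_for_host(host_header):
    """Same selection as the iRule: drop any :port, take the first DNS label,
    and map "https" to the primary backend, everything else to the fallback."""
    hostname = host_header.split(":", 1)[0]
    first_label = hostname.split(".", 1)[0]
    return PRIMARY_SNI if first_label == "https" else FALLBACK_SNI


def serverssl_profile_for(sni_value):
    """Profile name the iRule builds: ${sni_value}_srv."""
    return sni_value + "_srv"


def check_backend_cert(backend_ip, sni_value, ca_file, port=443, timeout=5.0):
    """Connect to the backend sending sni_value as SNI, verify the chain against
    ca_file (assumed to be the lamp_chain bundle exported as PEM) and the
    hostname against sni_value. Raises ssl.SSLCertVerificationError when the
    backend certificate does not validate or lacks a matching SAN, which is the
    failure the serverssl profile would also produce on the data path."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((backend_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_value) as tls:
            cert = tls.getpeercert()
            return {
                "sni": sni_value,
                "subject": cert.get("subject"),
                "san": cert.get("subjectAltName"),
                "tls_version": tls.version(),
            }


if __name__ == "__main__":
    # Assumed usage: python check_backend.py <backend_ip> <lamp_chain.pem> <Host header>
    ip, ca, host = sys.argv[1:4]
    sni = backend_sni_for_host(host)
    print("serverssl profile:", serverssl_profile_for(sni))
    print(check_backend_cert(ip, sni, ca))
```

Run it once per front-end hostname; a verification error for one of them means that backend's FQDN certificate or chain needs fixing before relying on the profile switch.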