SSL certificate

Question

Hi, I have 2 SSL cetificates. Each of them have a different name but they are used for the same IP address. I've create a pool which include 2 nodes with 2 different IP addresses. For the virtual server, I need help : there's CNAMEs associated with the same IP address. I wanna be able to choose which certificate to load when one of the CNAME is choosen. Is it possible? An iRule?

deb_allen_18 · Answer

I don't think that would be possible even with an iRule, since the Host: header is encrypted until after the handshake, and the  hostname must be known to choose the proper certificate for the  handshake.&nbsp;
&nbsp;/deb

hannes_rapp · Answer

Look into TLS SNI&nbsp;
Background: https://devcentral.f5.com/articles/ssl-profiles-part-7-server-name-indicationConfiguration: https://support.f5.com/kb/en-us/solutions/public/13000/400/sol13452.html
Not all Web Browsers support TLS SNI. Enforcing TLS SNI today will cut off the automatic web-site trust for about 0.3% of end-users that have legacy Web Browsers. These clients will receive an untrusted site warning, and must confirm a security exception to proceed to visit the site.&nbsp;
Do not blindly take this number as a fact, this is what I've personally observed in my customer environment. If you are in Health Care business where the majority of customers are elderly people with outdated Windows XP desktops, you may want to avoid implementing this technology :)&nbsp;

Forum Discussion

SSL certificate

Recent Discussions

AS3 Limitations

Diameter iRules attachment?

Help needed with iRule (connection closed log )

Use of SSL Decryption.

VLAN Failsafe Functionality

Related Content

Updating SSL Certificates on BIG-IP using REST API

Implementing SSL Orchestrator - Certificate Considerations

SSL Certificate Report

Thumbprint of the client ssl certificate

Help F5 Transform the BIG-IP Administrator Certification

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS