Forum Discussion
LearniRule_1074
Nimbostratus
Aug 18, 2011
Use iRule to "attach" certificate
I am using a single VIP/VS to redirect all incoming traffic to different destinations/servers. Can I use iRule to send the traffic AND pick the appropriate certificate/ssl profile to be used for that ...
hoolio
Cirrostratus
Aug 18, 2011
I'd like to understand this (and I hope I do not confuse this discussion - if I do, just let me know and I will get off this discussion) -- why is it necessary to INJECT the Cert? When I create a VS and import the Cert/Key and then create an SSL profile and associate that profile with the VS, the Cert/Key will be used, no?
My situation is like this: I need to use only 1 vs/vip for all Incoming requests and then use an iRule to send the traffic to different servers AND pick the correct cert/SSL profile (already defined in LTM - see above). Is this possible?
so client -> ssl [F5] --> ssl direct to a.b.com, then use a.b.com cert/ssl profile
client -> ssl [F5] --> ssl direct to x.y.com AND use x.y.com cert/ssl profile
Will clients make requests to both a.b.com and x.y.com? If so, do you have a single cert which is valid for both (using subject alternate names)? If you do, then this is possible.
If you don't have a single cert and clients are making requests to the HTTPS VS with more than one hostname, you'd get cert mismatch errors. The simplest solution from an LTM perspective for this latter scenario is to use DNS to point the two different hostnames to two separate IP addresses. You can then create one VS per cert and hostname.
Once TLS server name indication is more widely adopted, you could use that to present the correct certificate to the client. We have a proof of concept iRule from DC MVP Joel Moses which supports TLS SNI: http://devcentral.f5.com/wiki/iRules.TLS-ServerNameIndication.ashx However, this requires clients to support TLS SNI also. As far as I'm aware, no browser on Windows XP supports this, so it's a no-go for most LTM admins.
Aaron
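To make the SNI approach Aaron describes concrete, here is an added example (not part of this thread, and not Joel Moses's iRule) that does in Python what an SNI-selecting iRule has to do: read the TLS ClientHello, pull the server_name extension out of it, and map the hostname to the client-SSL profile that carries the matching certificate. The profile names (clientssl_a_b_com etc.) and the hostnames a.b.com / x.y.com are assumptions taken from the question; the ClientHello bytes are constructed in the block as a test fixture, not captured traffic. A client without SNI (the Windows XP case from the answer) produces no server_name extension, which the code treats as "fall back to the default profile", exactly the situation where a single-VS setup would otherwise hand the wrong certificate to the client.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type for handshake messages
CLIENT_HELLO = 0x01    # handshake message type ClientHello
EXT_SERVER_NAME = 0x0000  # extension type for server_name (SNI)

# Assumed mapping of SNI hostname -> client-SSL profile holding that cert (constructed).
CERT_PROFILES = {
    "a.b.com": "clientssl_a_b_com",
    "x.y.com": "clientssl_x_y_com",
}
DEFAULT_PROFILE = "clientssl_default"  # assumed profile for clients that send no SNI


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello record (test fixture, not real traffic)."""
    body = b"\x03\x01" + b"\x00" * 32      # client_version + 32-byte random (zeros for the fixture)
    body += b"\x00"                        # session_id length 0
    body += b"\x00\x02\x00\x2f"            # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                    # one compression method: null
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list length prefix
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def extract_sni(record):
    """Return the host_name from a ClientHello's SNI extension, or None if absent/malformed."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                        # truncated record: refuse to guess
    pos = 2 + 32                           # skip client_version and random
    if pos >= len(body):
        return None
    sid_len = body[pos]
    pos += 1 + sid_len                     # skip session_id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                      # skip cipher_suites
    if pos + 1 > len(body):
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                      # skip compression_methods
    if pos + 2 > len(body):
        return None                        # no extensions block at all (legacy client, no SNI)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:                  # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME and len(data) >= 5:
            list_len = struct.unpack("!H", data[0:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len and lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii", "replace").lower()
                lpos += 3 + nlen
    return None


def select_profile(record, profiles=CERT_PROFILES, default=DEFAULT_PROFILE):
    """Pick the client-SSL profile for this ClientHello; unknown or missing SNI -> default."""
    name = extract_sni(record)
    if name is None:
        return default
    return profiles.get(name, default)


if __name__ == "__main__":
    for host in ("a.b.com", "x.y.com", "other.example", None):
        print(host, "->", select_profile(build_client_hello(host)))
```

The parser deliberately bails out with None on any short or inconsistent length field rather than reading past the buffer, which is what you want from anything that inspects the first packet of an untrusted connection. The fallback to a default profile is the operational point of the answer: with one VS and one IP, every client that cannot send SNI will be served whatever that default certificate is, so the default should be the cert whose hostname the largest share of non-SNI clients actually use, or the SAN cert if one exists.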