Forum Discussion
LearniRule_1074
Nimbostratus
Aug 18, 2011
Use iRule to "attach" certificate
I am using a single VIP/VS to redirect all incoming traffic to different destinations/servers. Can I use iRule to send the traffic AND pick the appropriate certificate/ssl profile to be used for that ...
LearniRule_1074
Nimbostratus
Aug 19, 2011
Thanks for all of your help! Basically - this cannot be done. I saw a reply from Kevin but somehow I don't see it here so I will copy this below as it is a very good explanation -
LearniRule,
The problem is best described as the cart before the horse. You need to see the Host header of the incoming HTTP request to get the website name and match it to a certificate's common name (CN) to select the right certificate. However, to actually see this Host header, you have to decrypt the incoming SSL traffic. So by that time you have already negotiated SSL with the client and it's too late. The only way to have multiple hosts on the one VIP is to assign a certificate with additional subject alternate names, expensive as they charge for each additional SAN, or pass through the SSL to the webserver and it will choose the right SSL certificate based on the website you are trying to access.
Kevin (Jarvil)
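
For the multi-SAN certificate option mentioned in the reply above, the following is an added example (not part of the original thread, and not F5 code) that checks whether every host name served behind one VIP is covered by the DNS names on a single certificate. The host names and SAN entries are constructed sample data, and the wildcard handling assumes the common rule that `*` stands for exactly one left-most label.

```python
def _san_matches(pattern: str, host: str) -> bool:
    """Return True if one SAN dNSName entry covers the given host name.

    Assumption: a wildcard is only honoured as the complete left-most label
    and covers exactly one label; partial wildcards such as 'w*.example.com'
    are treated as literal text and therefore never match.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(vip_hosts, san_dns_names):
    """Return the hosts behind the VIP that no SAN entry covers.

    A client requesting any host in the returned list would receive a
    certificate name mismatch if this were the only certificate on the VIP.
    """
    return [
        host for host in vip_hosts
        if not any(_san_matches(san, host) for san in san_dns_names)
    ]


# Constructed sample data: sites consolidated behind one virtual server,
# and the dNSName entries of the single certificate assigned to it.
VIP_HOSTS = [
    "www.example.com",
    "shop.example.com",
    "api.shop.example.com",   # two labels below example.com
    "www.example.net",
]
SAN_ENTRIES = ["www.example.com", "*.example.com", "example.net"]

if __name__ == "__main__":
    for host in uncovered_hosts(VIP_HOSTS, SAN_ENTRIES):
        print("not covered by certificate:", host)
```
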