CNAME redirection to GTM certificate SAN requirement

MH
Altocumulus

Hello All,

If we are using a CNAME record to redirect DNS requests to the listener on the GTM / DNS module, does the server certificate have to include both the original FQDN and the FQDN referenced by the CNAME?

I do not believe so, but I have been asked to quadruple check this.

Often Internet sites use CNAME DNS records to redirect traffic to content delivery networks like Akamai, and I doubt the end site will need to include the Akamai FQDN or wildcard domain in the end server certificate. The web browser will still show the original FQDN in the URL bar and not the CNAME FQDN name.

Regards,

Michael

1 ACCEPTED SOLUTION

To be honest, this is not an F5-related question but a general question about how DNS CNAME and SSL cert CN/SAN/SNI work together, but I think you should just check the Internet, as there is enough data for such general questions.


2 REPLIES


LouisK
MVP

CNAME is at the DNS level. If the CNAME FQDN is in the cert, you are fine. Your browser/connection will use the request FQDN and not the CNAME branching.

We don't add the underlying names of our VIPs, just the application FQDN in our SSL certs. We have never had an issue.
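
The name check discussed in this thread, as an added example that is not from any of the posters or from F5: a TLS client takes its SNI value and certificate reference name from the FQDN it was asked to open, while the CNAME only decides where the connection lands. The zone data, host names and the simplified RFC 6125-style matcher (no public-suffix handling) are assumptions constructed for illustration.

```python
"""Added example: which name a TLS client checks when DNS answers with a CNAME."""

def san_matches(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 match: exact, or '*' as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard covers exactly one label
    if p[0] == "*":
        # Reject overly broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def resolve(name: str, cname_records: dict) -> str:
    """Follow CNAMEs to the final name (constructed records, with loop guard)."""
    seen = set()
    while name in cname_records and name not in seen:
        seen.add(name)
        name = cname_records[name]
    return name

def client_accepts(requested: str, cert_sans: list, cname_records: dict) -> dict:
    """Check the cert against the requested name and, for contrast, the CNAME target."""
    target = resolve(requested, cname_records)
    return {
        "connects_to": target,              # DNS only picks the endpoint
        "sni_and_reference_id": requested,  # TLS uses the name the user asked for
        "valid": any(san_matches(s, requested) for s in cert_sans),
        "would_match_target": any(san_matches(s, target) for s in cert_sans),
    }

# Constructed zone data: application name aliased to a GTM wide-IP name.
CNAMES = {"app.example.com": "app.gtm.example.net"}

if __name__ == "__main__":
    for sans in (["app.example.com"], ["app.gtm.example.net"], ["*.example.com"]):
        print(sans, client_accepts("app.example.com", sans, CNAMES))
```
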