The problem, unfortunately, happens before layer 7 (HTTP). The x509 subject of the certificate that the server is presenting to the client (www.xyz.org) does not match what the client is asking for (www.xyz.com), so the browser complains. There are a few options:
- Subject Alt Name (SAN) certificate - where you take a single certificate and add multiple subjectAltNames to it (one for each server name). You can purchase these from any CA vendor.
- Server Name Indicator (SNI) - this is a TLS extension that allows you to add multiple client SSL profiles to the (v11) VIP. You'll need two cert/key pairs (www.xyz.com and www.xyz.org), one for each client SSL profile. The extension allows the BIG-IP to switch the client SSL profiles during the SSL negotiation based on the server name value that the client sends in the CLIENTHELLO message. This requires TLS, so older clients (WinXP and below) can't use this.
- Host two VIPs, each with their own client SSL profiles and server certificates. Add a simple redirect iRule to the .com VIP so that all traffic is re-routed to the .org VIP.
You won't be able to get away from requiring a new SAN certificate or two individual certificates.