Need to support thousands of unique SSL certificates on a single VIP

Looking for the best way to host thousands of SSL certificates issued by public providers

Each of these certs will be issued on a unique FQDN with no common DNS zone within the name. Think thousands of unique small businesses wanting hosting of their unique registered domain name. Only two VIPs would front the application - one for http and one for https.

I assume there is a limit on the number of SNI stacked SSL client profiles assigned to a VIP - I could not find any specifics on that limitation. Also, any known performance levels with loaded SNI certs?

Appreciate any and all feedback!

Comments on this Question
Comment made 11-Dec-2017 by PK Bhatia 383
Comment made 13-Dec-2017 by dward 54

Appreciate the reply; however, an answer of "I think it should be...." could not be considered definitive. Also, the referenced link just shows how to add an SNI profile-based scenario and has no reference to any limitations or performance characteristics. When talking thousands of items, performance is a major concern.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

As such, there is no limit as per the RFC. It will depend on the CA.

From an implementation standpoint, many certificate authorities limit the number of SAN domains to as low as 25 entries to as high as 100, as per the following link:

https://social.technet.microsoft.com/wiki/contents/articles/3306.pki-faq-what-is-the-maximum-number-of-names-that-can-be-included-in-the-san-extension.aspx
