Forum Discussion

PK_Bhatia
Jun 30, 2014

SAN name is not working

I am trying to use a new cert which has alternate names abc.com and www.abc.com. I am also using SNI with name xyz.com, which is the default SNI for the SSL profile. I can see both the entries (abc.com and www.abc.com), but when I try to use www.abc.com, which should point to the cert with abc.com, it instead uses the xyz.com cert. When I tried entering the server name in the SSL profile as www.abc.com, it gets reversed, so it starts using the abc.com cert for www.abc.com and the xyz cert for abc.com. Any suggestion is greatly appreciated.

2 Replies

  • That's not exactly how the LTM SNI functionality should work. With SNI enabled, LTM will select the client SSL profile with the SNI server name that matches the client's request. You could then create several client SSL profiles, embed each with a unique single-subject cert/key, and then apply all of these client SSL profiles to the LTM VIP.


    Given that you have a SAN cert, you shouldn't need to do SNI. Remove the SNI settings from the client SSL profile.


  • The default, if nothing matches, in a SAN certificate, should be whatever the subject name is (versus the subject alt names).

    Let's say you have a SAN cert with a subject of xyz.com and two subjectAltNames of abc.com and www.abc.com.

    You've applied this single SAN cert to a single client SSL profile and applied that to your VIP.

    A user reaches your site with **xyz.com** and everything is good.
    A user reaches your site with **abc.com** and everything is good.
    A user reaches your site with **www.abc.com** and everything is good.

    A user reaches your site with **foo.example.com** and the match fails.


    This is to be expected. In an SNI configuration, the "default" option indicates that a given client SSL profile should be chosen if none of the server name strings match the client's request. If that default client SSL profile and corresponding certificate still doesn't match the client's request, then you'll have a mismatch condition.