Forum Discussion

Pamela_Pelletie
Apr 19, 2006

SSL certificate

Hi, I have 2 SSL certificates. Each of them has a different name but they are used for the same IP address. I've created a pool which includes 2 nodes with 2 different IP addresses. For the virtual server, I need help: there are CNAMEs associated with the same IP address. I wanna be able to choose which certificate to load when one of the CNAMEs is chosen. Is it possible? An iRule?

2 Replies

  • Deb_Allen_18
    Historic F5 Account
    I don't think that would be possible even with an iRule, since the Host: header is encrypted until after the handshake, and the hostname must be known to choose the proper certificate for the handshake.

    /deb
  • Look into TLS SNI

    Not all Web Browsers support TLS SNI. Enforcing TLS SNI today will cut off the automatic web-site trust for about 0.3% of end-users that have legacy Web Browsers. These clients will receive an untrusted site warning, and must confirm a security exception to proceed to visit the site.

    Do not blindly take this number as a fact; this is what I've personally observed in my customer environment. If you are in the Health Care business where the majority of customers are elderly people with outdated Windows XP desktops, you may want to avoid implementing this technology :)