John_Klemm_4418
Oct 22, 2006

Irule

Is there an iRule that will pull up different SSL certs? For instance, if I do not have a wildcard cert can I create a rule and apply it to my VIP so that if traffic is coming in destined for a certain URL then the iRule will bring up the correct cert?

I am a newbie and I appreciate everyone's help. I do not want to bug you guys too much.

3 Replies

  • In order to select which cert to present you would need to have access to the HTTP host header in the client request. In order to inspect the HTTP content in a request, you'd need to have already presented the SSL certificate.

    In short, you either need to have a separate IP:port available for each unique SSL FQDN or you need a wildcard cert that matches the domain or subdomains of all FQDNs you want the VIP to answer for.

    So if you have a few sites with the following FQDNs:

    a.b.c.mydomain.com

    x.y.z.mydomain.com

    You would need a wildcard cert for *.mydomain.com. If a part of the subdomains matched, you could get a more specific wildcard cert. For example, *.c.mydomain.com would work for these two FQDNs:

    a.b.c.mydomain.com

    x.y.c.mydomain.com

    Hope this helps,

    Aaron
  • I figured this was the answer. The problem is upper management; their understanding is less than mine on these Big-IP machines. I appreciate everyone who has given me guidance here over the past few days and hopefully I have worn my welcome out.
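
An added example, not part of the original thread: a hostname check that shows which of the FQDNs mentioned above a given wildcard certificate name covers. It assumes the RFC 6125 matching rule that browsers apply, in which `*` replaces exactly one leftmost label; the function names are illustrative.

```python
# Added example (not from the thread). Assumption: RFC 6125 matching, where
# "*" is valid only as the whole leftmost label and matches exactly one label.

def wildcard_covers(pattern: str, fqdn: str) -> bool:
    """Return True if the certificate name `pattern` covers `fqdn`."""
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    # One label per label: a name with more or fewer labels never matches.
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # No wildcard (or a misplaced one): only an exact match counts.
    return "*" not in pattern and p == h


def wildcard_for(fqdn: str) -> str:
    """The wildcard name that covers `fqdn` (leftmost label replaced)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(["*"] + labels[1:])


def plan_certificates(fqdns):
    """Group hostnames by the one wildcard name that covers them.

    Each key is a distinct certificate name. More than one key means a
    single wildcard cert cannot serve every hostname on the VIP.
    """
    plan = {}
    for name in fqdns:
        plan.setdefault(wildcard_for(name), []).append(name)
    return plan


# Hostnames taken from the thread.
SITES = ["a.b.c.mydomain.com", "x.y.z.mydomain.com", "x.y.c.mydomain.com"]

if __name__ == "__main__":
    for pattern in ("*.mydomain.com", "*.c.mydomain.com", "*.b.c.mydomain.com"):
        for site in SITES:
            print(f"{pattern:20} {site:20} {wildcard_covers(pattern, site)}")
    for cert_name, hosts in plan_certificates(SITES).items():
        print(cert_name, "->", hosts)
```

Under this rule each hostname with a different parent domain needs its own certificate name, which in the setup described above means its own IP:port.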