SSL Certificate weird issue. (Certificate in the browser shows as "Issued by * and Issued to *")
Hello Folks,
I am facing a weird issue with one of the customers. Following is the quick background.
- CSR generated from F5 for SAN Certification (e.g. *.test.com)
- CA provided the Cert.
- Installed the Cert on F5 and mapped with correct key.
- Configured 2 different Client-SSL Profiles for 2 different VSs using the same Certificate / key and Chain. (e.g. ClientSSL-1, ClientSSL-2)
Issue: As per the above scenario, ClientSSL-1 is applied on VIP1, and ClientSSL-2 is applied on VIP2. What happens is, when I try to access VIP2 using the FQDN (e.g. the browser throws a certificate error. When I add an exception in the browser and open the certificate, I see that the browser reads the "Issued to" and "Issued by" fields as "*" (star / wildcard). However, when I tried to access the VIP (instead of the FQDN) I got a certificate error again (which is expected), but on viewing the certificate after adding an exception in the web browser, I could see the correct certificate was fetched (i.e. "Issued to: example.gov.de and Issued by: Verisign").
Some validations I have checked after observing the above:
1. Pinged the FQDN, verified it is resolving to the correct VIP.
2. Cleared and checked VIP statistics, which proved that traffic is hitting the right VS when it shows the * certificate.
3. TCPDUMP also shows that when the client is accessing the FQDN, it is hitting the correct VIP.
The strange part is, the same certificate and key are attached to another Client-SSL Profile, which is applied to another VS, which works well.
I have also tried to map that working Client-SSL profile to the weird VIP and it didn't change anything.
Any clue?
Thank you, Darshan