Forum Discussion

Bill_Farrell
Jun 18, 2013

iRule to redirect 80 to 443 self signed cert issue

Hello,

I have an iRule that is working fine. I am using a self-signed cert for it. When the user types in "testserver.domain.com", the iRule sends them to https://testserver.domain.com. IE warns that there is a problem with the website's security cert; once I install the cert, the redirect works with no issue. The problem is when a user enters just "testserver": IE complains each time that "The security certificate presented by this website was issued for a different website's address."

If I click to continue I can hit the desired site. How can I get by the above warning message when only "testserver" is entered?

Thanks

Bill


9 Replies

  • In short, you either need TWO certificates (testserver and testserver.domain.com), a wildcard certificate (*.domain.com), or a SAN certificate (with the two subject alternative names in the certificate).

    v11 supports the TLS Server Name Indication (SNI) extension. Create a separate client SSL profile for each certificate and specify its subject name in the "Server Name" block in the profile. Then apply both client SSL profiles to the VIP. If using a wildcard or SAN certificate, you can use that certificate in a single client SSL profile attached to the VIP.
  • Hi Kevin,

    We are not on v11 yet so I created the wildcard cert, *.domain.com. I applied it to the VIP but still the same issue when I enter testserver; the FQDN works fine.

    Thanks

    Bill


  • Crud, I should have caught that... Let me rephrase then ;)

    Your ONLY option, below v11, is a SAN certificate. The wildcard *.domain.com doesn't work because testserver doesn't match that wildcard name.
  • I don't see the option for a SAN cert in the GUI. Can you direct me to how it is created?

    Thanks

    Bill


  • A SAN cert is simply a server certificate with multiple Subject Alternative Name values:

    DNS Name = testserver.domain.com

    DNS Name = testserver

    How are you creating your certificates?
  • I use the GUI and under SSL certs use the create option. I am trying to use a self-signed cert for this.

    Bill


  • It's just like creating a normal cert. I personally like to name them something that reminds me it is a SAN cert or it can get real confusing. Also, beware that some apps can't validate against a SAN. If your site is accessed via browser only, you are probably fine.

    Chris
  • Well, you can create SAN certificates in the v11 GUI and TMSH, but since you're not on v11 yet, your best bet is probably OpenSSL or some other CA product.
  • Just in case you have not yet seen this.

    sol11438: Creating SSL SAN certificates and CSRs using OpenSSL

    http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11438.html
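
Added example, not part of any post in this thread and not taken from sol11438: one way to create the self-signed SAN certificate discussed above with OpenSSL, using the two hostnames from the thread, and to confirm that it covers both the short name and the FQDN. The file names, key size and validity period are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate with both names as SAN entries.
# Hostnames come from the thread; file names, key size and lifetime are assumed.

make_san_cert() {
    outdir=$1
    # OpenSSL config: the SAN list is what browsers compare the typed name against.
    cat > "$outdir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[dn]
CN = testserver.domain.com

[v3_san]
subjectAltName = @alt_names

[alt_names]
DNS.1 = testserver.domain.com
DNS.2 = testserver
EOF
    # Generate key and self-signed certificate in one step.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/san.cnf" \
        -keyout "$outdir/testserver.key" \
        -out "$outdir/testserver.crt" 2>/dev/null
}

# Exit status 0 only if the certificate is valid for the given hostname.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

workdir=$(mktemp -d)
make_san_cert "$workdir"
openssl x509 -in "$workdir/testserver.crt" -noout -text |
    grep -A1 'Subject Alternative Name'
for h in testserver testserver.domain.com other.domain.com; do
    if cert_matches_host "$workdir/testserver.crt" "$h"; then
        echo "$h: match"
    else
        echo "$h: NO match"
    fi
done
```

The last loop entry shows that, unlike a wildcard, the SAN list covers only the names explicitly listed in it.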