Determine which cert if used on a VS for a requesting client
Information
Summary: |
When multiple certs are assigned to an SSL offloaded/re-encrypted virtual service, how does the LM determine which certificate to present to the requesting client? |
Environment: |
Product: LoadMaster |
Version: All firmware revisions |
Platform: All platforms |
Application: SSL VS using multiple certificates |
Question/Problem Description: |
How does the LoadMaster determine the correct certificate to present to a client connection when multiple certificates are assigned to a virtual service? |
Steps to Reproduce: | |
Error Message: | N/A |
Defect Number: | |
Enhancement Number: | |
Cause: | |
Resolution: |
The LoadMaster reads the FQDN (Fully Qualified Domain Name) that the client sends in the Server Name Indication (SNI) extension of the TLS ClientHello and tries to match it against the SAN (Subject Alternative Name) entries of the certificates assigned to the VS. For example, a client request for www.domain1.com causes the VS to present the certificate whose SAN list contains www.domain1.com.
If wildcard certificates are assigned to the service this matching does not work: a wildcard such as *.domain1.com matches any requested domain, so the VS presents the first certificate in the list regardless of the FQDN the client requested.
|
Workaround: |
When assigning multiple certificates to a virtual service, ensure that none of them is a wildcard certificate such as *.domain.com. Instead, each certificate should carry SAN entries for every valid host name a client may request, such as www.domain.com, mail.domain.com, etc. |
Notes: |