
Determine which cert if used on a VS for a requesting client


Information


Summary:

When multiple certs are assigned to an SSL offloaded/re-encrypted virtual service, how does the LM determine which certificate to present to the requesting client?

Environment:

Product: LoadMaster

Version: All firmware revisions

Platform: All platforms

Application: SSL VS using multiple certificates

Question/Problem Description:

How does the LoadMaster determine the correct certificate to present to a client connection when multiple certificates are assigned to a virtual service?

Steps to Reproduce:  
Error Message: N/A
Defect Number:  
Enhancement Number:  
Cause:  
Resolution:

The LoadMaster reads the requested FQDN (Fully Qualified Domain Name) and tries to match it to the SAN names of the assigned certificates.

e.g. a client requests www.domain1.com -> the VS presents the certificate whose SAN name covers www.domain1.com


If the service has wildcard certificates assigned, this matching does not work: a wildcard matches any requested domain, so the LoadMaster presents the first certificate in the list.


Workaround:

When using multiple certificates in a virtual service, ensure that none of them are wildcard certificates such as *.domain.com, and that they instead have SAN names for every possible valid request, such as www.domain.com, mail.domain.com, etc.
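As an added illustration (not LoadMaster code), here is a small Python model of the selection rule exactly as this article states it, plus a check that flags wildcard certificates in a multi-certificate list; the certificate names and SAN lists are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Cert:
    """A certificate reduced to what the selection rule looks at: its SAN names."""
    name: str                                   # constructed label for this example
    sans: list = field(default_factory=list)    # SAN names on the certificate

    def is_wildcard(self) -> bool:
        return any(san.startswith("*.") for san in self.sans)

    def matches(self, fqdn: str) -> bool:
        # As the article describes it: a wildcard matches ANY requested domain,
        # which is why it short-circuits per-FQDN selection.
        if self.is_wildcard():
            return True
        return fqdn.lower() in (san.lower() for san in self.sans)


def select_cert(fqdn: str, certs: list):
    """Walk the assigned certificates in list order and return the first whose
    SAN names match the requested FQDN. Returns None when nothing matches
    (the article does not say what happens in that case; assumption)."""
    for cert in certs:
        if cert.matches(fqdn):
            return cert
    return None


def audit_cert_list(certs: list) -> list:
    """Names of wildcard certs in a multi-cert VS; any hit means the first
    certificate in the list will be presented regardless of the requested FQDN."""
    if len(certs) < 2:
        return []
    return [c.name for c in certs if c.is_wildcard()]


# Constructed sample VS configurations
PROBLEM_VS = [Cert("wild", ["*.domain.com"]), Cert("mail", ["mail.domain.com"])]
FIXED_VS = [Cert("www", ["www.domain.com"]), Cert("mail", ["mail.domain.com"])]

if __name__ == "__main__":
    print(select_cert("mail.domain.com", PROBLEM_VS).name)   # wild (wrong cert)
    print(select_cert("mail.domain.com", FIXED_VS).name)     # mail (correct cert)
    print(audit_cert_list(PROBLEM_VS))                       # ['wild']
```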

Notes:  
