Forum Discussion
Kevin_Stewart
Aug 06, 2013 (Employee)
There are at least THREE options:
1. Wildcard certificates - this is probably the most expensive solution for most but easiest to manage. A single certificate that encompasses all subdomains (example: *.example.com).
2. Subject Alternative Name (SAN) certificates - this is a little less expensive usually, but isn't as flexible if you need to add hosts later. A single certificate with multiple subject alternative name values. Some CAs limit the number of hosts you can add to a SAN certificate.
3. Server Name Indicator (SNI) - this is an extension to the TLS protocol and is supported in BIG-IP version 11 and up. The idea is that a TLS-capable client will initiate an SSL session and add a "servername" value in its CLIENTHELLO message, and LTM can "switch" client SSL profiles based on that value. You would import all of the customers' certificates, create a client SSL profile for each, specify the certificate's subject name in the Server Name field of each client SSL profile, and then add ALL of these client SSL profiles to the same single virtual server. You can optionally specify a single "default" profile if the client is not TLS-capable.
The rest of your HTTP-based iRule logic can remain the same.