Forum Discussion
Russell_E_Glaue
Feb 19, 2009 (Nimbostratus)
Posted By rglaue on 02/19/2009 9:51 AM
Do note, however, that each SSL Cert and matching domain must be assigned to, and responding on, two different IP numbers
So, sub.mydomain.com must be assigned to one IP number in DNS
And, www.sub.mydomain.com must be assigned to another IP in DNS
This will be two different Virtual Servers on the BigIP.
-RG
I should note that this is if you get two different SSL Certs, one for each of the two domains that will be accessed via "https://...".
If you get a wildcard SSL cert, or the SAN cert, all the matching domains can be assigned to one DNS IP and thus one Virtual Server.
So it is not really one domain per IP, as it is one SSL Cert per IP.
The reason is that the Web Browser is connecting to an IP number and performing the SSL handshake.
The Web Server (or BigIP in this case) does not know what domain the Web Browser is trying to access because the SSL Connection has not been established at that point.
So the SSL Certificate is assigned to an IP number, and the Web Server (BigIP) has the one SSL Cert to use for any connection. That one SSL Cert is sent to the Web Browser, which matches the SSL Cert's common name with the domain name it will then send on in the HTTP 1.1 packet.
If the common name of the SSL Cert does not match the domain name ("Host" header) the Web Browser is going to send in the HTTP 1.1 packet, the Web Browser spits out a Mismatch error to the browser user.
-RG
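The hostname check the browser performs once the certificate arrives, and the consequence for the two names in this thread (a wildcard covers one DNS label, so `*.mydomain.com` covers `sub.mydomain.com` but not `www.sub.mydomain.com`, while a SAN cert covers both on one IP). This is an added Python example, not code from the original post; the `CertNames` records and the `vs_*` virtual-server names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity names carried by a server certificate (constructed, no keys)."""
    common_name: str
    san_dns: list = field(default_factory=list)  # subjectAltName dNSName entries


def name_matches(presented: str, hostname: str) -> bool:
    """Match one presented name (optionally '*.label.tld') against a hostname.
    A wildcard covers exactly one DNS label, so '*.mydomain.com' matches
    'sub.mydomain.com' but not 'www.sub.mydomain.com' (RFC 6125, 6.4.3)."""
    presented, hostname = presented.lower().rstrip("."), hostname.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == hostname
    p_labels, h_labels = presented.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False  # wrong depth, or a bare '*.tld' pattern
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: CertNames, hostname: str) -> bool:
    """Would a browser accept `cert` for the Host header it is about to send?
    SAN dNSName entries, when present, are authoritative and the CN is ignored;
    a cert with no SAN falls back to its common name, as the post describes."""
    names = cert.san_dns or [cert.common_name]
    return any(name_matches(n, hostname) for n in names)


def plan_virtual_servers(certs: dict, hostnames: list) -> dict:
    """Map each hostname to the first cert (one cert per IP/virtual server) that
    covers it. Distinct values = IPs needed; None = browser mismatch error."""
    return {
        host: next((vs for vs, c in certs.items() if cert_covers(c, host)), None)
        for host in hostnames
    }


# Constructed certificates for the two names discussed in the post.
HOSTS = ["sub.mydomain.com", "www.sub.mydomain.com"]
TWO_CERTS = {"vs_sub": CertNames("sub.mydomain.com"),
             "vs_www_sub": CertNames("www.sub.mydomain.com")}
WILDCARD = {"vs_wild": CertNames("*.mydomain.com")}
SAN_CERT = {"vs_san": CertNames("sub.mydomain.com", HOSTS)}

if __name__ == "__main__":
    for label, certs in [("two certs", TWO_CERTS), ("wildcard", WILDCARD), ("SAN", SAN_CERT)]:
        print(label, plan_virtual_servers(certs, HOSTS))
```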