Forum Discussion

Anthony_891
Sep 11, 2013

Redirect to correct SSL Cert Site

I have a site, say it is https://www.xyz.org, and I have a certificate for www.xyz.org. I need to redirect requests coming in for https://www.xyz.com to https://www.xyz.org without getting an SSL certificate error. I took an easy approach by using the following, but this did not work.

    when HTTP_REQUEST {
        if { [HTTP::host] contains ".com" } {
            HTTP::redirect "https://www.xyz.org"
        }
    }

It gives the certificate error and then, if you accept the error and move on, it redirects. I need to do this before it hits the cert.


Is there a way to do that? I have not been successful figuring this one out. Thanks for the assist.


3 Replies

  • Richard__Harlan
    Historic F5 Account

    Outside of getting the .com SSL cert, you are going to get the error. As SSL negotiation happens before the HTTP request, you cannot send an HTTP redirect without first getting the cert error. Now, if the customer is using TLS, there is a host name in the negotiation allowing the client to tell the server what cert they are expecting; you can then tell the F5 to return the correct cert to the customer.


  • The problem, unfortunately, happens before layer 7 (HTTP). The x509 subject of the certificate that the server is presenting to the client (www.xyz.org) does not match what the client is asking for (www.xyz.com), so the browser complains. There are a few options:


    1. Subject Alt Name (SAN) certificate - where you take a single certificate and add multiple subjectAltNames to it (one for each server name). You can purchase these from any CA vendor.


    2. Server Name Indicator (SNI) - this is a TLS extension that allows you to add multiple client SSL profiles to the (v11) VIP. You'll need two cert/key pairs (www.xyz.com and www.xyz.org), one for each client SSL profile. The extension allows the BIG-IP to switch the client SSL profiles during the SSL negotiation based on the server name value that the client sends in the CLIENTHELLO message. This requires TLS, so older clients (WinXP and below) can't use this.


    3. Host two VIPs, each with their own client SSL profiles and server certificates. Add a simple redirect iRule to the .com VIP so that all traffic is re-routed to the .org VIP.


    You won't be able to get away from requiring a new SAN certificate or two individual certificates.


  • This is a common request. As the SSL session is established before any HTTP is passed, you simply can't do this without having a valid certificate for the .com domain.