Client SSL profiles using SNI not able to use the subject alternative name
We have a clientssl profile using a *.domain.com wildcard SSL certificate. This profile is set as the default for SNI. We also have specific clientssl profiles using the application-specific SSL certificate. The application-specific certs have their subject as www.application.com, with the subject alternative name application.com. There may also be several other SANs listed, depending on the web app.
In testing, everything works great when accessing the site via https://www.application.com. However, when using https://application.com we receive a cert error and the *.domain.com wildcard SSL certificate is used. This is the same for any domain listed as a SAN.
My main question is: can SNI use subject alternative names? My testing indicates no, but I wanted to put this out to the group.
Here is my sanitized config:
ltm profile client-ssl domain.com_wildcard {
    app-service none
    cert domain.com_wildcard.crt
    chain ComodoCA.crt
    defaults-from clientssl
    key domain.com_wildcard.key
    sni-default true
}
ltm profile client-ssl prod-www_application_com {
    app-service none
    cert prod-www_application_com.crt
    chain prod-www_application_com.intermediate.ca.crt
    key prod-www_application_com.key
}
ltm virtual vs-x.x.x.x_443 {
    destination x.x.x.x:https
    ip-protocol tcp
    mask 255.255.255.255
    pool site-x.x.x.x_443
    profiles {
        http-x-forward { }
        domain.com_wildcard {
            context clientside
        }
        prod-www_application_com {
            context clientside
        }
        serverssl-insecure-compatible {
            context serverside
        }
        tcp { }
        websecurity { }
    }
    source 0.0.0.0/0
    source-address-translation {
        pool snat_pool
        type snat
    }
    vs-index 2539
}
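As an added illustration of the behaviour described in the post (example code, not from the original post or from F5): a small model of SNI-based profile selection over the two sanitized profiles, comparing a policy that matches the server name only against the certificate's Subject CN with one that also considers the subjectAltName entries. The matching rules, profile fields and hostnames are assumptions for illustration, not BIG-IP's documented implementation.

```python
# Added example, not part of the original post: model which client-ssl
# profile is picked for a given SNI server name under two policies:
#   "cn"     - match only the certificate Subject CN (the behaviour the
#              post observes: application.com falls through to sni-default)
#   "cn+san" - match Subject CN plus subjectAltName dNSNames
# The profile list mirrors the sanitized config; the rules are assumed.
from fnmatch import fnmatchcase

PROFILES = [  # constructed from the post's config; SAN list assumed
    {"name": "domain.com_wildcard", "cn": "*.domain.com",
     "sans": [], "sni_default": True},
    {"name": "prod-www_application_com", "cn": "www.application.com",
     "sans": ["application.com"], "sni_default": False},
]


def name_matches(pattern, host):
    """Case-insensitive match; a leading '*' label covers exactly one label
    (so *.domain.com covers foo.domain.com but not domain.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and fnmatchcase(host, pattern)
    return pattern == host


def cert_names(profile, policy):
    """Names the policy considers when matching the SNI server name."""
    names = [profile["cn"]]
    if policy == "cn+san":
        names += profile["sans"]
    return names


def select_profile(sni_host, policy="cn", profiles=PROFILES):
    """Return the name of the profile served for sni_host; if nothing
    matches, fall back to the profile flagged sni-default."""
    for p in profiles:
        if any(name_matches(n, sni_host) for n in cert_names(p, policy)):
            return p["name"]
    return next(p["name"] for p in profiles if p["sni_default"])


def served_cert_covers_host(sni_host, policy="cn", profiles=PROFILES):
    """Would a browser accept the served cert for sni_host? Browsers check
    CN and SANs, so a wildcard cert served for application.com fails."""
    chosen = next(p for p in profiles if p["name"] == select_profile(sni_host, policy, profiles))
    return any(name_matches(n, sni_host) for n in [chosen["cn"]] + chosen["sans"])
```

Under the "cn" policy application.com is served the wildcard profile and fails name validation, matching the cert error in the post; under "cn+san" it is routed to the application-specific profile.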