SSL certificate for two VPN gateways for the same Domain behind a Load balancer

Posted on 2014-08-23
Last Modified: 2014-10-06
Our company has two VPN gateways (or think of it as a web server, I guess) behind a load balancer for resilience purposes, which share the same domain (e.g. the VPN client will log on to the VPN session through either one of the VPN gateways).

We need to install SSL certificates on both VPN gateways and purchase the certificates from a well-known public CA (e.g. Symantec VeriSign, GoDaddy, etc.). My questions are as follows:

1) As both VPN gateways share the same domain name, shall we purchase two SSL certs from the public CA, one for each VPN gateway, or just one and install that one cert on both VPN gateways?

2) When we generate the CSR (Certificate Signing Request) for the public CA, should we provide the same registration information, such as:

Common Name:
OU: xxx

or unique registration for each VPN gateway, such as

Note that the VPN client only logs in to the VPN using the domain?

Thank you so much for your technical advice in advance.

Patrick Tam (System Administrator)
Question by: patricktam

Expert Comment by: David Johnson, CD, MVP (LVL 77)
I'd use * or a UCC certificate (subject name: ,,)
Expert Comment (LVL 60)

You may want to consider a single certificate; in the Cisco VPN remote access solution, they term it a Unified Client Certificate (UCC). Hence, in the LB/cluster use case, one UCC with multiple SANs (Subject Alternative Name extensions), with each ASA FQDN/IP included.

Another is a wildcard; either approach can achieve this, but each has its pros and cons. I deployed the SAN approach to better identify the required (hostname) servers. E.g. during enrollment, ask the CA to include the specified fully qualified domain name in the Subject Alternative Name extension of the certificate.

But do note that in the context of an LB, there should be some sticky session to keep the established traffic going to the same SSL VPN server. E.g. after the SSL VPN session is opened for a client through any SSL VPN device, additional requests from that client are always forwarded to the same SSL VPN device.
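Added example (not part of the thread above, and not Cisco's or any CA's tooling): generating one CSR whose Subject Alternative Name extension carries the public VPN hostname plus both gateway hostnames, then reading the SAN list back out of the CSR before it goes to the CA. The hostnames vpn.example.com, vpn-gw1.example.com and vpn-gw2.example.com, the organisation fields, and the helper names make_san_csr and csr_san_names are assumptions for illustration; only openssl and POSIX sh are required.

```shell
#!/bin/sh
# Added example: one CSR with multiple SAN DNS names (hostnames are made up).
# The same CSR/key pair is then installed on both gateways behind the LB.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_san_csr CN [SAN-HOST ...]
# Writes an openssl request config with a subjectAltName extension that lists
# the CN and every extra host, generates a fresh RSA key and CSR, and prints
# the CSR path. Including the CN in the SAN matters: modern clients validate
# only the SAN and ignore the CN.
make_san_csr() {
    cn="$1"; shift
    san_list="DNS:$cn"
    for host in "$@"; do
        san_list="$san_list,DNS:$host"
    done
    cat > "$WORKDIR/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[ dn ]
C = US
O = Example Corp
OU = Network Operations
CN = $cn

[ v3_req ]
subjectAltName = $san_list
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/vpn.key" -out "$WORKDIR/vpn.csr" \
        -config "$WORKDIR/san.cnf" 2>/dev/null
    echo "$WORKDIR/vpn.csr"
}

# csr_san_names CSR-FILE
# Prints the DNS names found in the CSR's Subject Alternative Name extension,
# one per line. Use it to check the request before paying for the certificate.
csr_san_names() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tail -n1 \
        | tr ',' '\n' \
        | sed -e 's/^ *DNS://'
}

csr=$(make_san_csr vpn.example.com vpn-gw1.example.com vpn-gw2.example.com)
csr_san_names "$csr"
```

If a single certificate is used, the private key written to vpn.key has to be copied to both gateways along with the issued certificate; a CSR generated separately on each gateway would need its own certificate, since each would have a different key. The CA, not the requester, ultimately decides which SAN entries appear in the issued certificate, so repeat the same check against the certificate it returns.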
Expert Comment (LVL 76)

Are you using a load balancer, or using the ASAs in an active/active HA cluster setup? Or a combination of the two?

I.e. use the VIP on each ASA and attach the same certificate to them.

    Since they are referenced by a single name, the IP is of no consequence.

Each ASA will have four IPs: management, peer-to-peer, and one of the two VIPs, unless the other device is down.
Accepted Solution (LVL 60)

The hostname of the eventual single public-facing VPN endpoint that your client machines connect to needs to be deployed on the LB fronting the two VPN gateways. It should be transparent to the client machine, with the LB handling that.
