SSL certificate for two VPN gateways for the same Domain behind a Load balancer

Our company has two VPN gateways (or think of it as a web server, I guess) behind a load balancer for resilience purposes which share the same domain (e.g. the VPN client will log on to the VPN session through either one of the VPN gateways).

We need to install SSL certificates for both VPN gateways and purchase the certificates from a well-known public CA (e.g. Symantec VeriSign, GoDaddy etc.). My questions are as follows:

1) As both VPN gateways share the same domain name, shall we purchase two SSL certs, one for each VPN gateway, from the public CA, or just one and install that one cert on both VPN gateways?

2) When we generate the CSR (Certificate Signing Request) for the public CA, should we provide the same registration information for both, such as:

Common Name:
OU: xxx

or a unique registration for each VPN gateway, such as &

Note that the VPN client only logs in to the VPN using the domain.

Thank you so much for your technical advice in advance.

Patrick Tam (System Administrator)

David Johnson, CD, MVP (Owner) commented:
I'd use * or a UCC certificate, subject name: ,,
btan (Exec Consultant) commented:
You may want to consider a single certificate; in the Cisco VPN remote access solution, they termed it Unified Client Certificate (UCC). Hence in the LB/cluster use case, one UCC with multiple SANs (Subject Alternative Name extensions) with each ASA FQDN/IP included.

Another is a wildcard, whereby both approaches can achieve this but have their pros and cons. I deployed the SAN to better determine the required (hostname) servers. E.g. during enrollment, ask the CA to include the specified fully qualified domain name in the Subject Alternative Name extension of the certificate.

But do note that in the context of the LB, there should be some sticky session to maintain the traffic established to the same SSL VPN server. E.g. after the SSL VPN session is opened for a client through any SSL VPN device, additional requests from that client are always forwarded to the same SSL VPN device.
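Added example (not from the original thread or any participant): what the single-certificate-with-SANs approach described above looks like at the CSR stage, using the OpenSSL command line in a POSIX shell. One CSR is generated whose CN is the public name the VPN clients connect to, and whose SAN list also names each gateway's own FQDN; the CSR is then parsed back to confirm the SANs are actually present before it goes to the CA. The hostnames vpn.example.com, vpn-gw1.example.com and vpn-gw2.example.com and the organisation name are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example: one CSR for the shared VPN hostname, with SANs covering
# each gateway's FQDN, plus a check that the CSR really carries those SANs.
# All hostnames below are assumed placeholders, not values from the thread.
set -eu

WORK="${TMPDIR:-/tmp}/san-csr-demo"
mkdir -p "$WORK"

# make_san_csr <out-prefix> <common-name> <san-host> [san-host ...]
# Writes <prefix>.key (private key, unencrypted) and <prefix>.csr.
make_san_csr() {
    prefix="$1"; cn="$2"; shift 2
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    # Minimal OpenSSL config. The CA reads subjectAltName from req_extensions;
    # putting the names only in the CN is not enough, modern clients match SANs.
    cat > "$prefix.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
O = Example Corp
[v3_req]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$prefix.key" -out "$prefix.csr" -config "$prefix.cnf" 2>/dev/null
}

# csr_sans <csr-file>: print the DNS SANs found in a CSR, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/{getline; print}' \
        | tr ',' '\n' | sed 's/^ *DNS://'
}

# csr_has_san <csr-file> <hostname>: exit status 0 if the CSR covers hostname.
csr_has_san() {
    csr_sans "$1" | grep -qx "$2"
}

# CN = the name on the load balancer VIP that clients actually type;
# SANs = that name plus each gateway's own FQDN, so direct per-device
# connections (for testing or if the LB is bypassed) also validate.
make_san_csr "$WORK/vpn" vpn.example.com \
    vpn.example.com vpn-gw1.example.com vpn-gw2.example.com

echo "SANs requested in $WORK/vpn.csr:"
csr_sans "$WORK/vpn.csr"
```

The same key and issued certificate are then installed on both gateways (or on the LB, if it terminates TLS and re-encrypts to the gateways). After the CA issues the certificate, run the same check against it with `openssl x509 -in cert.pem -noout -text`, since a CA may drop SANs it could not validate, and a certificate missing a gateway's FQDN will fail when a client hits that gateway by its own name.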
Are you using a load balancer or using the ASA in an active/active HA cluster setup? Or a combination of the two?

i.e. use the VIP on each ASA and attach the same certificate to them.

Since they are referenced by a single name, the IP is of no consequence.

Each ASA will have four IPs: management, peer-to-peer and one of two VIPs unless the other device is down.
btan (Exec Consultant) commented:
The hostname of the eventual single public-facing VPN that your client machines connect to needs to be deployed on the LB fronting the two VPN gateways. It should be transparent to the client machine, with the LB handling that.
