Associate multiple certificates with an HTTPS listener - Global Accelerator

Global Accelerator (GA) can help accelerate multiple domain names over HTTPS. To implement this feature, you only need to associate multiple certificates with an HTTPS listener of a GA instance. This topic describes how to associate multiple certificates with an HTTPS listener and use virtual endpoint groups and forwarding rules to accelerate multiple domain names over HTTPS.

Prerequisites

A standard Global Accelerator instance is created. For more information, see Create and manage standard GA instances.
A basic bandwidth plan is purchased and associated with the GA instance whose bandwidth metering method is pay-by-bandwidth.
An acceleration area is added. For information about how to add acceleration areas, see Create and manage standard GA instances.
An Internet Content Provider (ICP) number is obtained for your website if the website is deployed in the Chinese mainland. For more information, see What is an ICP filing?
Multiple SSL certificates are issued to you. For more information, see Purchase an SSL certificate and Submit a certificate application.

Manage SSL certificates that are associated with an HTTPS listener

When you create an HTTPS listener for a GA instance, you must configure an SSL certificate for identity authentication and encrypted data transmission. You can associate multiple SSL certificates with an HTTPS listener of a GA instance. The following types of SSL certificates are supported:

Default server certificate
The SSL certificate that you configure when you create an HTTPS listener is used as the default server certificate. You cannot delete the default server certificate. You can only replace the default server certificate.
Additional server certificate
You can associate additional SSL certificates with an existing HTTPS listener. You can associate multiple domain names with an HTTPS listener by configuring additional certificates for the HTTPS listener. Then, you can create domain name-based forwarding rules to distribute client requests that are destined for different domain names to different endpoint groups.
You can associate each HTTPS listener with up to three additional SSL certificates. If you want to associate more than three additional SSL certificates with an HTTPS listener, go to the Quota Center and submit a ticket to increase the gaplus_quota_additional_certs_per_listener quota. After the quota is increased, you can associate up to 10 additional SSL certificates with an HTTPS listener.

Procedure

Step 1: Associate the default server certificate with an HTTPS listener

Create an HTTPS listener and associate an SSL certificate. This SSL certificate will be used as the default server certificate. The endpoint group that you create is used as the default endpoint group. For more information about HTTPS listeners, see the "Add an HTTP or HTTPS listener" section of the Add and manage intelligent routing listeners topic.

Log on to the GA console .
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, click Add Listener.
Note
The first time you add an HTTPS listener or if the GA instance that you want to manage is not configured with an HTTPS listener, skip this step.
On the Configure Listener & Protocol wizard page, configure the parameters and click Next.
Parameter configuration:
- Server Certificate: Select the SSL certificate that you want to associate. The SSL certificate that you select is used as the default server certificate of the HTTPS listener.
- TLS Security Policies: Select the TLS security policy that you want to use. For more information about TLS security policies, see TLS security policies.
On the Configure Endpoint Group wizard page, configure the endpoint group and endpoints and click Next.
The endpoint group that you configure is used as the default endpoint group of the HTTPS listener.
On the Confirm wizard page, confirm the configurations and click Submit.

Step 2: Create virtual endpoint groups

Create virtual endpoint groups. Each virtual endpoint group contains one of the origin servers. For more information, see the "Create a virtual endpoint group" section of the Create and manage the endpoint groups of intelligent routing listeners topic.

Step 3: Associate additional SSL certificates with the HTTPS listener

Log on to the GA console .
On the Instances page, find the GA instance that you want to manage and click Configure Listeners in the Actions column.
On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.
On the listener details page, click the Certificates tab.
On the Certificates tab, click Associate Certificate in the Additional Certificate section.
In the Associate Certificate dialog box, configure the additional SSL certificate and click OK.
- Certificate: Select the SSL certificate that you want to associate.
- Associated Domain Name: Select one or more domain names that you want to accelerate by using GA. The SSL certificate is associated with the domain names that you select. You can select multiple domain names. Each additional certificate can be associated with at most three domain names.
You can click + Add Certificate to add multiple additional SSL certificates at a time. You can associate each HTTPS listener with up to three additional SSL certificates. If you want to associate more than three additional SSL certificates with an HTTPS listener, go to the Quota Center and submit a ticket to increase the gaplus_quota_additional_certs_per_listener quota. For more information, see Manage GA quotas.

Step 4: Create forwarding rules

Create a domain name-based forwarding rule for each virtual endpoint group. For more information, see Create and manage forwarding rules.

Step 5: Add a CNAME record

Add CNAME records for the domain names that you want to accelerate. To forward requests from clients to GA, you must modify the domain name system (DNS) record to map the domain names that you want to accelerate to the CNAME of the GA instance. For more information, see Add a CNAME record for a domain name.

More operations

Operation	Description
Replace the default server certificate	On the Listeners tab, find the HTTPS listener that you want to manage and click the listener ID. On the listener details page, click the Certificates tab. In the Default Server Certificate section of the Certificates tab, find the SSL certificate that you want to replace and click Replace in the Actions column. In the Change Default Server Certificate dialog box, select the SSL certificate that you want to use and click OK.
Replace an additional server certificate	The operation is applicable to scenarios in which an additional certificate expires and the associated domain name does not need to change. On the Listeners tab, find the HTTPS listener that you want to manage and click the listener ID. On the listener details page, click the Certificates tab. In the Additional Certificate section of the Certificates tab, find the SSL certificate that you want to replace and click Replace in the Actions column. In the Change Default Server Certificate dialog box, select the certificate that you want to use and click OK.
Disassociate an additional SSL certificate	You can only disassociate additional SSL certificates from an HTTPS listener in the GA console. If you want to delete a certificate, see Revoke and delete a certificate. On the Listeners tab, find the HTTPS listener that you want to manage and click the listener ID. On the listener details page, click the Certificates tab. In the Additional Certificate section of the Certificates tab, disassociate one or more additional SSL certificates. Disassociate one additional SSL certificate: Find the certificate that you want to disassociate and click Disassociate in the Actions column. Disassociate multiple additional SSL certificates: Select the additional SSL certificates that you want to disassociate and click Batch Disassociate. In the message that appears, click OK.

References

Use a single GA instance to accelerate multiple domain names over HTTPS: accelerates multiple domain names over HTTPS by configuring multiple certificates.
AssociateAdditionalCertificatesWithListener: associates additional SSL certificates with an HTTPS listener.
UpdateAdditionalCertificateWithListener: replaces an additional SSL certificate for an HTTPS listener.
DissociateAdditionalCertificatesFromListener: disassociates additional SSL certificates from an HTTPS listener.
ListListenerCertificates: queries the SSL certificates that are associated with an HTTPS listener.