Global Accelerator (GA) supports HTTPS acceleration for multiple domain names by associating multiple SSL certificates with a single HTTPS listener. This topic describes how to set up multi-domain HTTPS acceleration using virtual endpoint groups and forwarding rules, and how to manage certificates throughout their lifecycle.
Certificate types
An HTTPS listener supports two types of SSL certificates:
Default server certificate — the certificate you configure when creating the HTTPS listener. It handles all requests that do not match an additional certificate's domain name. You cannot delete the default server certificate; you can only replace it.
Additional SSL certificate — certificates you add after the listener is created. Each additional certificate is associated with one or more domain names, enabling the listener to serve multiple domains. Each HTTPS listener supports up to 3 additional SSL certificates by default, and each additional certificate can cover up to 3 domain names.
Limitations
Standard GA instances support Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) certificates.
If the default certificate of a standard subscription GA instance is an ECC certificate, all additional certificates must also be ECC certificates. Mixing ECC and RSA certificates may cause additional domain names to fail to resolve.
For details on supported encryption algorithms, see SSL certificate selection guide.
Prerequisites
Before you begin, ensure that you have:
A standard GA instance. See Create and manage standard GA instances.
(Subscription billing only) A basic bandwidth plan purchased and attached to the GA instance
An acceleration region configured. See Add and manage acceleration areas
(Chinese mainland only) An ICP filing number for your website
Multiple SSL certificates issued. See Purchase an official certificate and Apply for a certificate
How it works
The setup involves five steps:
Create an HTTPS listener and set the default server certificate.
Create virtual endpoint groups, one per origin server.
Associate additional SSL certificates with the listener, one per domain name group.
Create domain name-based forwarding rules to route requests to the correct endpoint group.
Add CNAME records to map your domain names to the GA instance.
Step 1: Associate the default server certificate with an HTTPS listener
Create an HTTPS listener and configure its default server certificate. The endpoint group created in this step serves as the default endpoint group for the listener. For detailed HTTPS listener parameters, see the "Add an HTTP or HTTPS listener" section of Add and manage intelligent routing listeners.
Log on to the GA console.
On the Instances page, find the GA instance and click Configure Listener in the Actions column.
On the Listeners tab, click Add Listener.
Skip this step if the GA instance already has an HTTPS listener configured.
In the Configure Listener & Protocol step, configure the following parameters and click Next:
Server Certificate: select the SSL certificate to use as the default server certificate.
TLS Security Policies: select a TLS security policy. See TLS security policies.
In the Configure Endpoint Group step, configure the endpoint group and its endpoints, then click Next. This endpoint group becomes the default endpoint group for the listener.
In the Configuration Review step, verify the settings and click Submit.
Step 2: Create virtual endpoint groups
Create a virtual endpoint group for each origin server. For steps, see the "Create a virtual endpoint group" section of Create and manage the endpoint groups of intelligent routing listeners.
Step 3: Associate additional SSL certificates with the HTTPS listener
Log on to the GA console.
On the Instances page, find the GA instance and click Configure Listener in the Actions column.
On the Listeners tab, click the ID of the HTTPS listener.
On the listener details page, click the Certificates tab.
In the Additional Certificate section, click Associate Certificate.
In the Associate Certificate dialog box, configure the following and click OK:
Certificate: select the certificate to associate.
Associated Domain Name: select one or more domain names to accelerate with this certificate. Each additional certificate can cover up to 3 domain names.
To associate multiple additional certificates at once, click + Add Certificate.
Each HTTPS listener supports up to 3 additional SSL certificates by default. To increase this limit, go to Quota Center and submit a request to increase the gaplus_quota_additional_certs_per_listener quota. See Manage GA quotas.
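A pre-flight check for the certificate set planned in Steps 1 and 3, as an added example (not Alibaba Cloud code and not a GA API client): it applies this page's default limits and its ECC rule, and shows which certificate a host name is expected to receive. The Cert class, the function names and the sample domains are hypothetical, and exact host-name matching is an assumption.

```python
from dataclasses import dataclass, field

# Defaults stated on this page; the per-listener limit can be raised through Quota Center.
MAX_ADDITIONAL_CERTS = 3
MAX_DOMAINS_PER_CERT = 3

@dataclass
class Cert:
    name: str        # hypothetical label, not a GA certificate ID
    key_type: str    # "RSA" or "ECC"
    domains: list = field(default_factory=list)  # empty for the default certificate

def validate_plan(default, additional, max_certs=MAX_ADDITIONAL_CERTS):
    """Return the problems found in a planned set of listener certificates."""
    problems = []
    for cert in [default, *additional]:
        if cert.key_type not in ("RSA", "ECC"):
            problems.append(f"{cert.name}: unsupported key type {cert.key_type}")
    if len(additional) > max_certs:
        problems.append(f"{len(additional)} additional certificates, limit is {max_certs}")
    for cert in additional:
        if not cert.domains:
            problems.append(f"{cert.name}: no associated domain name")
        if len(cert.domains) > MAX_DOMAINS_PER_CERT:
            problems.append(f"{cert.name}: {len(cert.domains)} domain names, limit is {MAX_DOMAINS_PER_CERT}")
        # The page states this rule for subscription instances; applied to every plan here.
        if default.key_type == "ECC" and cert.key_type != "ECC":
            problems.append(f"{cert.name}: {cert.key_type} certificate with an ECC default certificate")
    return problems

def cert_for(host, default, additional):
    """Name the certificate expected for a requested host name (exact match assumed)."""
    wanted = host.strip().rstrip(".").lower()
    for cert in additional:
        if wanted in (d.lower() for d in cert.domains):
            return cert.name
    return default.name  # no additional certificate matches: default server certificate

# Constructed sample plan; all names and domains are made up.
SAMPLE_DEFAULT = Cert("default-ecc", "ECC")
SAMPLE_ADDITIONAL = [
    Cert("shop-ecc", "ECC", ["shop.example.com", "pay.example.com"]),
    Cert("api-rsa", "RSA", ["api.example.com", "v1.example.com", "v2.example.com", "v3.example.com"]),
]

if __name__ == "__main__":
    for problem in validate_plan(SAMPLE_DEFAULT, SAMPLE_ADDITIONAL):
        print("PROBLEM:", problem)
    print(cert_for("Shop.Example.com.", SAMPLE_DEFAULT, SAMPLE_ADDITIONAL))
```

A host name that resolves to the default certificate here is one that clients would see served with a certificate issued for a different name, so run the check before adding the CNAME records in Step 5.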
Step 4: Create forwarding rules
Create a domain name-based forwarding rule for each virtual endpoint group to route requests to the correct origin server. See Create and manage forwarding rules.
Step 5: Add CNAME records
Add a CNAME record for each domain name you want to accelerate. Map the domain name to the CNAME address of the GA instance so that client requests are forwarded to GA. See Add a CNAME record for a domain name.
Manage certificates
| Operation | Description |
|---|---|
| Replace the default server certificate | 1. On the Listeners tab, click the listener ID. <br>2. Click the Certificates tab. <br>3. In the Default Server Certificate section, find the certificate and click Replace in the Actions column. <br>4. In the Change Default Server Certificate dialog box, select the new certificate and click OK. |
| Replace an additional SSL certificate | Use this when a certificate expires but the associated domain names remain unchanged. <br><br>1. On the Listeners tab, click the listener ID. <br>2. Click the Certificates tab. <br>3. In the Additional Certificate section, find the certificate and click Replace in the Actions column. <br>4. In the Change Default Server Certificate dialog box, select the new certificate and click OK. |
| Disassociate an additional SSL certificate | You can only disassociate additional SSL certificates from an HTTPS listener in the GA console. Disassociating a certificate removes it from the listener but does not delete the certificate. To delete a certificate, see Revoke and delete an SSL certificate. <br><br>1. On the Listeners tab, click the listener ID. <br>2. Click the Certificates tab. <br>3. In the Additional Certificate section, disassociate certificates: <br> - Single: find the certificate and click Disassociate in the Actions column. <br> - Multiple: select the certificates and click Batch Disassociate. <br>4. In the confirmation dialog box, click OK. |
References
Use a single GA instance to accelerate multiple domain names over HTTPS: end-to-end walkthrough for multi-domain HTTPS acceleration with multiple certificates.
AssociateAdditionalCertificatesWithListener: API reference for associating additional SSL certificates with an HTTPS listener.
UpdateAdditionalCertificateWithListener: API reference for replacing an additional SSL certificate.
DissociateAdditionalCertificatesFromListener: API reference for disassociating additional SSL certificates.
ListListenerCertificates: API reference for querying SSL certificates associated with an HTTPS listener.