I have 2 SA 6500s in an active/active cluster and have an issue with certificates. The problem I am having is we do not utilize a load balancer so we have employees connect to a node based on their physical location so I have different URLs for each node. In the configuration it only allows me to install 1 certificate for the internal and 1 for the external. Can this somehow be done on a per node basis so I can have valid certs for each URL?
Do you require that each location connect to a specific box? Or is this just how you are balancing the load?
You could use DNS round robin as an essentially free load balancer.
You use the same URL on both boxes but simply create two DNS A records with the two different public IP addresses.
Your DNS servers will then alternate which record is handed out on each request roughly balancing your connections.
DNS then becomes your load balancer for the connections.
I have it intentionally set up this way. I was digging through the knowledge base and it would appear I am going to need to use a wildcard cert to accomplish this.
Why not use the same host name but just change the paths?
Limit the number of hostnames: less confusion, more better.
Just my 2 cents.
Take a look at this help page (from GoDaddy, used as an example only, not as a positive/negative recommendation).
I'm sure you can get 2-name certificates from any authority, and I don't know if both names have to resolve to the same IP address at the time of issuance.
If you need to load multiple device certs then you can create virtual ports (external and internal) and assign unique certs for each port. Your load balancer can then forward requests to any port based on the location the user comes from.
Thanks for all the replies. I have been testing a couple of options and it appears wildcard certs and certs with multiple CNs work fine with the Juniper client.
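The three certificate strategies discussed in this thread (one per-node name, a wildcard, or a single multi-name cert) cover different sets of hostnames, and a client decides which names a cert is valid for by matching them against the certificate's names using the RFC 6125 rules. The following is an added example, not code from the thread or from Juniper, that implements that matching so you can check a planned cert's name list against every URL employees will use before buying it; the hostnames `vpn-east.example.com`, `vpn-west.example.com` and `vpn.example.com` are constructed placeholders.

```python
from typing import Dict, Iterable, List

# Constructed sample names: the two per-node URLs from the original post,
# plus the single shared name a DNS round-robin setup would use instead.
NODE_A = "vpn-east.example.com"
NODE_B = "vpn-west.example.com"
SHARED = "vpn.example.com"


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN dNSName, possibly with a
    wildcard) against a hostname the way RFC 6125 clients do:
    case-insensitive, wildcard allowed only as the whole leftmost label,
    and the wildcard matches exactly one label (never the bare domain)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ("vpn-*.example.com"), wildcards in any
    # non-leftmost label, and over-broad patterns such as "*.com".
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # "*.example.com" covers "vpn.example.com" but not "example.com"
    # and not "node1.vpn.example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name listed in the certificate matches the hostname."""
    return any(_match_dns_name(name, hostname) for name in cert_names)


def coverage_report(cert_names: List[str], hostnames: List[str]) -> Dict[str, bool]:
    """Map each hostname users will type to whether this cert would validate."""
    return {host: cert_covers(cert_names, host) for host in hostnames}


# The strategies from the thread, expressed as the name list each cert carries.
STRATEGIES = {
    "one cert, one node name": [NODE_A],
    "wildcard cert": ["*.example.com"],
    "multi-name (SAN) cert": [NODE_A, NODE_B, SHARED],
}


def report_all() -> Dict[str, Dict[str, bool]]:
    targets = [NODE_A, NODE_B, SHARED]
    return {label: coverage_report(names, targets) for label, names in STRATEGIES.items()}
```

Running `report_all()` shows the single-name cert failing on the second node's URL while the wildcard and multi-name certs cover all three, which matches what the original poster observed with the Juniper client.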