Global Accelerator (GA) can accelerate multiple domain names over HTTPS. To implement this feature, you only need to associate multiple certificates with an HTTPS listener of a GA instance. This topic describes how to associate multiple certificates with an HTTPS listener and use virtual endpoint groups and forwarding rules to accelerate multiple domain names over HTTPS.
Manage SSL certificates that are associated with an HTTPS listener
When you create an HTTPS listener for a GA instance, you must configure an SSL certificate for identity authentication and encrypted data transmission. You can associate multiple SSL certificates with an HTTPS listener of a GA instance. The following types of SSL certificates are supported:
Default server certificate
The SSL certificate that you configure when you create an HTTPS listener is used as the default server certificate. You cannot delete the default server certificate. You can only replace the default server certificate.
Additional SSL certificate
You can associate additional SSL certificates with an existing HTTPS listener. You can associate multiple domain names with an HTTPS listener by configuring additional certificates for the HTTPS listener. Then, you can create domain name-based forwarding rules to distribute client requests that are destined for different domain names to different virtual endpoint groups.
You can associate each HTTPS listener with up to three additional SSL certificates. If you want to associate more than three additional SSL certificates with an HTTPS listener, go to the Quota Center console and submit a ticket to increase the gaplus_quota_additional_certs_per_listener quota.
Limits
Standard GA instances support Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC) certificates.
If the default certificate associated with the HTTPS listener of a standard subscription GA instance is an ECC certificate, the additional certificates must also be ECC certificates. Otherwise, the additional domain names may fail to be resolved.
For more information about the encryption algorithms supported by SSL certificates, see Select an SSL certificate.
Prerequisites
A standard Global Accelerator instance is created. For more information, see Create and manage standard GA instances.
A basic bandwidth plan is purchased and associated with the GA instance whose bandwidth billing method is subscription.
An acceleration region is added. For more information, see Add and manage acceleration areas.
An Internet Content Provider (ICP) number is obtained for your website if the website is deployed in the Chinese mainland. For more information, see What is an ICP filing?
Multiple SSL certificates are issued to you. For more information, see Purchase SSL certificates and Apply for a certificate.
Procedure
Step 1: Associate the default server certificate with an HTTPS listener
Create an HTTPS listener and associate an SSL certificate. The SSL certificate that you configure when you create the HTTPS listener is used as the default server certificate. The endpoint group that you create is used as the default endpoint group. For more information about HTTPS listeners, see the "Add an HTTP or HTTPS listener" section of the Add and manage intelligent routing listeners topic.
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listener in the Actions column.
On the Listeners tab, click Add Listener.
Note: If you are adding an HTTPS listener for the first time or an HTTPS listener is not configured for the GA instance that you want to manage, skip this step.
In the Configure Listener & Protocol step, configure the parameters and click Next.
The following section describes the parameters:
Server Certificate: Select the SSL certificate that you want to associate. The SSL certificate that you select is used as the default server certificate of the HTTPS listener.
TLS Security Policies: Select the TLS security policy that you want to use. For more information about TLS security policies, see TLS security policies.
In the Configure Endpoint Group step, configure the endpoint group and the endpoints and click Next.
The endpoint group that you configure is used as the default endpoint group of the HTTPS listener.
In the Configuration Review step, confirm the configurations and click Submit.
Step 2: Create virtual endpoint groups
Create virtual endpoint groups. Each virtual endpoint group contains one of the origin servers. For more information, see the "Create a virtual endpoint group" section of the Create and manage the endpoint groups of intelligent routing listeners topic.
Step 3: Associate additional SSL certificates with the HTTPS listener
Log on to the GA console.
On the Instances page, find the GA instance that you want to manage and click Configure Listener in the Actions column.
On the Listeners tab, find the HTTPS listener with which you want to associate additional SSL certificates and click the listener ID.
On the listener details page, click the Certificates tab.
On the Certificates tab, click Associate Certificate in the Additional Certificate section.
In the Associate Certificate dialog box, configure the additional SSL certificate and click OK.
Certificate: Select the certificate that you want to associate.
Associated Domain Name: Select one or more domain names that you want to accelerate by using GA. The SSL certificate is associated with the domain names that you select. You can select multiple domain names. Each additional certificate can be associated with at most three domain names.
You can click + Add Certificate to add multiple additional certificates at a time. You can associate each HTTPS listener with up to three additional SSL certificates. If you want to associate more than three additional SSL certificates with an HTTPS listener, go to the Quota Center and submit a ticket to increase the gaplus_quota_additional_certs_per_listener quota. For more information, see Manage GA quotas.
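A pre-flight check for the certificate plan from Step 3, run before anything is clicked in the console. This is an added example, not part of the original documentation or of the GA API: it applies the limits stated on this page (three additional certificates per listener by default, three domain names per additional certificate, ECC additional certificates behind an ECC default on a standard subscription instance) and also verifies that every associated domain name is covered by the certificate's subjectAltName, using the standard single-label wildcard rule. The names Cert, covers, check_plan and demo, and all certificate IDs and domains, are hypothetical.

```python
from dataclasses import dataclass

MAX_ADDITIONAL_CERTS = 3  # default per-listener quota stated on this page
MAX_DOMAINS_PER_CERT = 3  # per additional certificate, stated on this page

@dataclass(frozen=True)
class Cert:
    cert_id: str   # constructed placeholder, not a real certificate ID
    key_type: str  # "RSA" or "ECC"
    san: tuple     # DNS names from the certificate's subjectAltName

def covers(san_entry: str, host: str) -> bool:
    """Match one SAN entry; '*' stands for exactly one leftmost label."""
    p, h = san_entry.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def check_plan(default: Cert, additional: list) -> list:
    """additional is a list of (Cert, [domain, ...]); returns found problems."""
    problems = []
    if len(additional) > MAX_ADDITIONAL_CERTS:
        problems.append(f"{len(additional)} additional certificates exceed the quota of {MAX_ADDITIONAL_CERTS}")
    for cert, domains in additional:
        # Limit from this page: an ECC default requires ECC additional certificates.
        if default.key_type == "ECC" and cert.key_type != "ECC":
            problems.append(f"{cert.cert_id}: {cert.key_type} certificate behind an ECC default")
        if not 1 <= len(domains) <= MAX_DOMAINS_PER_CERT:
            problems.append(f"{cert.cert_id}: {len(domains)} domains, expected 1 to {MAX_DOMAINS_PER_CERT}")
        for domain in domains:
            if not any(covers(entry, domain) for entry in cert.san):
                problems.append(f"{cert.cert_id}: no SAN entry covers {domain}")
    return problems

def demo() -> list:
    # Constructed sample plan; all names and IDs are illustrative.
    default = Cert("cert-default", "ECC", ("www.example.com",))
    additional = [
        (Cert("cert-a", "ECC", ("*.example.org",)), ["shop.example.org", "api.example.org"]),
        (Cert("cert-b", "RSA", ("example.net",)), ["www.example.net"]),
    ]
    return check_plan(default, additional)

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

An empty list from check_plan means the plan fits the limits on this page. If the gaplus_quota_additional_certs_per_listener quota has been raised, change MAX_ADDITIONAL_CERTS to match.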
Step 4: Create forwarding rules
Create a domain name-based forwarding rule for each virtual endpoint group. For more information, see Create and manage forwarding rules.
Step 5: Add CNAME records
Add CNAME records for the domain names that you want to accelerate. To forward requests from clients to GA, you must modify the domain name system (DNS) record to map the domain names that you want to accelerate to the CNAME of the GA instance. For more information, see Add a CNAME record for a domain name.
More operations
Operation | Description
Replace the default server certificate |
Replace an additional server certificate | The operation is applicable to scenarios in which an additional certificate expires and the associated domain name does not need to change.
Disassociate an additional SSL certificate | You can only disassociate additional SSL certificates from an HTTPS listener in the GA console. If you want to delete a certificate, see Revoke and delete a certificate.
References
Use a single GA instance to accelerate multiple domain names over HTTPS: accelerates multiple domain names over HTTPS by configuring multiple certificates.
AssociateAdditionalCertificatesWithListener: associates additional SSL certificates with an HTTPS listener.
UpdateAdditionalCertificateWithListener: replaces an additional SSL certificate associated with an HTTPS listener.
DissociateAdditionalCertificatesFromListener: disassociates additional SSL certificates from an HTTPS listener.
ListListenerCertificates: queries the SSL certificates that are associated with an HTTPS listener.