Kemp LoadMaster: Publish Web Sites with Dual Certificates

Every customer has different requirements for publishing a web site, but what happens when the request is to use different certificates for the same web site? One of my main suggestions, when I talk with customers, is to always use a reverse proxy to publish an application server; this rule is valid even when there is only one server.


Kemp LoadMaster is an Application Delivery Controller solution that lets you publish services to the world, load balanced or not. In this article I will show how to publish a web site with two certificates; the requirement is not a “classic” one because there is a public certificate for external traffic and a private certificate for internal traffic.


To avoid problems, neither certificate should be a wildcard. In my case I used a wildcard for the public side, and it works, but this is a lab so I can take more risks.


Web Server
On your web server, import the internal certificate with the machine name and check that it is present in IIS, as shown in figure 1. Obviously you can do the same on Apache.


Figure 1 – Certificate in IIS


Add the certificate to the HTTPS binding of your web site, as shown in figure 2.


Figure 2 – HTTPS Binding


Kemp LoadMaster
Import both certificates into Kemp and create the new Virtual Services with all the classic parameters. To manage two different certificates, you need to enable Reencrypt between Kemp and the Real Server, as shown in figure 3. In some cases it may be necessary to set the Reencryption SNI Hostname.


Figure 3 – Certificate in Kemp


Now it’s time to test the solution! This is another demonstration of Kemp’s flexibility.
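One way to run that test from a machine that can reach both the virtual service and the real server, as an added example (not from the original article or from Kemp): it fetches the leaf certificate on each leg and compares SHA-256 fingerprints with the ones you expect. The function names, the addresses you pass in and the idea of pinning by fingerprint are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(host, sni, port=443, timeout=5.0):
    """Return the DER leaf certificate served at host:port for SNI name `sni`."""
    ctx = ssl.create_default_context()
    # Chain validation is off on purpose: the leaf is compared with a pinned
    # fingerprint below, and the internal CA may not be trusted on this machine.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem_text):
    """Fingerprint of a PEM certificate, e.g. the file imported into the LoadMaster."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def check_dual_certs(vip, real_server, site, public_fp, internal_fp,
                     backend_sni=None, fetch=fetch_leaf_der):
    """Return a list of problems; an empty list means each leg presents its own certificate.

    backend_sni should match the Reencryption SNI Hostname if one is set
    (assumption: it defaults to the site name otherwise).
    """
    problems = []
    front = fingerprint(fetch(vip, site))                        # client -> LoadMaster
    back = fingerprint(fetch(real_server, backend_sni or site))  # LoadMaster -> Real Server
    if front != public_fp:
        problems.append("virtual service does not present the public certificate")
    if back != internal_fp:
        problems.append("real server does not present the internal certificate")
    if front == back:
        problems.append("both legs present the same certificate")
    return problems
```

Compute `public_fp` and `internal_fp` with `pem_fingerprint()` from the two certificate files you imported, then call `check_dual_certs()` with the virtual service address, the real server address and the site name.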


Remember that you can try the Kemp LoadMaster virtual machine for 30 days: