Configuring SSL server certificates
You do not need to add each server certificate individually. You need add only the unique certificates to a certificate pool on the server-side SteelHead. When a client initiates an SSL connection to a server, the SteelHead compares the common name of the server's certificate with the certificates in its pool. If it finds a match, it adds the server to the list of discovered servers that can be optimized, and all subsequent connections to that server are optimized.
If it does not find a match, it adds the server IP address and port, together with the client IP address (or a wildcard), to the list of bypassed servers, and all subsequent connections for that client-server pair are passed through unoptimized. The Discovered and Bypassed Server lists appear in the SSL Main Settings page.
The SteelHead supports RSA private keys for peers and SSL servers.
Optimization does not occur for a particular server IP address and port unless a suitable proxy server certificate is configured on the server-side SteelHead.
When you configure the proxy certificate and key for a back-end server on the server-side SteelHead, you do not have to use the back-end server's actual certificate and key: you can use a self-signed certificate and key, or a certificate and key signed by another CA. If you already have a CA-signed certificate and key, import them.
If you do not have a CA-signed certificate and key, you can add the proxy server configuration with a self-signed certificate and key, back up the private key, generate a CSR, have the CSR signed by a CA, and then import the newly CA-signed certificate together with the backed-up private key.
To back up a single certificate and key pair (the peering certificate and key, or a single server certificate and key), use the Export option (PEM format only). Make sure you select Include Private Key and enter an encryption password. Save the exported file, which contains the certificate and the encrypted private key. For details, see Configuring secure peers.
You can also simply use the generated self-signed certificate and key, but this is usually undesirable: clients do not trust a self-signed certificate by default, so every end user is prompted to act before the connection proceeds.
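The following POSIX shell script is an added example, not Riverbed code or part of this documentation. It reproduces with openssl the material the procedure above produces: a self-signed proxy certificate with a wildcard common name and a new 2048-bit RSA key, a password-encrypted backup of that key, a CSR for the same key, a CA-signed certificate for the CSR, a PKCS-12 bundle for upload, and a check that the backed-up key really belongs to the CA-signed certificate before you import the pair. It also shows the pool lookup from the discovery step as a common-name comparison. The hostnames, the passwords, and the private CA that stands in for your real CA are constructed for the example; the rule that a wildcard matches exactly one DNS label is the usual one and is an assumption, since the page does not spell out the SteelHead's exact matching rule.

```shell
#!/bin/sh
# Added example, not Riverbed code: builds with openssl the material the
# SteelHead UI asks for. Hostnames, passwords and the private CA are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYBITS=2048                 # the UI default for "Private Key Cipher Bits"
SUBJ_BASE="/C=US/ST=California/L=San Francisco/O=Example Corp/OU=IT"
BACKUP_PW="backup-secret"    # encryption password used by Export (constructed)
P12_PW="p12-secret"          # Decryption Password required for PKCS-12 uploads

# "Generate Self-Signed Certificate and New Private Key", with a wildcard CN.
make_selfsigned() {  # $1 = common name, e.g. '*.nbttech.com'
    openssl req -x509 -newkey "rsa:$KEYBITS" -nodes -sha256 -days 365 \
        -subj "$SUBJ_BASE/CN=$1" \
        -keyout "$WORK/proxy.key" -out "$WORK/proxy-selfsigned.pem" 2>/dev/null
}

# Export with "Include Private Key": the backup is the key, encrypted with a password.
backup_key() {
    openssl pkey -in "$WORK/proxy.key" -aes256 -passout "pass:$BACKUP_PW" \
        -out "$WORK/proxy.key.backup"
}

# CSR for the same private key, so the CA-signed certificate matches the backup.
make_csr() {  # $1 = common name
    openssl req -new -key "$WORK/proxy.key" -subj "$SUBJ_BASE/CN=$1" \
        -out "$WORK/proxy.csr"
}

# Stand-in for your CA: a private CA constructed here only to sign the CSR.
ca_sign() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example Corp/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/proxy.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -sha256 -days 365 \
        -out "$WORK/proxy-ca.pem" 2>/dev/null
}

# Import check: the SteelHead needs the private key with every certificate, so
# confirm the public key in the certificate equals the one derived from the key.
key_matches_cert() {  # $1 = certificate (PEM), $2 = key (PEM), $3 = key password or ""
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# "Certificate Upload" in PKCS-12 format: certificate, chain and key in one file,
# which is why a decryption password is mandatory for it.
make_pkcs12() {
    openssl pkcs12 -export -inkey "$WORK/proxy.key" -in "$WORK/proxy-ca.pem" \
        -certfile "$WORK/ca.pem" -passout "pass:$P12_PW" -out "$WORK/proxy.p12"
}

# Common name of a certificate, as the discovery step reads it from the pool.
cert_cn() {  # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Pool lookup: the pool entry must equal the server's CN, or be a wildcard whose
# '*' stands for exactly one non-empty DNS label (assumed one-label rule).
cn_matches() {  # $1 = server certificate CN, $2 = pool certificate CN
    host=$1; pat=$2
    case "$pat" in
        \*.*)
            suffix=${pat#\*}; head=${host%"$suffix"}
            [ "$head" != "$host" ] && [ -n "$head" ] || return 1
            case "$head" in *.*) return 1 ;; *) return 0 ;; esac ;;
        *) [ "$host" = "$pat" ] ;;
    esac
}

# The whole procedure: self-signed cert -> key backup -> CSR -> CA signature ->
# verify backup against the signed cert -> PKCS-12 for upload.
run_pipeline() {
    make_selfsigned '*.nbttech.com'
    backup_key
    make_csr '*.nbttech.com'
    ca_sign
    key_matches_cert "$WORK/proxy-ca.pem" "$WORK/proxy.key.backup" "$BACKUP_PW"
    make_pkcs12
}

run_pipeline
pool_cn=$(cert_cn "$WORK/proxy-ca.pem")
echo "CA-signed proxy certificate CN in pool: $pool_cn (files in $WORK)"
for host in webmail.nbttech.com internal.nbttech.com nbttech.com a.b.nbttech.com; do
    if cn_matches "$host" "$pool_cn"; then echo "$host: discovered"; else echo "$host: bypassed"; fi
done
```

After the script runs, `proxy-ca.pem` plus `proxy.key.backup` (with its password) is what you import through Import Certificate and Private Key, or `proxy.p12` with its password through Certificate Upload. Run `key_matches_cert` against the actual files you are about to import; a certificate signed for a CSR made from a different key is the usual reason an import is rejected.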
On the server-side SteelHead, under SSL Server Certificates, these configuration options are available:
Add a New SSL Certificate
Displays the controls to add a new server certificate.
Name
Specifies a name for the proxy certificate (required when generating a certificate, leave blank when importing a certificate).
Import Certificate and Private Key
Imports the certificate and key. The page displays controls for browsing to and uploading the certificate and key files, or you can paste the contents of a PEM file into the text box. The private key is required whether you are adding a new certificate or updating an existing one.
Certificate Upload
Browses to the local file in PKCS-12, PEM, or DER formats.
Paste it here (PEM)
Pastes the contents of a PEM file into the text box.
Private Key
Specifies the private key origin:
• The Private Key is in a separate file (see below)—You can either upload it or copy and paste it.
• This file includes the Certificate and Private Key
Separate Private Key
Upload (PEM or DER formats)
Browses to the local file in PEM or DER formats.
Paste it here (PEM only)
Pastes the contents of a PEM file.
Decryption Password
Specifies the decryption password, if necessary. Passwords are required for PKCS-12 files, optional for PEM files, and never needed for DER files.
Exportable
(Appears only when global exporting of SSL server certificates is enabled.) Allows the certificate and server key to be exported. This is the default setting. Disable it to make sure the private key never leaves the SteelHead.
Generate Self-Signed Certificate and New Private Key
Generates a new private key and self-signed public certificate. The page displays controls to identify and generate the new certificate and key:
Common Name specifies the common name of the certificate. To simplify configuration, you can use a wildcard in the name, for example *.nbttech.com. If you have three origin servers using different certificates, such as webmail.nbttech.com, internal.nbttech.com, and marketingweb.nbttech.com, all three server configurations on the server-side SteelHeads can use the same certificate name, *.nbttech.com.
Organization Name specifies the organization name (for example, the company).
Organization Unit Name specifies the organization unit name (for example, the section or department).
Locality specifies the city.
State (no abbreviations) specifies the state.
Country (2-letter code) specifies the country (two-letter code only).
Email Address specifies the email address of the contact person.
Validity Period (Days) specifies how many days the certificate is valid.
Private Key Cipher Bits
Specifies the RSA key length, in bits, from the drop-down list. The default is 2048.
Add
Adds the new certificate and key to the server certificate pool.
Paste it here (PEM)
Pastes the contents of a PEM file into the text box.