We run a large-ish SaaS application hosted on windows 2008R2 / IIS7.5 clusters behind an F5 network appliance cluster.
Today, we offer white labeled branding to customers via custom CNames (your-company.our-domain.com).
We would like to offer the ability for a customer to specify their own domain name for white labeling (www.your-domain.com) for a domain they already own.
By having the customer set up an A or CNAME record on their own DNS server, pointing to an IP we specify, our IIS machines receive the request - but since the entire SaaS app should run through SSL, we are a bit stumped as to how best to proceed.
Currently, we do not offload SSL handling to the F5 appliances, and instead have the IIS machines handle SSL. Our corporate certs are loading into the stores on each windows IIS servers, and configured there.
We are looking for a "best practice" approach to allow a customer to self configure their custom domain with SSL enabled.
Currently, our best idea would be to have the customer upload a PEM containing their key information via their administration panel in our SaaS, and then we would add the cert programmatically to each windows machine and IIS configuration as required. This to me seems like its a bit of a security issue, as doesn't this mean the customer is forced to share their private key with us? (I'm not very strong in asymmetric encryption, so I realize I might be wrong on this part).
Is this a best practice on sites that allow custom domains? Is there a better option? We're also aware our F5 infrastructure allows SSL offloading - if anyone out there is familiar with that solution and knows of something we could take advantage of there.
Thank you everyone for the help.
