Each web tier has a certificate based on the virtual hostname. Some features, such as risk-based authentication, use the virtual hostname to allow use of a load balancer. Other features, such as the Self-Service Console, use the virtual hostname so that the Console can connect to the web-tier server that is associated with the primary instance.
Replacing your default RSA virtual host certificate is optional. You might need to replace this certificate for the following reasons:
Your network policy requires you to use certificates issued by a trusted root certificate authority (CA).
Your current certificate issued by a trusted root CA is expired.
You want to replace the default RSA certificate because your browser warns you that the default certificate is not trusted.