If you only have one network interface and there are two different domains, then you will need a wildcard certificate for the primary domain.
You could use two different network interfaces and bind two different certificates, one for the internal domain and one for the external domain name. This is slightly more complex, but could be accomplished by binding them on the System>Network> page. You would import both certificates and then bind one to eth0 and the other to eth1.
It is recommended to have the server name for external lookups as keys.domain.com. Internally it doesn't matter what name you use as long as it matches the installation package that is built on the server.
If you are using a cluster of servers, then I would recommend using a load balancer between all the traffic and have that IP set up as keys.domain.com for the external traffic.
You should also load balance internal traffic to make sure that the clients and mail flow are balanced and to help in case of problems on one server. This really depends on how many clients and how much mail you are attempting to send through the server.
The only way traffic gets to both servers in a clustering configuration is if you have a load balancer. The Symantec Encryption Management Server does not do redundancy by default, so it's not true clustering as you would think of it. It just copies data between servers so that both of them have the same data. If you want redundancy, then you need to have a load balancer for this traffic.