Does each server behind a load balancer need their own SSL certificate?

If you have 5 web servers behind a load balancer (such as haproxy) and they are serving up content for the same domain, do you need SSL certificates for all the servers, or can you use the same certificate on each server?

I know you can put all SSL requests on a specific server, but that requires distributed session info and hoping it doesn't come to that.


If you have 5 web servers behind a load balancer (...) do you need SSL certificates for all the servers,

It depends.

If you do your load balancing on the TCP or IP layer (OSI layer 4/3, a.k.a. L4, L3), then yes, all HTTP servers will need to have the SSL certificate installed.

If you load balance on the HTTPS layer (L7), then you'd commonly install the certificate on the load balancer alone, and use plain unencrypted HTTP over the local network between the load balancer and the web servers (for best performance on the web servers).

If you have a large installation, then you may be doing Internet -> L3 load balancing -> layer of L7 SSL concentrators -> load balancers -> layer of L7 HTTP application servers...

Willy Tarreau, the author of HAProxy, has a really nice overview of the canonical ways of load balancing HTTP/HTTPS.

If you install a certificate on each server, then be sure to get a certificate that supports this. Normally certificates can be installed on multiple servers, as long as the servers all serve traffic for one Fully Qualified Domain Name only. But verify what you're buying; certificate issuers can have a confusing product portfolio...
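To make the L4-versus-L7 distinction in this answer concrete, here is an added HAProxy configuration showing both setups side by side (this is an illustrative example, not configuration from the answer or from the HAProxy project; the certificate path, backend addresses and server names are placeholders, and the `bind ... ssl crt` form assumes HAProxy 1.5 or later):

```haproxy
# --- Option 1: L4 (TCP) passthrough ---
# HAProxy only forwards TCP; the TLS handshake ends on each web server,
# so every backend must have the certificate and private key installed.
frontend https_passthrough
    bind *:443
    mode tcp
    option tcplog
    default_backend web_tls

backend web_tls
    mode tcp
    # Session stickiness has to come from somewhere other than HTTP cookies
    # here, because HAProxy cannot see inside the encrypted stream.
    balance source
    server web1 10.0.0.11:443 check   # placeholder backend addresses
    server web2 10.0.0.12:443 check
    server web3 10.0.0.13:443 check

# --- Option 2: L7 (HTTPS) termination on the load balancer ---
# One certificate lives on HAProxy (a PEM file holding cert chain + key);
# traffic to the backends is plain HTTP on the local network.
frontend https_terminated
    bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem   # placeholder path
    mode http
    option httplog
    # Let the application know the client connection was HTTPS and
    # preserve the original client IP, since backends see only HAProxy.
    http-request set-header X-Forwarded-Proto https
    option forwardfor
    default_backend web_http

backend web_http
    mode http
    # HTTP is visible, so cookie-based stickiness works if the app needs it.
    cookie SRV insert indirect nocache
    server web1 10.0.0.11:80 check cookie web1
    server web2 10.0.0.12:80 check cookie web2
    server web3 10.0.0.13:80 check cookie web3
```

Only one of the two frontends would normally be enabled on a given port. The practical trade-off is the one the answer describes: option 1 means distributing the key material to every server and keeping it in sync at renewal time, while option 2 keeps the private key in one place but sends unencrypted HTTP across the internal network, which is only acceptable if that network is trusted.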


You should be able to use the same certificate on each server. If your web site is www.gathright.com, you should be able to buy a cert for that FQDN. Then you install it on each of your 5 servers behind the balancer.

Alternatively, you can get a separate cert for each web server, but include 'www.gathright.com' as a "Subject Alternative Name", which means each of the 5 certs would be valid for SSL to that general FQDN as well as SSL to the specific server FQDNs.
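The two options in this answer differ in which names each installed certificate must cover. The following added Python example (not code from the answer) audits that: it implements the usual DNS-ID matching rules for Subject Alternative Names (case-insensitive comparison, and a wildcard only as the whole leftmost label matching exactly one label) and checks a constructed five-server fleet under both the shared-certificate and per-server-certificate layouts. The server names and SAN lists are constructed to mirror the answer's www.gathright.com example.

```python
"""Audit which client-facing hostnames a fleet's certificates cover.

Added example, not code from the original answers. The server names and
SAN lists below are constructed: one public name (www.gathright.com) and
one FQDN per server. Name matching follows the DNS-ID rules commonly
applied from RFC 6125: compare case-insensitively, and allow a wildcard
only as the entire leftmost label, matching exactly one label.
"""

from typing import Dict, Iterable, List


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName `pattern` is valid for `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label ("*.example.com"),
    # must not appear in any other label (rejects "w*.example.com"), and
    # must leave at least two labels to its right (rejects "*.com").
    if (p_labels[0] != "*"
            or any("*" in lbl for lbl in p_labels[1:])
            or len(p_labels) < 3):
        return False
    # A wildcard matches exactly one label, never "a.b.example.com".
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def covered(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN entry in the certificate is valid for `hostname`."""
    return any(hostname_matches(n, hostname) for n in san_names)


def audit(certs_by_server: Dict[str, List[str]],
          required_by_server: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map each server to the required names its installed cert does not cover.

    Servers whose certificate covers every required name are omitted, so an
    empty dict means the whole fleet is correctly covered.
    """
    gaps: Dict[str, List[str]] = {}
    for server, required in required_by_server.items():
        sans = certs_by_server.get(server, [])
        missing = [name for name in required if not covered(sans, name)]
        if missing:
            gaps[server] = missing
    return gaps


PUBLIC_NAME = "www.gathright.com"
SERVERS = [f"web{i}.gathright.com" for i in range(1, 6)]

# Constructed scenario A: one shared certificate for the public name only,
# installed unchanged on all five servers (the first option in the answer).
SHARED_CERT_SANS = {s: [PUBLIC_NAME] for s in SERVERS}

# Constructed scenario B: a per-server certificate listing the server's own
# FQDN plus the public name as a SAN (the second option in the answer),
# except that web3's certificate was issued without the public name.
PER_SERVER_SANS = {s: [s, PUBLIC_NAME] for s in SERVERS}
PER_SERVER_SANS["web3.gathright.com"] = ["web3.gathright.com"]


def required_names(public_only: bool) -> Dict[str, List[str]]:
    """Names clients may connect with, per server: the public name, and
    optionally the server's own FQDN (e.g. when it is also reached directly)."""
    return {s: [PUBLIC_NAME] if public_only else [PUBLIC_NAME, s]
            for s in SERVERS}


def audit_shared() -> Dict[str, List[str]]:
    # With every client coming through the balancer, only the public name
    # needs to be covered, and the shared certificate covers it everywhere.
    return audit(SHARED_CERT_SANS, required_names(public_only=True))


def audit_per_server() -> Dict[str, List[str]]:
    # Servers are also reached by their own FQDN, so both names are required;
    # the audit flags web3, whose certificate lacks the public name.
    return audit(PER_SERVER_SANS, required_names(public_only=False))


if __name__ == "__main__":
    print("shared cert gaps:    ", audit_shared())      # {}
    print("per-server cert gaps:", audit_per_server())  # {'web3.gathright.com': ['www.gathright.com']}
```

In practice the SAN lists would be read from the certificate each server actually presents (for example by parsing the output of `openssl x509 -noout -ext subjectAltName`), but the matching and audit logic is the same; running it after every renewal catches the per-server layout's main failure mode, a reissued certificate that silently dropped the shared name.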