Load Balancing Multiple Web Servers with Separate SSL Certificates


With SSL certificates, there is the concept of a public key and a private key.  When looking at traffic sent from the client to the web server, the public key is used to encrypt data and the private key is used to decrypt data.  The client gets the public key from the SSL certificate.  The private key is a highly protected value stored on the web server.  If someone was able to obtain the private key, they could pretend to be the web server and successfully decrypt traffic that was supposed to be sent to the web server.  For this reason, the private key needs to be carefully protected.

When load balancing web servers that use SSL, the natural thought is that the same private key must exist on each load balanced web server since the web server functionality should be identical.  This can create a security concern because, ideally, the private key should never leave the server that it was configured on.  There is a method for allowing each web server to have its own SSL certificate and associated public/private key pair.  This method uses the “subject alternative name” field of an SSL certificate.  This field allows multiple SSL certificates to handle the same fully qualified domain name(FQDN).  For example if the website https://www.netcraftsmen.net was load balanced by three web servers, each web server could have its own SSL certificate that was populated with a unique CN name and associated public/private key pair.  Each of the SSL certificates would have the same subject alternative name.  This field would be populated with the name “www.netcraftsmen.net”.  End users would access https://www.netcraftsmen.net and each web server would be able to handle the SSL requests as long as the subject alternative name had “www.netcraftsmen.net” populated in the field.

Leave a Reply