Sounds kind of like a 007 reference, but really it was a Beastie Boys reference. At first I thought it might be too young for my target audience, but then I realized it actually goes in the other direction and substantially dates me. Crud.
Anyhoo, this topic came up recently, and it’s something I’d kind of forgotten about (not having purchased an SSL certificate in quite a while). The topic is SSL certificates and licenses.
With a load balancer terminating an SSL connection, the certificate resides on the load balancer, and not on the servers (Diagram 1).
Diagram 1: SSL Termination at the Load Balancer
There are a couple of reasons to do this, including being able to parse the HTTP headers (for cookie persistence), and if the load balancer has an SSL accelerator card, it can handle substantially more SSL connections than the servers could by themselves.
To do this, you only need one SSL certificate. However, most SSL certificate authorities such as Verisign and Thawte require you to purchase a license for each server that serves up content protected by the SSL certificate. In fact, I can’t think of a CA that doesn’t. (Know any? Drop a comment.) The first license is included with the certificate, but with two or more servers, you’ll probably need to purchase additional licenses.
Got 10 servers and one domain? You’ll need one certificate, and 9 additional licenses in order to remain in compliance with most certificate vendors’ licensing terms. And given the nature of SSL, compliance is imperative.
True, you only need to purchase one actual certificate and install it on the load balancer, and technically everything will work. But without purchasing additional licenses for all the servers, you won’t be in license compliance. The savings are not worth the potential ramifications, especially if you’re a Fortune 500 company.
In cases of re-encrypting traffic before it heads to the servers for wire-to-wire encryption, the servers do have certs, but they needn’t be the purchased SSL certs. You still need the additional licenses in this case.
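To make the two arrangements concrete, here is an HAProxy configuration I’ve added as an example (it is not from the original post, and the post doesn’t specify any particular load balancer). It shows the Diagram 1 setup, where TLS terminates on the load balancer and the visible HTTP headers drive cookie persistence, and the re-encrypting variant, where each back-end server presents a certificate from an internal CA rather than the purchased one. The hostnames, addresses and file paths are assumptions.

```haproxy
# Added example, not from the original post. HAProxy, the addresses
# and the certificate paths are assumptions for illustration.
global
    log /dev/log local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Diagram 1 case: TLS ends at the load balancer. The one purchased
# certificate (PEM file holding key + cert + chain) lives only here.
frontend https_in
    bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem
    # Because TLS is terminated here, the request headers are readable,
    # so the persistence cookie set in the backend can be honoured.
    http-request set-header X-Forwarded-Proto https
    # Swap in web_reencrypt below for the wire-to-wire arrangement.
    default_backend web_plain

# Plain-HTTP back ends: the servers hold no certificate at all, yet
# under the licensing terms described above each still counts as a
# server serving content protected by the purchased certificate.
backend web_plain
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server web1 10.0.0.11:80 check cookie web1
    server web2 10.0.0.12:80 check cookie web2
    server web3 10.0.0.13:80 check cookie web3

# Wire-to-wire case: the load balancer re-encrypts toward the servers.
# The servers present certificates issued by an internal CA (assumed
# path), not the purchased one, and HAProxy verifies them against it.
backend web_reencrypt
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server web1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie web1
    server web2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie web2
    server web3 10.0.0.13:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.pem check cookie web3
```

In either backend the purchased certificate appears exactly once, on the `bind` line, which is what makes the licensing point easy to miss: with three servers behind it, the terms described above call for the one certificate plus two additional licenses, and switching to the re-encrypting backend changes nothing about that count, because the internal-CA certificates on the servers are not the purchased one.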
If you’re new to the load balancing world, it’s probably something you weren’t aware of, and it’s something that’s pretty easy to miss and end up in non-compliance with no intention of doing so. Even if you’ve been in the game for a while, it’s easy to forget about if you’re not often involved in the purchase of SSL certs. There certainly have been some debates about this (including on the lb-l) in terms of fairness, but the official and legal line (and my personal recommendation) is that compliance is mandatory.