SSL Certificate on Load balancer or server

Tags: load-balancing, ssl-certificate, windows-server-2008

I have a load balancer distributing traffic between two servers; the public-facing URLs are all https-prefixed.

I want to generate a wildcard SSL certificate, but I am not sure whether it is better to place it on the load balancer or on the two servers. What is the recommendation? What are the benefits and differences?

Thanks

Best Answer

A very common practice (I wouldn't say standard) is to place/configure the certificate in the load balancer, not in the backend servers. Why? This enables the load balancer to handle the TLS handshake/termination overhead (i.e. memory/CPU for TLS messages), rather than having the backend application servers use their CPUs for that encryption, in addition to providing the application behavior. Thus it's usually a "pro" of having the TLS termination be in front of your application servers.

This also allows for TLS session caching on the single route to your servers (i.e. through the load balancer), which means greater chances of using a cached TLS session. If, on the other hand, you configured the certificate on each of the backend servers, then those servers would (presumably) have their own separate TLS session caches; a client may (or may not) be directed, by the load balancer, to the backend server that has its TLS session cached.

So the short version is: configuring the certificate in the load balancer is the generally recommended approach.

Hope this helps!
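The setup the answer describes, written out as an added configuration example (not from the original post, and not tied to any particular product the asker is running): nginx acting as the load balancer, terminating TLS with a single wildcard certificate and a shared session cache, and forwarding plain HTTP to the two backends. The hostnames, backend addresses and certificate paths are placeholders.

```nginx
# Added example, assumed layout: nginx as the public load balancer,
# two application servers (10.0.0.11 / 10.0.0.12) on an internal network.

upstream app_backends {
    server 10.0.0.11:80;
    server 10.0.0.12:80;
}

server {
    listen 443 ssl;
    server_name *.example.com;            # one wildcard name covers every public host

    # The wildcard certificate and key live only on the load balancer;
    # the backends never see a TLS handshake.
    ssl_certificate     /etc/nginx/tls/wildcard.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # One session cache for all clients, regardless of which backend they
    # are later routed to, so resumption does not depend on backend affinity.
    ssl_session_cache   shared:SSL:10m;   # ~40k sessions per 10 MB
    ssl_session_timeout 1h;
    ssl_session_tickets off;              # avoid long-lived ticket keys unless you rotate them

    location / {
        proxy_pass http://app_backends;   # plaintext hop to the backends
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;   # lets the app know the client used HTTPS
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
}

server {
    listen 80;
    server_name *.example.com;
    return 301 https://$host$request_uri;  # keep the public URLs HTTPS-only
}
```

Two caveats follow from this layout. The hop from the load balancer to the backends is plaintext, so it is only acceptable if that network segment is trusted; otherwise use `proxy_pass https://...` with the `proxy_ssl_*` directives to re-encrypt (at the cost of the CPU savings the answer mentions). And because the backends now see HTTP, the application should trust the `X-Forwarded-Proto` header only when the request actually came from the load balancer's address, or anyone who can reach port 80 on a backend directly can claim to be "secure".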