If you have 5 web servers behind a load balancer (...)
do you need SSL certificates for all the servers,
It depends.
If you do your load balancing on the TCP or IP layer (OSI layer 4/3, a.k.a. L4, L3), then yes, all HTTP servers will need to have the SSL certificate installed.
If you load balance on the HTTPS layer (L7), then you'd commonly install the certificate on the load balancer alone, and use plain unencrypted HTTP over the local network between the load balancer and the web servers (for best performance on the web servers).
If you have a large installation, then you may be doing Internet -> L3 load balancing -> layer of L7 SSL concentrators -> load balancers -> layer of L7 HTTP application servers...
Willy Tarreau, the author of HAProxy, has a really nice overview of the canonical ways of load balancing HTTP/HTTPS.
If you install a certificate on each server, then be sure to get a certificate that supports this. Normally certificates can be installed on multiple servers, as long as the servers all serve traffic for one Fully Qualified Domain Name only. But verify what you're buying; certificate issuers can have a confusing product portfolio...
No, they do not need to be on unique IP addresses.
Navigate to C:\Windows\System32\Inetsrv\. In the Inetsrv folder, run the following command for each of the other websites on the IP address that need to use the certificate:
appcmd set site /site.name:"{IISSiteName}" /+bindings.[protocol='https',bindingInformation='*:443:{hostHeaderValue}']
Replace {IISSiteName} with the name of the IIS site and {hostHeaderValue} with the host header for that site, e.g. site.mydomain.com.
Best Answer
I'll answer this in two steps...
Do You Need an SSL Cert for Each Subdomain ?
Yes and no, it depends. Your standard SSL certificate will be for a single domain, say www.domain.example. There are different types of certs you can get aside from the standard single domain cert: wildcard and multi domain certs.

A wildcard cert will be issued for something like *.domain.example, and clients will treat this as valid for any domain that ends with domain.example, such as www.domain.example or ws.domain.example.

A multi domain cert is valid for a predefined list of domain names. It does this by using the Subject Alternative Name field of the cert. For example, you could tell a CA that you want a multi domain cert for domain.example and ws.mysite.example. This would allow it to be used for both domain names.

If neither of these options work for you, then you would need to have two different SSL certs.
Do I Need a Dedicated IP for Each Subdomain ?
Again, this is a yes and no...it all depends on your web/application server. I am a Windows guy, so I will answer with IIS examples.
If you are running IIS7 or older, then you are forced to bind SSL certs to an IP and you cannot have multiple certs assigned to a single IP. This causes you to need a different IP for each subdomain if you are using a dedicated SSL cert for each subdomain. If you are using a multi domain cert or a wildcard cert, then you can get away with a single IP, as you only have one SSL cert to begin with.
If you are running IIS8 or later, then the same applies. However, IIS8+ includes support for something called Server Name Indication (SNI). SNI allows you to bind an SSL cert to a hostname, not to an IP. So the hostname (Server Name) that is used to make the request is used to indicate which SSL cert IIS should use for the request.
If you use a single IP, then you can configure websites to respond to requests for specific hostnames.
I know that Apache and Tomcat also have support for SNI, but I am not familiar enough with them to know what versions support it.
Bottom Line
Your application/web server and what type of SSL certs you are able to obtain will dictate your options.