Ssl – How to best set up SSL for use with multiple Amazon EC2 Server instances behind a load balancer

If you have 5 web servers behind a load balancer (...) do you need SSL certificates for all the servers,

It depends.

If you do your load balancing on the TCP or IP layer (OSI layer 4/3, a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL certificate installed.

If you load balance on the HTTPS layer (L7), then you'd commonly install the certificate on the load balancer alone, and use plain un-encrypted HTTP over the local network between the load balancer and the webservers (for best performance on the web servers).

If you have a large installation, then you may be doing Internet -> L3 load balancing -> layer of L7 SSL concentrators -> load balancers -> layer of L7 HTTP application servers...

Willy Tarreau, the author of HAProxy, has a really nice overview of the canonical ways of load balancing HTTP/HTTPS.

If you install a certificate on each server, then be sure to get a certificate that supports this. Normally certificates can be installed on multiple servers, as long as the servers all serve traffic for one Fully Qualified Domain Name only. But verify what you're buying, certificate issuers can have a confusing product portfolio...

The advantage of doing SSL termination on your load balancer is that you relieve your back-end nodes of having to perform SSL encryption/decryption.

As such, just deploy your SSL private key and signed cert to the ELB. That will take care of SSL termination, and can then proxy traffic unencrypted to your back-end instances. If you want traffic between the ELB and your back-end instances to be encrypted, that's fine, but you will still need the ELB to have your private key and signed cert.

In regards to getting your certificates and keys out of the java keystore, that's certainly possible. This Q&A over on Stackoverflow has the details.