A security engineer must deploy X.509 certificates to two web servers behind a load balancer. Each web server is configured identically. Which of the following should be done to ensure certificate name mismatch errors do not occur?
A.
Create two certificates, each with the same fully qualified domain name, and associate each with the web servers’ real IP addresses on the load balancer.
B.
Create one certificate on the load balancer and associate the site with the web servers’ real IP addresses.
C.
Create two certificates, each with the same fully qualified domain name, and associate each with a corresponding web server behind the load balancer.
D.
Create one certificate and export it to each web server behind the load balancer.
I've worked with certs and load balancers for years and the ideal solution is to place the cert on the load balancer to do SSL offload, then pass unencrypted traffic to the webservers on the back end. However that's not an option here.
Of the bunch of answers the best solution is D. One cert deployed on multiple webservers so that the load balancer passes the traffic straight through with no SSL offload on the LB. There's absolutely no need to create one cert for each webserver; that would be really expensive and a nightmare from a cert management perspective, doing that for every single load balanced FQDN. Imagine having to manage multiple certs for one FQDN all expiring at different times.
The only time you would create multiple certs with the same FQDN is if they were going to be used by different webserver groups in different geographical locations. That way if the cert was compromised in one location it's easy to revoke and replace.
I'm 100% going for D on this one!
D.
When you have multiple web servers behind a load balancer, the common approach is to use a single SSL/TLS certificate that is shared among all servers. This ensures that the certificate presented to the clients is consistent regardless of which server handles the request. This setup avoids certificate name mismatch errors because all servers will present the same certificate, which matches the fully qualified domain name (FQDN) of the website.
D. Create one certificate and export it to each web server behind the load balancer.
This is generally the best approach when you have multiple identical web servers behind a load balancer. By using the same certificate, you ensure that no matter which server handles a given request, the certificate will match the domain name the client is expecting.
You don't need a wildcard certificate, you just create a new certificate with one subject alternative name, then specify that FQDN on the certificate. If the webserver hosts multiple FQDN names, then specify all of them on the certificate or use a wildcard, but it's not a requirement to use a wildcard, it just makes things easier. Answer in this case is D.
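The two posts above describe the deployment that option D produces: the load balancer passes TLS straight through, every backend presents the one certificate, and that certificate names the public FQDN in a SAN (a wildcard is optional). The script below is an added example, not code from the original discussion or from any product mentioned in it. It audits such a pool the way a client would experience it: it handshakes with each backend's real IP while sending the public FQDN as SNI, records the SHA-256 fingerprint and DNS SANs, and reports any backend whose certificate differs or does not cover the name. The hostname `test.company.com`, the 10.0.0.x backend addresses and the sample results are constructed for illustration; the SAN matching rules mirror what browsers enforce for wildcards (whole leftmost label only, never across a dot, never a bare `*.com`), which is stricter than the posts needed to spell out.

```python
"""Audit the certificate each backend behind a load balancer presents.

Added example: handshakes with each backend's real IP using the public FQDN as
SNI (what a browser sends when the load balancer passes TLS straight through),
records the SHA-256 fingerprint and the DNS SANs, and reports whether every
backend presents one identical certificate that covers the FQDN.
"""
import hashlib
import socket
import ssl
import sys
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BackendResult:
    backend: str                  # "ip:port" of the real server probed
    fingerprint: Optional[str]    # SHA-256 of the DER certificate, None if the handshake failed
    san_dns: List[str] = field(default_factory=list)
    error: Optional[str] = None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one DNS SAN entry (possibly a wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, appear nowhere else, and
    # sit under at least two more labels so "*.com" can never cover "company.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # "*.company.com" covers "test.company.com" but not "company.com" or "a.test.company.com".
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_dns: List[str], fqdn: str) -> bool:
    """True if any DNS SAN entry covers the FQDN that clients connect to."""
    return any(hostname_matches(entry, fqdn) for entry in san_dns)


def audit(results: List[BackendResult], fqdn: str) -> List[str]:
    """Return a list of problems; empty means every backend presents the same
    certificate and that certificate names the FQDN."""
    problems = []
    for r in results:
        if r.error:
            problems.append(f"{r.backend}: TLS handshake failed: {r.error}")
        elif not cert_covers(r.san_dns, fqdn):
            problems.append(f"{r.backend}: certificate does not name {fqdn} (DNS SANs: {r.san_dns})")
    fingerprints = sorted({r.fingerprint for r in results if r.fingerprint})
    if len(fingerprints) > 1:
        problems.append(f"backends present {len(fingerprints)} different certificates: {fingerprints}")
    return problems


def probe(backend_ip: str, port: int, fqdn: str,
          cafile: Optional[str] = None, timeout: float = 5.0) -> BackendResult:
    """Handshake with one backend by IP while sending the public FQDN as SNI."""
    label = f"{backend_ip}:{port}"
    ctx = ssl.create_default_context(cafile=cafile)  # system roots unless a private CA bundle is given
    ctx.check_hostname = False     # audit() does the name check, so a mismatching cert is still recorded
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((backend_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
                der = tls.getpeercert(binary_form=True)
                info = tls.getpeercert()  # parsed dict is only populated for a validated chain
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError subclasses
        return BackendResult(label, None, [], str(exc))
    sans = [value for kind, value in info.get("subjectAltName", ()) if kind == "DNS"]
    return BackendResult(label, hashlib.sha256(der).hexdigest(), sans)


FQDN = "test.company.com"

# Constructed sample results (not real probes): two backends carry the one cert
# from option D, the third was given a cert naming only its own internal hostname.
SAMPLE_RESULTS = [
    BackendResult("10.0.0.11:443", "a1" * 32, ["test.company.com"]),
    BackendResult("10.0.0.12:443", "a1" * 32, ["test.company.com"]),
    BackendResult("10.0.0.13:443", "b2" * 32, ["web03.internal.company.com"]),
]


if __name__ == "__main__":
    # usage: python audit_pool.py test.company.com 10.0.0.11 10.0.0.12 [...]
    if len(sys.argv) >= 3:
        fqdn = sys.argv[1]
        results = [probe(ip, 443, fqdn) for ip in sys.argv[2:]]
    else:
        fqdn, results = FQDN, SAMPLE_RESULTS
    for line in audit(results, fqdn) or [f"OK: all backends present one certificate naming {fqdn}"]:
        print(line)
```

Run it with no arguments to see the constructed sample flagged (the third backend fails the name check and the pool shows two fingerprints); pass the FQDN and the backends' real IPs to probe a live pool. The probe deliberately leaves chain validation on but turns `check_hostname` off, so a backend that presents a valid but wrongly named certificate is reported instead of just aborting the handshake.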
To ensure certificate name mismatch errors do not occur, the engineer should create one certificate on the load balancer and associate the site with the web servers' real IP addresses (B).
When a client requests a website that is load-balanced across multiple servers, the load balancer is responsible for directing the request to one of the servers. Each server must present the same certificate to the client to prevent certificate name mismatch errors. In this scenario, using a single certificate that is associated with the real IP addresses of the web servers on the load balancer will ensure that the same certificate is presented to the client no matter which server handles the request.
The best option to ensure certificate name mismatch errors do not occur is to create two certificates, each with the same fully qualified domain name, and associate each with a corresponding web server behind the load balancer (option C). This way, each web server will have its own certificate with the correct name, and there will not be any issues with the load balancer trying to use the same certificate for both web servers.
A cert isn't associated with any webserver at any point. If you were to create a CSR (Certificate Signing Request) for SAN name test.company.com and send it off to a CA like Entrust they simply sign it and return it to you. The PFX for test.company.com can then be deployed on any webserver as many times as needed.
The CA would never sign a cert for you if you attempted to associate the cert with some random internal webserver IP in a 10.0.0.X range as its not a valid FQDN and you don't own the IP.
Correct me if I'm wrong, but I think it's A - Create two certificates, each with the same FQDN, and associate each with a corresponding web server behind the load balancer. This will ensure that each server presents a valid certificate with the correct FQDN, and that the client is able to establish a secure connection without any errors. A, B, and D will not work, because they do not provide a valid certificate with the correct FQDN for each web server behind the load balancer.
If the load balancer hosts a site test.company.com and the webservers behind the LB all return the same cert with the SAN name "test.company.com". Why would that be invalid to the user?
Found this
You should be able to use the same certificate on each server. If your web site is www.gathright.com, you should be able to buy a cert for that FQDN. Then you install it on each of your 5 servers behind the balancer.
Source: https://serverfault.com/questions/68753/does-each-server-behind-a-load-balancer-need-their-own-ssl-certificate
C may be correct.
Using this link he agrees the answer is D - "If you do your load balancing on the TCP or IP layer (OSI layer 4/3, a.k.a L4, L3), then yes, all HTTP servers will need to have the SSL certificate installed."
It can be D also. Your argument is that you'll be able to use one certificate, but you chose creating two certificates instead. D should be ok
Community vote distribution: A (35%), C (25%), B (20%), Other
Commenters and posting times as shown on the page:
SimonR2 (highly voted), 1 year, 9 months ago
zecomeia_007 (most recent), 10 months, 4 weeks ago
chaddman, 1 year, 6 months ago
reidsel, 1 year, 11 months ago
db97, 2 years, 2 months ago
2Fish, 2 years, 1 month ago
SimonR2, 1 year, 9 months ago
ms200, 2 years, 3 months ago
TIM0088, 2 years, 4 months ago
SimonR2, 1 year, 9 months ago
bob12356, 2 years, 4 months ago
bob12356, 2 years, 4 months ago
SimonR2, 1 year, 9 months ago
marc4354345, 2 years, 4 months ago
Comptia_Secret_Service, 2 years, 5 months ago
SimonR2, 1 year, 9 months ago
iking, 2 years, 4 months ago