VMware Horizon Community
kermic
Expert

Security Server SSL certificates from 3rd party CA

Hello folks!

Since this SSL thing is a bit of a mystery to me, some advice / comment would be kindly appreciated.

View 6.2

2 Security Servers (Windows computer names: SS1 and SS2) set up in the DMZ, will be placed behind a Load Balancer mainly for availability (no SSL offloading intended on the Load Balancer at this time). The externally resolvable load-balanced URL is going to be "view.mycompany.com".

Now there is a task to request an SSL certificate from a public 3rd party CA for client connections coming from the Internet to the load-balanced URL.

If I got it right, then the CSR should be generated on one of the security servers, let's say SS1, making sure that the private key can be exported and the CN in the Subject line is set to "view.mycompany.com" (the externally resolvable URL that clients will connect to).

Once the certificate is generated by the CA, it should be installed on SS1, then the private key exported and, together with the same certificate, installed on SS2, right?

At this point the external connections should be happy, as the certificate presented to the client by either security server corresponds to the load-balanced URL that they connect to.

What I'm concerned and not sure about is how my Connection Server will react to this. Would it be so that whenever SS1 establishes a session with the CS, SS1 will use the same certificate (issued to view.mycompany.com); however, since the CS recognizes the other party as "SS1", not "view.mycompany.com", would the CS still complain about an invalid certificate on the security server? If so, should I set the Subject Alt Names in the CSR to include the values "SS1" and "SS2" (the names by which the Connection Server recognizes the Security Servers)?

Thanks in advance!

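A worked example of the request the question describes, added here and not part of the thread: a certreq INF for SS1 with CN=view.mycompany.com and the SS1/SS2 SAN entries the question proposes, a check of the installed certificate, and the PFX export for SS2. The organization, key parameters and file paths are assumptions; the friendly name "vdm" is the name Horizon View looks for in the local computer store; whether the Connection Server actually needs the SS1/SS2 SANs is not settled by this thread.

```powershell
# Added example, not the thread's own code. Run on SS1 as administrator; C:\certs,
# the O/C values and the returned file name view.cer are assumptions.
$inf = @"
[NewRequest]
Subject = "CN=view.mycompany.com, O=MyCompany, C=US"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256
FriendlyName = "vdm"

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=view.mycompany.com&"
_continue_ = "dns=SS1&"
_continue_ = "dns=SS2"
"@
Set-Content -Path C:\certs\view.inf -Value $inf -Encoding Ascii
# 1. Generate the exportable key pair in the machine store and the CSR for the CA.
certreq -new C:\certs\view.inf C:\certs\view.csr
# 2. When the CA returns the signed certificate, bind it to the pending key on SS1.
certreq -accept C:\certs\view.cer
# 3. Check the installed certificate against what View and external clients need.
function Test-HorizonCert {
    param([string]$Cn = 'view.mycompany.com')
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Cn*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate for $Cn in LocalMachine\My" }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '(none)' }
    [pscustomobject]@{
        Thumbprint      = $cert.Thumbprint
        FriendlyName    = $cert.FriendlyName    # View only uses the cert named 'vdm'
        HasPrivateKey   = $cert.HasPrivateKey   # must be True on SS1 and later on SS2
        SubjectAltNames = $sanText              # expect view.mycompany.com, SS1, SS2
        NotAfter        = $cert.NotAfter
    }
}
$result = Test-HorizonCert
# 4. Export cert + private key for SS2 (import there with Import-PfxCertificate -Exportable).
$pw = Read-Host -AsSecureString 'PFX password'
Get-Item "Cert:\LocalMachine\My\$($result.Thumbprint)" |
    Export-PfxCertificate -FilePath C:\certs\view.pfx -Password $pw
```

After importing the PFX on SS2, run the same check there and confirm the friendly name is still "vdm" and HasPrivateKey is True, since View ignores a certificate that fails either test.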
ksliger_lexon
Contributor

I would strongly suggest you use the EUC Access Point appliance vs. the security server. It's a hardened Linux-based appliance. The version in Horizon 7 is fairly easy to get set up. The version in 6.x is a little trickier. Here is an excellent blog covering how to do this. I was able to follow this (slowly) and get it all set up. I sleep much better at night knowing I have locked-down and hardened Linux-based appliances in place of my previous Windows-based security servers.

http://www.carlstalhood.com/vmware-access-point/
