The quick answer is that some sort of SSL certificate must be installed on your server(s) if you are not going to perform SSL Offload and want to maintain end-to-end encryption.  But this doesn’t have to be the same SSL cert you install in the load balancer if you don’t want. It can be, and sometimes that is easiest, but it could also be a self-signed certificate. So long as it contains a valid key and has not expired, we will accept it. It is true that some of our competitors require a certificate signed by a CA on your server, but because your server is behind the load balancer and will never be directly accessed by a customer, it isn’t necessary from our perspective. A self-signed can offer the same level of encryption and even has the added bonus of a really long expiration so you don’t have to change it as often. Of course, there are negatives to that too, but how long you push out the expiration is completely up to you.