TLS

Source: Internet  Published: ubuntu: exiting the vi editor  Editor: 程序博客网  Time: 2024/05/16 08:05

SSL overview

Server-Only Authentication



Client-Authenticated


The certificate is nothing more than a document containing the public key the client will use to compute key material and information about expiration, common and distinguished names, contact information, etc.  A certificate can be modified until it is signed.


use a single SSL cert on multiple servers

In fact, most large websites use load-balancing, which distributes the load of the site across multiple servers. There are two ways this can be done. The first is sharing the private key to every server that is going to host the site, the second is to use an SSL proxy that holds the private key on the edge of a private network of servers running the site (or possibly using alternate encrypted communication). Both have their strengths and weaknesses.

The critical part is not the certificate per se, but the private key. The certificate, properly said, contains the public key; the power of the server lies in the corresponding private key. If two servers "share" a certificate, then this means that both servers have access to the private key.

The recommended management method for private keys is to keep them local: the server itself is supposed to generate the key pair (the private and public keys), then send the public key to the CA (as part of a "certificate request") so that the CA may create (and sign) the certificate. The private key, thus, never leaves the server's entrails, and this is good, because the private key must be kept private.

When two servers contain the private key, then that key must have travelled at some point. Generically speaking, such key travel is sensitive and dangerous, and shall be done only with great care. Copying the key through SSH (e.g. with an scp command) ought to be safe. Alternatively, the private key may be packed with the certificate into a PKCS#12 archive (aka "PFX file") with password-based encryption: this will give decent protection for the key while it transits between the two servers IF the password has enough entropy (so use a big, fat and very random password).
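The procedure described in the last few paragraphs, as an added shell example (this is not code from the original page or from the sources it quotes): the key pair is generated locally, only the certificate request (public key plus names) goes to the CA, and the key and certificate are then packed into a password-protected PKCS#12 archive for transit and checked on the other side. It also prints the certificate fields mentioned earlier (subject, issuer, validity dates). The CA is a throwaway one created in the same script, standing in for a real CA; it assumes the openssl command-line tool is installed, and the file names, the hostname www.example.test, the CA name and the generated password are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page. Requires the openssl CLI.
# All names, subjects and the password below are constructed for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# A high-entropy password for the PKCS#12 archive (24 random bytes, base64).
make_password() {
  openssl rand -base64 24
}

# 1. On the server: generate the key pair locally and build a CSR from it.
make_server_key_and_csr() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORKDIR/server.key" 2>/dev/null
  openssl req -new -key "$WORKDIR/server.key" -subj "/CN=www.example.test" \
    -out "$WORKDIR/server.csr" 2>/dev/null
}

# Check: the CSR carries the public key only; the private key never leaves the server.
csr_has_no_private_key() {
  openssl req -in "$WORKDIR/server.csr" -noout -pubkey >/dev/null 2>&1 &&
    ! grep -q "PRIVATE KEY" "$WORKDIR/server.csr"
}

# 2. Stand-in CA: a self-signed root that signs the CSR (only the CSR crossed to it).
make_ca_and_sign() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
    -out "$WORKDIR/ca.key" 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -subj "/CN=Example Test CA" \
    -days 30 -out "$WORKDIR/ca.crt" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 30 \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# The certificate is a signed document: names, issuer, validity and the public key.
show_cert_summary() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -subject -issuer -dates
}

# 3. Pack key + certificate (+ CA cert) into a password-protected PKCS#12 for transit.
#    The PBES2/AES and SHA-256 MAC options avoid the weak legacy defaults of older OpenSSL.
pack_pkcs12() {
  openssl pkcs12 -export -inkey "$WORKDIR/server.key" -in "$WORKDIR/server.crt" \
    -certfile "$WORKDIR/ca.crt" -keypbe AES-256-CBC -certpbe AES-256-CBC \
    -macalg sha256 -passout "pass:$1" -out "$WORKDIR/server.p12"
}

# 4. On the receiving server: open the archive with the password and confirm the
#    unpacked private key matches the certificate's public key. Returns 1 otherwise.
check_pkcs12() {
  openssl pkcs12 -in "$WORKDIR/server.p12" -passin "pass:$1" -nodes -nocerts \
    -out "$WORKDIR/unpacked.key" 2>/dev/null || return 1
  key_pub=$(openssl pkey -in "$WORKDIR/unpacked.key" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$WORKDIR/server.crt" -pubkey -noout)
  rm -f "$WORKDIR/unpacked.key"   # do not leave a plaintext copy lying around
  [ "$key_pub" = "$cert_pub" ]
}

main() {
  pw=$(make_password)
  make_server_key_and_csr
  csr_has_no_private_key && echo "CSR carries the public key only"
  make_ca_and_sign
  show_cert_summary
  pack_pkcs12 "$pw"
  check_pkcs12 "$pw" && echo "PKCS#12 opens and the key matches the certificate"
  check_pkcs12 "not-the-password" || echo "wrong password rejected"
}
main
```

Only server.p12 (and, separately, the password) needs to travel; the bare server.key should stay where it was generated unless it is copied over an already-authenticated channel such as scp.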


Setting Up SSL proxy for Google Cloud Load Balancing

https://cloud.google.com/compute/docs/load-balancing/tcp-ssl/


