You can associate a certificate in SSL Certificates Service with an ALB listener. You can also upload a server certificate issued by a third party or Certificate Authority (CA) to SSL Certificates Service.

Background information

ALB supports one-way authentication and mutual authentication.
  • One-way authentication: The client must verify the identity of the server. The server does not need to verify the identity of the client. When you configure an HTTPS listener or a QUIC listener, you must associate a server certificate with the listener.
  • Mutual authentication: The client must verify the identity of the server. The server must verify the identity of the client. A connection can be established only after both sides are verified. After mutual authentication is enabled, you must associate a server certificate with the listener. In addition, you must associate a CA certificate with the listener to verify the identity of the client.
    Note
    • ALB instances that are created in the following regions support mutual authentication: Singapore (Singapore), Indonesia (Jakarta), Germany (Frankfurt), and US (Virginia).
    • QUIC listeners do not support mutual authentication.
    • Basic ALB instances do not support mutual authentication.

Scenarios

  • Scenario 1: Replace a certificate of a listener with a newly created certificate.
  • Scenario 2: Replace a certificate of a listener with an existing certificate in SSL Certificates Service.
  • Scenario 3: Associate an additional certificate with a listener.
  • Scenario 4: Enable or disable mutual authentication.

Procedure

  1. Log on to the ALB console.
  2. On the Instances page, click the ID of the ALB instance that you want to manage.
  3. On the Listener tab, find the listener that you want to manage and click Manage Certificate in the Actions column.
  4. On the Certificates tab, perform the following operations:
    • On the Server Certificates or CA Certificates tab, find the certificate that you want to manage and click Change in the Actions column. You can select an existing server certificate from the drop-down list or purchase a certificate.
      Note To prevent service interruptions, we recommend that you replace your certificates before they expire.
    • On the Server Certificates tab, click Add Extended Validation Certificate to associate a certificate with the listener.
    • You can enable or disable mutual authentication on the CA Certificates tab. If this is the first time that you enable mutual authentication for a listener, you must purchase a CA certificate.
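
The note above recommends replacing certificates before they expire. The following added example (not part of the original documentation or of any ALB tooling) flags server certificates that are close to or past expiry, using only the Python standard library. The domain names, dates, and the 30-day threshold are constructed assumptions.

```python
import socket
import ssl
import time

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Return the validated server certificate served for `host` (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends SNI, so the certificate bound to this domain is returned
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def days_remaining(cert, now=None):
    """Whole days until the certificate's notAfter (negative once expired)."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((not_after - now) // 86400)

def expiring(certs, threshold_days=30, now=None):
    """Return (name, days_left) for certificates within the threshold, soonest first."""
    flagged = [(name, days_remaining(cert, now)) for name, cert in certs.items()]
    return sorted((f for f in flagged if f[1] <= threshold_days), key=lambda f: f[1])

# Constructed sample data in the shape returned by SSLSocket.getpeercert().
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2024 GMT")
SAMPLE_CERTS = {
    "www.example.com": {"notAfter": "Jun 15 12:00:00 2024 GMT"},
    "api.example.com": {"notAfter": "Dec 31 23:59:59 2024 GMT"},
    "old.example.com": {"notAfter": "May 20 00:00:00 2024 GMT"},
}

if __name__ == "__main__":
    # Offline run over the sample data; for live listeners, build the dict with
    # {domain: fetch_peer_cert(domain) for domain in your_domains} instead.
    for name, days in expiring(SAMPLE_CERTS, 30, SAMPLE_NOW):
        state = "EXPIRED" if days < 0 else "expiring"
        print(f"{name}: {state}, {days} day(s) left")
```
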