When you configure an ALB listener, you can associate it with a certificate that already exists in SSL Certificates Service. If the certificate is not there yet, you can upload a server certificate issued by a third-party CA, or the certificate authority (CA) certificate that is used to verify clients, to SSL Certificates Service and then associate it with the listener.

Background information

ALB supports one-way authentication and mutual authentication.
  • One-way authentication: The client verifies the identity of the server, but the server does not verify the identity of the client. When you configure an HTTPS listener or a QUIC listener, you must associate a server certificate with the listener. The server certificate, together with its private key, is what the listener presents to clients.
  • Mutual authentication: The client verifies the identity of the server, and the server also verifies the identity of the client. A request is accepted and a response is returned only after both checks succeed. After you enable mutual authentication, you must associate both a server certificate and a CA certificate with the listener: the server certificate identifies the listener to clients, and the CA certificate is the trust anchor against which the listener validates the client certificate. A client that presents no certificate, or a certificate that does not chain to that CA, is rejected during the TLS handshake.
    Note
    • Mutual authentication is supported only in specific regions. For the list of regions, see Release notes.
    • You cannot configure mutual authentication for QUIC listeners.

Scenarios

  • Scenario 1: Create a certificate. Create a certificate, and then replace a certificate that is associated with a listener with the new certificate.
  • Scenario 2: Change a certificate. Replace a certificate that is associated with a listener with another existing certificate in the system.
  • Scenario 3: Add an extended validation certificate. Add a server certificate that is to be associated with a listener.
  • Scenario 4: Configure mutual authentication. Enable or disable mutual authentication.

Procedure

  1. Log on to the ALB console.
  2. On the Instances page, click the ID of the ALB instance that you want to manage.
  3. On the Listener tab, click Manage Certificate in the Actions column that corresponds to the listener that you want to manage.
  4. On the Certificates tab, perform the following operations:
    • On the Server Certificates or CA Certificates tab, click Change in the Actions column that corresponds to the certificate that you want to change. Select an existing certificate from the certificate drop-down list. You can also purchase a new certificate.
      Note To avoid service interruptions, replace a certificate before it expires. Clients reject an expired server certificate, so track the expiration date of every certificate that is associated with a listener and schedule the replacement in advance.
    • On the Server Certificates tab, click Add Extended Validation Certificate to add a certificate that is to be associated with the listener.
    • On the CA Certificates tab, turn on or turn off Mutual Authentication. If you enable mutual authentication for the listener for the first time, you must associate a CA certificate with the listener. If no suitable CA certificate exists in SSL Certificates Service, purchase one or upload your own CA certificate first. After you turn on Mutual Authentication, only clients whose certificates chain to that CA can connect, so make sure that every legitimate client has a certificate issued by it before you enable the switch.
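The following script is an added example and is not part of the Alibaba Cloud documentation or the ALB product; it illustrates both the one-way versus mutual authentication model described under Background information and the expiry caveat in the procedure above. It uses openssl to build a throwaway CA, issue a server certificate and a client certificate from it, and then runs the two checks a practitioner wants before touching a listener: does a client certificate chain to the CA certificate that will be uploaded as the mutual-authentication trust anchor, and does the server certificate expire within the replacement window. The CA name, the host name alb.example.com, the client names and the validity periods are all assumptions chosen for the example; in production you would upload the CA certificate and the server certificate to SSL Certificates Service instead of using a local CA.

```shell
#!/bin/sh
# Added example (not ALB's own code): local CA, server and client certificates,
# plus the checks behind "mutual authentication" and "replace before expiry".
# All files are created in a temporary directory; nothing talks to Alibaba Cloud.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

gen_ca() {
  # Self-signed CA. In ALB this is the file associated on the CA Certificates
  # tab when Mutual Authentication is turned on. (Assumed name: example-mtls-ca)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=example-mtls-ca" -keyout ca.key -out ca.pem >/dev/null 2>&1
}

issue_cert() {
  # $1 = file prefix, $2 = subject CN, $3 = validity in days.
  # Issues a leaf certificate signed by the local CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days "$3" -out "$1.pem" >/dev/null 2>&1
}

verify_client() {
  # $1 = CA certificate, $2 = client certificate.
  # Mirrors the server-side step of mutual authentication: the presented
  # client certificate must chain to the trusted CA and nothing else, so the
  # system trust store is deliberately excluded. Prints "ok" or "fail".
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

expires_within_days() {
  # $1 = certificate, $2 = window in days.
  # Prints "yes" if the certificate expires inside the window, else "no".
  # Use this to schedule a Change on the Server Certificates tab in time.
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# Build the material: one CA, a server certificate for the listener, a client
# certificate issued by the CA, a client certificate from an unrelated CA, and
# a server certificate that is about to expire (assumed validity periods).
gen_ca
issue_cert server alb.example.com 365
issue_cert client client-1 365
issue_cert short alb.example.com 7
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue-client" \
  -keyout rogue.key -out rogue.pem >/dev/null 2>&1

echo "client issued by our CA:      $(verify_client ca.pem client.pem)"
echo "client from an unrelated CA:  $(verify_client ca.pem rogue.pem)"
echo "server cert expires in 30d:   $(expires_within_days server.pem 30)"
echo "short cert expires in 30d:    $(expires_within_days short.pem 30)"
```

The verify step is what mutual authentication adds on top of one-way authentication: the listener still presents server.pem, but it additionally demands a certificate from the client and accepts it only if it validates against ca.pem. The checkend step is the practical form of the note about replacing certificates before they expire; running it against the certificate currently associated with the listener, with a window of 30 days, gives you the trigger for the Change action.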