This topic describes how to associate multiple certificates with an HTTPS listener of an Application Load Balancer (ALB) instance to distribute requests destined for different domain names to different NGINX services deployed on backend servers.
Scenario
After ALB receives an HTTPS request, ALB matches the requested domain name against the certificates
that you uploaded. If one of the certificates is matched, ALB sends the request to
a backend server based on the forwarding rule that you configured for the domain name
and then returns the corresponding certificate to the client. If no certificate is
matched, ALB sends the request to a backend server in the default server group and
returns the default certificate to the client. The following configurations are used
in this example:

- The default certificate: default. The default server group: RS1.
- The domain name example1.com is associated with the additional certificate example1. Requests destined for example1.com are forwarded to RS1.
- The domain name example.org is associated with the additional certificate example2. Requests destined for example.org are forwarded to RS2.

Prerequisites
- An ALB instance is created. For more information, see Create an ALB instance.
- RS1 and RS2 are created. For more information, see Create and manage a server group.
- An Elastic Compute Service (ECS) instance is added to each server group. In this example, ECS01 is added to RS1 and ECS02 is added to RS2. Different NGINX services are deployed on the ECS instances.
- Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to apply for a certificate, see Submit a certificate application. The following certificates are used in this example:
  - The default certificate.
  - The extended certificate example1 that is associated with the domain name example.com.
  - The extended certificate example2 that is associated with the domain name example.org.
Background information
The number of additional certificates that can be associated with an ALB instance: 10 for a basic ALB instance and 25 for a standard ALB instance. The default certificate is not included in this quota.
Step 1: Create an HTTPS listener
Step 2: Add an additional certificate
- On the Instances page, find the ALB instance that you want to manage and click its ID.
- On the Listener tab, find the HTTPS listener that you created and click Manage Certificate in the Actions column.
- On the Certificates tab, click Add Extended Validation Certificate.
- In the Add Extended Validation Certificate dialog box, select the certificate example1, and click OK. Repeat this step to add the extended certificate example2.
Step 3: Create forwarding rules
Step 4: Create CNAME records
Create CNAME records to map example.com and example.org to the publicly accessible domain name of the ALB instance.
- Log on to the ALB console.
- In the top navigation bar, select the region where the ALB instance is deployed.
- Find the ALB instance that you want to manage and copy the domain name.
- To create a CNAME record, perform the following operations:
Step 5: Test connectivity
Enter example.com and example.org in the address bar of a browser to check whether you can access ALB. In this example, NGINX is used to set up two static websites on ECS01 and ECS02.
- In the address bar of the browser, enter the domain name example.com, which is associated with the additional certificate example1. If you can access the domain name, it indicates that the request is sent to ECS01 in RS1 based on the forwarding rule that you configured.
- In the address bar of the browser, enter the domain name example.org, which is associated with the additional certificate example2. If you can access the domain name, it indicates that the request is sent to ECS02 in RS2 based on the forwarding rule that you configured.
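The browser test confirms reachability but not which certificate was served. The following added example (not part of the original ALB documentation) models the certificate and server-group selection described in the Scenario section, flags forwarding-rule hosts that would fall back to the default certificate, and includes a live handshake check. The function names, the certificate name lists, and the single-label wildcard rule are assumptions made for illustration.

```python
import socket
import ssl

# Constructed model of the page's example configuration. The name lists are
# assumptions: the page only says which domain each certificate is associated with.
DEFAULT_CERT, DEFAULT_GROUP = "default", "RS1"
EXTRA_CERTS = {"example1": ["example.com"], "example2": ["example.org"]}
FORWARDING_RULES = {"example.com": "RS1", "example.org": "RS2"}


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label
    (standard TLS hostname matching; assumed here, not taken from the page)."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host


def select(host):
    """Return (certificate, server group) the listener is expected to use."""
    cert = next((name for name, sans in EXTRA_CERTS.items()
                 if any(name_matches(p, host) for p in sans)), DEFAULT_CERT)
    group = next((g for p, g in FORWARDING_RULES.items()
                  if name_matches(p, host)), DEFAULT_GROUP)
    return cert, group


def uncovered_hosts():
    """Forwarding-rule hosts that no additional certificate covers; clients of
    these hosts would be handed the default certificate."""
    return [h for h in FORWARDING_RULES if select(h)[0] == DEFAULT_CERT]


def served_names(alb_addr, sni, port=443, timeout=5.0):
    """Live check: handshake with the given SNI and return the DNS names in the
    certificate ALB presents. Raises ssl.SSLCertVerificationError when the
    presented certificate is not valid for `sni` (for example, the default one)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((alb_addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            sans = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in sans if kind == "DNS"]
```

Call `served_names()` with the ALB domain name copied in Step 4 and each of the two domains as `sni`; a verification error for a configured domain means the listener did not return that domain's additional certificate.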