This topic describes how to associate multiple certificates with an HTTPS listener of an Application Load Balancer (ALB) instance to distribute requests destined for different domain names to different NGINX services deployed on backend servers.
Scenario
After ALB receives an HTTPS request, ALB matches the requested domain name against the certificates that you uploaded. If one of the certificates is matched, ALB sends the request to a backend server based on the forwarding rule that you configured for the domain name and then returns the corresponding certificate to the client. If no certificate is matched, ALB sends the request to a backend server in the default server group and returns the default certificate to the client. The following configurations are used in this example:
- The default certificate: default. The default server group: RS1.
- The domain name example1.com is associated with the additional certificate example1. Requests destined for example1.com are forwarded to RS1.
- The domain name example.org is associated with the additional certificate example2. Requests destined for example.org are forwarded to RS2.

Prerequisites
- An ALB instance is created. For more information, see Create an ALB instance.
- RS1 and RS2 are created. For more information, see Create and manage a server group.
- An Elastic Compute Service (ECS) instance is added to each server group. In this example, ECS01 is added to RS1 and ECS02 is added to RS2. Different NGINX services are deployed on the ECS instances.
- Required certificates are deployed. If the certificates are purchased from a third-party service provider, you must upload them to Certificate Management Service. In addition, make sure that the certificates are associated with your domain name. For more information about how to apply for a certificate, see Submit a certificate application. The following certificates are used in this example:
- The default certificate.
- The extended certificate example1 that is associated with the domain name example.com.
- The extended certificate example2 that is associated with the domain name example.org.
Background information
The number of additional certificates that can be associated with an ALB instance: 10 for a basic ALB instance and 25 for a standard ALB instance. The default certificate is not included in this quota.
Step 1: Create an HTTPS listener
- Log on to the ALB console.
- In the top navigation bar, select the region where the ALB instance is deployed.
- On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
- On the Configure Listener wizard page, set the following parameters and click Next. For more information about the other parameters and how to create an HTTPS listener, see Add an HTTPS listener.
- Select Server Certificate: In this example, the default certificate is selected.
- Select Server Group: In this example, RS1 is selected.
Step 2: Add an additional certificate
- On the Instances page, find the ALB instance that you want to manage and click its ID.
- On the Listener tab, find the HTTPS listener that you created and click Manage Certificate in the Actions column.
- On the Certificates tab, click Add Extended Validation Certificate.
- In the Add Extended Validation Certificate dialog box, select the certificate example1, and click OK. Repeat this step to add the extended certificate example2.
Step 3: Create forwarding rules
- On the Instances page, find the ALB instance that you want to manage and click its ID.
- On the Listener tab, find the HTTPS listener that you created and click View/Modify Forwarding Rule in the Actions column.
- On the Forwarding Rules tab, click Add New Rule.
- Configure forwarding rules based on the following information and click OK:
- Set the Domain Name parameter to example.com and the Forward parameter to RS1. Set the weight of the server group to 100.
- Set the Domain Name parameter to example.org and the Forward parameter to RS2. Set the weight of the server group to 100.
Note:
- ECS instances in a server group that has a higher weight receive more requests. In this example, the default weight 100 is used.
- Valid values: 1 to 100.
Step 4: Create CNAME records
Create CNAME records to map example.com and example.org to the publicly accessible domain name of the ALB instance.
- Log on to the ALB console.
- In the top navigation bar, select the region where the ALB instance is deployed.
- Find the ALB instance that you want to manage and copy the domain name.
- To create a CNAME record, perform the following operations:
Step 5: Test connectivity
Enter example.com and example.org in the address bar of a browser to check whether you can access ALB. In this example, NGINX is used to set up two static websites on ECS01 and ECS02.
- In the address bar of the browser, enter the domain name example.com, which is associated with the additional certificate example1. If you can access the domain name, it indicates that the request is sent to ECS01 in RS1 based on the forwarding rule that you configured.
- In the address bar of the browser, enter the domain name example.org, which is associated with the additional certificate example2. If you can access the domain name, it indicates that the request is sent to ECS02 in RS2 based on the forwarding rule that you configured.
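A browser test shows that forwarding works, but it does not show whether ALB served the additional certificate for the domain or fell back to the default certificate described in the Scenario section. The following Python check is an added example, not part of the original page: it performs a TLS handshake per domain name and reports whether the returned certificate covers that name. The endpoint `alb-placeholder.example` and the function names are assumptions.

```python
import socket
import ssl

def cert_dns_names(cert):
    """DNS names in a dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Legacy fallback: use the subject CN only when the cert has no SAN entries.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host

def covers(cert, host):
    return any(name_matches(p, host) for p in cert_dns_names(cert))

def fetch_cert(endpoint, sni, port=443, timeout=5.0):
    """TLS handshake with endpoint, sending sni; returns the served leaf cert."""
    ctx = ssl.create_default_context()   # the chain is still validated
    ctx.check_hostname = False           # names are compared in covers() instead
    with socket.create_connection((endpoint, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def audit(endpoint, domains, fetch=fetch_cert):
    """Map each domain to 'matched' or 'fallback' (cert does not cover it)."""
    result = {}
    for d in domains:
        result[d] = "matched" if covers(fetch(endpoint, d), d) else "fallback"
    return result

if __name__ == "__main__":
    # Placeholder (assumption): replace with the ALB domain name copied in Step 4.
    ALB = "alb-placeholder.example"
    for domain, status in audit(ALB, ["example.com", "example.org"]).items():
        print(domain, status)
```

A `fallback` result means clients of that domain receive a certificate that does not list it. If the default certificate does not chain to a trusted CA, `fetch_cert` raises `ssl.SSLCertVerificationError` instead.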