When you configure an ALB listener, you can purchase a certificate from Alibaba Cloud Certificate Management Service or upload the required server certificate and CA certificate issued by a third party to Alibaba Cloud Certificate Management Service. ALB obtains the certificates from Certificate Management Service and uses the certificates.
Background information
- One-way authentication: The client must verify the identity of the server. The server does not need to verify the identity of the client. When you configure an HTTPS listener or a QUIC listener, you must associate a server certificate with the listener.
- Mutual authentication: The client must verify the identity of the server. The server must verify the identity of the client. A connection can be established only after both sides are authenticated. After mutual authentication is enabled, you must associate a server certificate with the listener. In addition, you must associate a CA certificate with the listener to verify the identity of the client.
Limits
- Basic ALB instances do not support mutual authentication.
- QUIC listeners do not support mutual authentication.
- HTTP listeners do not support one-way authentication or mutual authentication.
Prerequisites
- A standard or WAF-enabled ALB instance is created. For more information, see Create an ALB instance.
- A server group is created. For more information, see Create and manage a server group.
- A server certificate is purchased or uploaded in the Certificate Management Service console. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
- An intermediate CA certificate is purchased in the Certificate Management Service console, and at least one private intermediate CA certificate is available. For more information, see Purchase and enable a private CA.
Add a certificate
- Log on to the ALB console.
- In the top navigation bar, select the region where the ALB instance is deployed.
- On the Instances page, find the ALB instance that you want to manage and click its ID.
- Use one of the following methods to open the listener configuration wizard:
  - On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
  - On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.
- On the Configure Listener wizard page, set the following parameters and click Next. In this example, only the parameters that are related to the listener are set. For more information about the other parameters, see Add an HTTPS listener.
  - Listener Protocol: Select a protocol for the listener. You can select HTTPS or QUIC based on your business requirements. HTTPS is selected in this example.
    Note:
    - QUIC listeners do not support mutual authentication.
    - HTTP listeners do not support one-way authentication or mutual authentication.
  - Listener Port: Specify the port on which the ALB instance listens. The ALB instance listens for requests on the specified port and then forwards the requests to backend servers. Valid values: 1 to 65535. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS. Port 443 is used in this example.
  - Listener Name: Enter a name for the listener.
  - Advanced Settings: You can click Modify to configure the advanced settings.
- In the Configure SSL Certificates step, select a server certificate. If no server certificate is available, you can click Create Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
  - To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.
  - Turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud as the certificate source and select a CA certificate from the Default CA Certificate drop-down list.
    If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
    Note: Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.
    If you want to disable mutual authentication after you enable this feature, perform the following operations:
    - On the Instances page, click the ID of the ALB instance that you want to manage.
    - On the Listener tab, click the ID of the HTTPS listener that you want to manage.
    - On the Listener Details tab, disable mutual authentication in the SSL Certificate section.
  - Select a TLS security policy and click Next. If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.
- On the Select Server Group wizard page, specify Server Type and select a server group based on the specified Server Type, confirm the backend servers, and then click Next.
- On the Confirm wizard page, confirm the configurations and click Submit.
What to do next
- Log on to the ALB console.
- In the top navigation bar, select the region where the ALB instance is deployed.
- On the Instances page, find the ALB instance that you want to manage and click its ID.
- On the Listener tab, find the listener that you want to manage and click Manage Certificate in the Actions column.
- On the Certificates tab, you can perform the following operations based on your business requirements.
  Note: To prevent service interruptions, we recommend that you replace your certificates before they expire.
  - Replace the default server certificate:
    - Click the Server Certificates tab, find the default certificate, and click Change in the Actions column.
    - In the dialog box that appears, select a server certificate and click OK.
      If no server certificate is available, you can click Create Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
  - Add an additional server certificate: You can add an additional server certificate to a listener.
    - Click the Server Certificates tab and click Add EV Certificate.
    - In the Add EV Certificate dialog box, select a server certificate and click OK.
      If no server certificate is available, you can click Create Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.
  - Delete an additional server certificate: You can delete additional server certificates that you no longer use. After an additional server certificate is deleted, it can no longer be used for server authentication.
    - Click the Server Certificates tab, find the additional certificate that you want to delete, and click Delete in the Actions column.
    - In the message that appears, click OK.
  - Enable or disable mutual authentication: You can enable or disable mutual authentication based on your business requirements. If this is the first time that you enable mutual authentication for a listener, you must purchase a CA certificate.
    - Enable mutual authentication: If this is the first time that you enable mutual authentication, perform the following steps:
      - Click the CA Certificates tab, and turn on Mutual Authentication or click Enable Mutual Authentication.
      - In the Enable Mutual Authentication dialog box, select Alibaba Cloud as the source of the CA certificate, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.
        If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
    - Disable mutual authentication: If mutual authentication is enabled for a listener, click the CA Certificates tab and turn off Mutual Authentication. After mutual authentication is disabled, only one-way authentication is supported.
  - Replace a CA certificate:
    - Click the CA Certificates tab, find the default CA certificate, and click Change in the Actions column.
    - In the Change Default CA Certificate dialog box, select Alibaba Cloud as the source of the CA certificate, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.
      If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
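The trust decisions that the Background information section describes, together with the expiry check behind the note above about replacing certificates before they expire, as an added shell example that is not part of the Alibaba Cloud documentation and not ALB product code: it builds a throwaway private CA with openssl in a temporary directory, issues a server certificate and two client certificates, and shows what the CA certificate associated with a listener decides during mutual authentication (a client certificate issued by that CA chains and is accepted; one issued by an unrelated CA does not chain and is rejected), and how the same chain check is what a client performs on the server certificate in one-way authentication. All CA and certificate names are constructed for the example, the openssl config it writes is its own, and nothing in it contacts ALB or Certificate Management Service.

```shell
#!/bin/sh
# Added example, not code from the Alibaba Cloud ALB documentation.
# Models with a throwaway private CA the two checks the page describes:
#   one-way authentication  - the client verifies the server certificate
#   mutual authentication   - the listener additionally verifies the client
#                             certificate against its associated CA certificate
# and the expiry check behind the advice to replace certificates before they
# expire. All names are constructed; nothing here contacts ALB or
# Certificate Management Service.
set -e
WORK="$(mktemp -d)"

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca <name>: self-signed private CA, written to $WORK/<name>.key and .crt
# (stands in for a private CA from Certificate Management Service).
make_ca() {
  write_config
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert <ca-name> <leaf-name> <days>: leaf certificate signed by that CA.
issue_cert() {
  write_config
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days "$3" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_against_ca <ca-name> <leaf-name>: exit 0 only when the leaf chains to
# that CA. This is the decision the listener's CA certificate makes about a
# client certificate in mutual authentication, and the decision a client makes
# about the server certificate in one-way authentication.
verify_against_ca() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# expires_within <leaf-name> <seconds>: exit 0 when the certificate will expire
# within the window, i.e. when it should be replaced to avoid an interruption.
expires_within() {
  ! openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null 2>&1
}

# report <description> <command...>: print the outcome without aborting under set -e.
report() {
  desc="$1"; shift
  if "$@"; then echo "$desc: accepted"; else echo "$desc: rejected"; fi
}

demo() {
  make_ca listener-ca        # the CA certificate associated with the listener
  make_ca unrelated-ca       # a CA the listener does not trust
  issue_cert listener-ca server 300
  issue_cert listener-ca client-trusted 30
  issue_cert unrelated-ca client-untrusted 30

  report "one-way: server cert against listener-ca"        verify_against_ca listener-ca server
  report "mutual: client-trusted against listener-ca"      verify_against_ca listener-ca client-trusted
  report "mutual: client-untrusted against listener-ca"    verify_against_ca listener-ca client-untrusted
  report "client-trusted expires within 60 days"           expires_within client-trusted 5184000
  report "server expires within 60 days"                   expires_within server 5184000
}

demo
rm -rf "$WORK"
```

The window passed to expires_within is in seconds (5184000 is 60 days); pick the lead time that matches how long purchasing or uploading a replacement and changing it on the listener takes in your environment.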
References
- CreateListener: creates an HTTP, HTTPS, or QUIC listener.
- AssociateAdditionalCertificatesWithListener: adds an additional certificate to an HTTPS or QUIC listener.
- DissociateAdditionalCertificatesFromListener: deletes an additional certificate from an HTTPS or QUIC listener.