You can associate a certificate in Certificate Management Service with an ALB listener. You can also upload a server certificate issued by a third party or a certificate issued by a certificate authority (CA) to Certificate Management Service.

Background information

ALB supports one-way authentication and mutual authentication.
  • One-way authentication: The client verifies the identity of the server, but the server does not verify the identity of the client. When you configure an HTTPS listener or a QUIC listener, you must associate a server certificate with the listener; this is what the client checks.
  • Mutual authentication: The client verifies the identity of the server, and the server verifies the identity of the client. A connection can be established only after both sides are authenticated. After mutual authentication is enabled, you must associate a server certificate with the listener. In addition, you must associate a CA certificate with the listener; the listener accepts a client only if the client presents a certificate that chains to that CA.

Limits

  • Basic ALB instances do not support mutual authentication.
  • QUIC listeners do not support mutual authentication.
  • HTTP listeners do not support one-way authentication or mutual authentication.

Prerequisites

Add a certificate

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.
  3. On the Instances page, find the ALB instance that you want to manage and click its ID.
  4. Use one of the following methods to open the listener configuration wizard:
    • On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
    • On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.
  5. On the Configure Listener wizard page, set the following parameters and click Next.
    In this example, only the parameters that are related to the listener are set. For more information about the other parameters, see Add an HTTPS listener.
    Listener Protocol: Select a protocol for the listener. You can select HTTPS or QUIC based on your business requirements.
      Note
      • QUIC listeners do not support mutual authentication.
      • HTTP listeners do not support one-way authentication or mutual authentication.
      HTTPS is selected in this example.
    Listener Port: Specify the port on which the ALB instance listens. The ALB instance listens for requests on the specified port and then forwards the requests to backend servers. Valid values: 1 to 65535. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS.
      Port 443 is used in this example.
    Listener Name: Enter a name for the listener.
    Advanced Settings: Click Modify to configure the advanced settings.
  6. On the Configure SSL Certificates wizard page, select the server certificate that you want to use and click Modify next to Advanced Settings.
  7. Turn on Enable Mutual Authentication, select the CA certificate that issued your client certificates, select a TLS security policy (the policy determines which TLS versions and cipher suites the listener accepts), and then click Next.
  8. On the Select Server Group wizard page, specify Server Type and select a server group based on the specified Server Type, confirm the backend servers, and then click Next.
  9. On the Confirm wizard page, confirm the configurations and click Submit.

What to do next

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.
  3. On the Instances page, find the ALB instance that you want to manage and click its ID.
  4. On the Listener tab, find the listener that you want to manage and click Manage Certificate in the Actions column.
  5. On the Certificates tab, you can perform the following operations based on your business requirements.
    Note To prevent service interruptions, we recommend that you replace your certificates before they expire.
    Replace the default server certificate:
    1. Click the Server Certificates tab, find the default certificate and click Change in the Actions column.
    2. In the dialog box that appears, select or purchase a certificate and click OK.
    Add an additional server certificate: You can add an additional server certificate to a listener, for example to serve a second domain from the same listener.
    1. Click the Server Certificates tab and click Add Additional Certificate.
    2. In the Add Additional Certificate dialog box, select a certificate and click OK.
    Delete an additional server certificate: You can delete additional server certificates that you no longer use. After an additional server certificate is deleted, the listener no longer presents it to clients; requests for the domains it covered are served with the default server certificate, so make sure that the default certificate covers any domain that is still in use.
    1. Click the Server Certificates tab, find the additional certificate that you want to delete and click Delete in the Actions column.
    2. In the message that appears, click OK.
    Enable or disable mutual authentication: You can enable or disable mutual authentication based on your business requirements. The first time that you enable mutual authentication for a listener, you must select an existing CA certificate or purchase one.
    • Enable mutual authentication: If this is the first time that you enable mutual authentication, perform the following steps:
      1. Click the CA Certificates tab, and turn on Mutual Authentication or click Enable Mutual Authentication.
      2. In the Enable Mutual Authentication dialog box, select or purchase a CA certificate and click OK.
    • Disable mutual authentication: If mutual authentication is enabled for a listener, click the CA Certificates tab and turn off Mutual Authentication. After mutual authentication is disabled, the listener no longer asks clients for a certificate and only one-way authentication is performed.
    Replace a CA certificate:
    1. Click the CA Certificates tab, find the default CA certificate and click Change in the Actions column.
    2. In the dialog box that appears, select or purchase a CA certificate and click OK.
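
After you configure a listener as described in Add a certificate, or replace a certificate as described above, it is worth checking from the client side that the listener behaves as intended: that the server certificate covers the host name, how long it remains valid (the note above recommends replacing certificates before they expire), and that a listener with mutual authentication actually rejects a client that presents no certificate. The following script is an added example written for this page; it is not part of the ALB console or ALB API. The host names, file paths and the 30-day renewal threshold are assumptions, and the sample certificate dictionary is constructed in the shape that Python's SSLSocket.getpeercert() returns.

```python
"""Client-side probe for an ALB HTTPS listener (added example, not ALB code)."""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

# Constructed sample in the shape SSLSocket.getpeercert() returns for a
# verified peer; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}
SAMPLE_NOW = datetime(2024, 2, 10, tzinfo=timezone.utc)  # assumed "current" time for the sample
RENEW_DAYS = 30  # assumed renewal threshold; a policy choice, not an ALB default


def san_match(pattern: str, hostname: str) -> bool:
    """Match one DNS subjectAltName entry against a host name.

    A single leading '*.' matches exactly one label, the rule browsers and
    OpenSSL apply: '*.api.example.com' matches 'foo.api.example.com' but not
    'api.example.com' and not 'a.b.api.example.com'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split(".")[1:], hostname.split(".")
        return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels
    return pattern == hostname


def cert_status(peercert: dict, hostname: str, now: Optional[datetime] = None) -> dict:
    """Evaluate a getpeercert() dictionary: SAN coverage and days until expiry.

    getpeercert() only returns a populated dict when the chain was verified,
    so a caller that gets here already knows the server certificate chains to
    a trusted CA (one-way authentication succeeded).
    """
    now = now or datetime.now(timezone.utc)
    sans = [v for (kind, v) in peercert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(peercert["notAfter"]), tz=timezone.utc
    )
    days_left = (not_after - now).days
    return {
        "hostname_ok": any(san_match(s, hostname) for s in sans),
        "days_left": days_left,
        "needs_replacement": days_left <= RENEW_DAYS,
        "not_after": not_after.isoformat(),
    }


def probe(host: str, port: int = 443, ca_file: Optional[str] = None,
          client_cert: Optional[str] = None, client_key: Optional[str] = None) -> dict:
    """Connect to the listener, optionally presenting a client certificate.

    Run it once without client_cert and once with it: a listener with mutual
    authentication enabled must fail the first run and pass the second.
    With TLS 1.3 the server may complete the handshake and only then send the
    'certificate required' alert, so a request is sent and the first bytes of
    the response are read before the probe reports success.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
                tls.sendall(request.encode())
                first = tls.recv(64)  # empty if the listener closed without answering
                status = cert_status(tls.getpeercert(), host)
                return {"ok": bool(first), "tls_version": tls.version(), **status}
    except OSError as exc:
        # ssl.SSLError (a subclass of OSError) carries the alert reason, which
        # is what a mutually authenticated listener reports to a client that
        # presented no certificate.
        return {"ok": False, "error": getattr(exc, "reason", None) or str(exc)}


def demo() -> dict:
    """Evaluate the constructed sample certificate at the assumed time."""
    return cert_status(SAMPLE_PEERCERT, "www.example.com", SAMPLE_NOW)


if __name__ == "__main__":
    print(demo())
    # Real listener checks; host and paths are placeholders:
    # print(probe("www.example.com"))
    # print(probe("www.example.com", client_cert="client.pem", client_key="client.key"))
```

The offline part (demo) shows the expiry arithmetic on the sample: 20 days remain on 10 February 2024, which is inside the 30-day threshold, so the certificate is flagged for replacement. For a quick manual check of the mutual authentication setting, `openssl s_client -connect host:443 -servername host` prints an "Acceptable client certificate CA names" section when the listener requests a client certificate; a one-way listener prints "No client certificate CA names sent" instead.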

References