To configure one-way or mutual authentication, you can purchase certificates from the Alibaba Cloud SSL Certificates Service or upload server and Certificate Authority (CA) certificates from a third party. Once the certificates are available in the SSL Certificates Service, you can apply them to your Application Load Balancer (ALB) instance.
Background information
ALB supports one-way and mutual authentication. You can select an authentication method based on your requirements.
One-way authentication: The client authenticates the server, but the server does not authenticate the client. To configure one-way authentication, attach a server certificate to an HTTPS or QUIC listener.
Mutual authentication: The client and server authenticate each other. Both parties must be authenticated before requests and responses can be processed, so only clients that present a certificate issued by the trusted CA can establish a connection. To enable mutual authentication, attach a server certificate and a CA certificate to the listener. The CA certificate is used to authenticate the client.
Limits
Basic Edition instances do not support mutual authentication.
QUIC listeners do not support mutual authentication.
HTTP listeners do not support one-way or mutual authentication.
Certificate types
ALB supports certificates that use internationally accepted algorithms (RSA/ECC).
Listener type | Certificate type | One-way authentication | Mutual authentication
HTTPS | Single RSA and ECC certificate configuration | Supported | Supported
HTTPS | Dual RSA and ECC certificate configuration | Supported | Supported
QUIC | Single RSA and ECC certificate configuration | Supported | Not supported
QUIC | Dual RSA and ECC certificate configuration | Supported | Not supported
HTTP | Certificate configuration not supported | Not supported | Not supported
Prerequisites
You have created an ALB instance of the Standard or WAF-enabled edition.
You have created an active backend server group.
You have purchased or uploaded a server certificate in the SSL Certificates Service.
You have purchased and enabled an intermediate CA certificate in the SSL Certificates Service, and the number of available certificates for the private intermediate CA is not zero. Alternatively, you have uploaded a self-signed root CA or self-signed intermediate CA certificate to the SSL Certificates Service.
Add a certificate
Log on to the ALB console.
In the top menu bar, select the region where the instance is located.
On the Instances page, find the target instance and click its instance ID.
Use one of the following methods to open the listener configuration wizard:
On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.
On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.
In the Configure Listener step, configure the required parameters and click Next.
This topic describes only the key parameters. For more information, see Add an HTTPS listener.
Listener Configuration | Description
Listener Protocol
Select the protocol for the listener. You can select HTTPS or QUIC as needed.
Note: QUIC listeners do not support mutual authentication. HTTP listeners do not support one-way or mutual authentication.
In this example, HTTPS is selected.
Listener Port
Enter the listener port that is used to receive requests and forward them to backend servers. The port number must be between 1 and 65535. Port 80 is used for HTTP and port 443 is used for HTTPS.
In this example, enter 443.
Listener Name
Enter a custom name for the listener.
Advanced Settings
Click Modify to expand the advanced configuration section.
In the Configure SSL Certificate step, select a server certificate.
(Optional) Turn on Enable Mutual Authentication and select a certificate source.
Select Alibaba Cloud as the source of the CA certificate, and select a CA certificate from the Default CA Certificate drop-down list.
If no CA certificate is available, you can click Purchase CA Certificate to create one.
Alternatively, select Third-party as the source of the CA certificate, and select a CA certificate from the Default CA Certificate drop-down list.
If no self-signed CA certificate is available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository with Uploaded CA Certificates as Data Source. Then, upload self-signed root CA certificates or intermediate CA certificates to the repository.
Select a TLS security policy and click Next.
If no TLS security policy is available, click Create TLS Security Policy to create one.
A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS listeners.
In the Select Server Group step, select a server group, view the backend servers, and then click Next.
In the Confirm step, confirm the configurations and click Submit.
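The Third-party CA source above expects a self-signed root CA or an intermediate CA that you generate yourself. The following added example (not part of the Alibaba Cloud documentation; all names, CNs and the working directory are placeholders) builds such a hierarchy with openssl, issues a client certificate under it, and reproduces the listener's client-certificate check locally, including the rejection of a certificate from an unrelated CA.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud documentation): build a private CA hierarchy of the
# kind the "Third-party" CA source accepts (self-signed root -> intermediate -> client certificate)
# and mirror the listener's client-certificate check with openssl verify. Names are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Extensions that make a certificate a usable CA, and ones that make a leaf usable for client auth.
CA_EXTS='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
CLIENT_EXTS='basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth'

# issue_cert NAME CN EXTENSIONS [ISSUER_CRT ISSUER_KEY]; with no issuer the certificate is self-signed.
issue_cert() {
  name=$1; cn=$2; exts=$3; ca_crt=${4:-}; ca_key=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf '%b\n' "$exts" > "$WORK/$name.ext"
  if [ -z "$ca_crt" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 3650 -sha256 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$ca_crt" -CAkey "$ca_key" -CAcreateserial \
      -days 825 -sha256 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

make_ca_chain() {
  issue_cert root "Example Private Root CA" "$CA_EXTS"
  issue_cert intermediate "Example Private Intermediate CA" "$CA_EXTS" "$WORK/root.crt" "$WORK/root.key"
  issue_cert client "device-0001" "$CLIENT_EXTS" "$WORK/intermediate.crt" "$WORK/intermediate.key"
  # A leaf issued by an unrelated CA, with the same CN: the listener must reject this client.
  issue_cert rogue-ca "Unrelated CA" "$CA_EXTS"
  issue_cert rogue-client "device-0001" "$CLIENT_EXTS" "$WORK/rogue-ca.crt" "$WORK/rogue-ca.key"
}

# verify_client_cert CERT: returns 0 when CERT chains to the trusted root (via the intermediate)
# and is valid for TLS client authentication, the decision the listener makes on every handshake.
verify_client_cert() {
  openssl verify -purpose sslclient -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/intermediate.crt" "$1" >/dev/null 2>&1
}

make_ca_chain
for leaf in client rogue-client; do
  if verify_client_cert "$WORK/$leaf.crt"; then echo "$leaf.crt: accepted"; else echo "$leaf.crt: rejected"; fi
done
```

Upload root.crt (or intermediate.crt) as the Third-party CA certificate and distribute client.crt with its key to the clients; keep the CA keys off the clients and off the load balancer.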
More operations
Log on to the ALB console.
In the top menu bar, select the region where the instance is located.
On the Instances page, find the target instance and click its instance ID.
On the Listener tab, find the target listener and click Manage Certificates in the Actions column.
On the Certificates tab, perform the necessary operations.
Note: To prevent service disruptions, replace the certificate before it expires.
Certificate category | Operation | Description
Server certificate
Replace the default server certificate for the listener
On the Server Certificates tab, find the default server certificate for the listener and click Replace in the Actions column.
In the dialog box that appears, select a server certificate and click OK.
If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate.
Add an additional server certificate
You can add additional certificates to the listener.
On the Server Certificates tab, click Add EV Certificate.
In the Add Additional Certificate dialog box, select a server certificate and click OK.
If no server certificate is available, click Purchase Certificate in the upper-right corner to go to Certificate Center. In Certificate Center, purchase or upload a server certificate.
Delete an additional server certificate
You can delete additional server certificates that are no longer needed. After a certificate is deleted, it can no longer be used by the listener.
On the Server Certificates tab, find the target additional certificate and click Delete in the Actions column.
In the dialog box that appears, click Delete.
CA certificate
Enable or disable mutual authentication
Enable mutual authentication: If you have not enabled mutual authentication for the listener, you can enable it.
Click the CA Certificates tab and turn on the Mutual Authentication switch, or click Enable Mutual Authentication.
In the Enable Mutual Authentication dialog box, perform one of the following steps based on your business needs.
Set Source of CA Certificate to Alibaba Cloud, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.
If no CA certificates are available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.
Set Source of CA Certificate to Third-party, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.
If no self-signed CA certificates are available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository and set its data source to Upload CA Certificate. Then, upload a self-signed root CA certificate or a self-signed intermediate CA certificate to the repository.
Disable mutual authentication: If mutual authentication is enabled for the listener, you can click the CA Certificates tab and turn off the Mutual Authentication switch. After it is disabled, the listener supports only one-way authentication.
Replace the CA certificate
Click the CA Certificates tab. Find the default CA certificate for the listener and click Change in the Actions column.
In the Change Default CA Certificate dialog box, perform one of the following steps based on your business needs.
Set Source of CA Certificate to Alibaba Cloud, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.
If no CA certificates are available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.
Set Source of CA Certificate to Third-party, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.
If no self-signed CA certificates are available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository and set its data source to Upload CA Certificate. Then, upload a self-signed root CA certificate or a self-signed intermediate CA certificate to the repository.
References
Tutorials
Configure end-to-end data transfer over HTTPS: ALB provides end-to-end data transfer over HTTPS. This feature encrypts data from clients to ALB and from ALB to backend servers to improve the security of sensitive services.
Configure an HTTPS website that uses multiple domain names on a single ALB instance: To forward HTTPS requests for different domain names to different backend servers, you can attach multiple certificates to an ALB HTTPS listener and configure domain name-based forwarding rules.
Deploy an HTTPS service that uses mutual authentication on ALB: In high-security scenarios, such as the finance and healthcare industries, you can use the mutual authentication feature of ALB to implement mutual identity verification between clients and servers. This ensures secure data transfer.
API reference
CreateListener: Create an HTTP, HTTPS, or QUIC listener.
AssociateAdditionalCertificatesWithListener: Add additional certificates to an HTTPS or QUIC listener.
DissociateAdditionalCertificatesFromListener: Remove additional certificates from an HTTPS or QUIC listener.
UpdateListenerAttribute: Modify the default certificate configuration of an HTTPS or QUIC listener. For example, you can replace the default certificate or enable or disable mutual authentication.