
Server Load Balancer: Manage certificates

Last Updated: Mar 30, 2026

When you configure one-way authentication or mutual authentication (mTLS), you must purchase certificates from Alibaba Cloud Certificate Management Service or upload third-party server certificates and CA certificates. You can then associate the certificates with your listener.

Background

ALB supports one-way authentication and mutual authentication (mTLS). Choose the method that best suits your needs.

  • One-way authentication: The client authenticates the server, but the server does not authenticate the client. When you configure an HTTPS or QUIC listener, you must associate a server certificate with the listener.

  • Mutual authentication (mTLS): The client and the server authenticate each other. This ensures secure communication because requests and responses are transmitted only after both parties are authenticated. To enable mTLS, you must associate both a server certificate and a CA certificate with the listener. The CA certificate is used to authenticate the client.

Limitations

  • Basic Edition ALB instances do not support mutual authentication (mTLS).

  • QUIC listeners do not support mutual authentication (mTLS).

  • HTTP listeners do not support one-way authentication or mutual authentication (mTLS).

Certificate types

ALB supports both international standard certificates (RSA/ECC) and SM certificates (SM2).

  • International standard certificates: These certificates support RSA and ECC algorithms and are suitable for general HTTPS encryption.

  • SM certificates: These certificates support the Chinese cryptographic algorithm suite, which includes SM2 for signatures and key exchange, SM3 for hashing, and SM4 for data encryption. These certificates are suitable for industries such as finance and government that require compliance with MLPS 2.0 Level 3. To use an SM certificate, you must also select a custom TLS security policy that includes the ECC-SM2-WITH-SM4-SM3 cipher suite.

Note
  • The SM certificate feature is not enabled by default. To use this feature, you must apply for the required quota in Quota Center.

  • SM certificates are supported only on upgraded ALB instances, not legacy ones. You can use ALB instance cloning to manually migrate your services from a legacy ALB instance to an upgraded one.

  • Only Standard Edition and WAF-enabled Edition ALB instances support SM certificates. Basic Edition and Extended Edition instances do not.

  • SM certificates do not support mutual authentication (mTLS) because CA certificates do not support the SM2 algorithm.

The following table describes the supported listener types, certificate types, and authentication methods (one-way and mutual).

  Listener type | Certificate type                     | One-way authentication | Mutual authentication (mTLS)
  --------------+--------------------------------------+------------------------+------------------------------------------
  HTTPS         | Single RSA, ECC, or SM2 certificate  | Supported              | Supported (RSA, ECC); not supported (SM2)
  HTTPS         | Dual RSA and ECC certificates        | Supported              | Supported
  HTTPS         | Dual RSA and SM2 certificates        | Supported              | Not supported
  HTTPS         | Dual ECC and SM2 certificates        | Supported              | Not supported
  HTTPS         | Mixed RSA, ECC, and SM2 certificates | Supported              | Not supported
  QUIC          | Single RSA or ECC certificate        | Supported              | Not supported
  QUIC          | Dual RSA and ECC certificates        | Supported              | Not supported
  HTTP          | Certificate configuration is not supported

Certificate matching logic

When a listener has multiple certificates, ALB uses an intelligent certificate selection algorithm that supports Server Name Indication (SNI). If a client's hostname matches a single certificate in the list, ALB selects that certificate. If the hostname matches multiple certificates, ALB selects the best one based on the following priority:

  1. Domain Name Match: Exact matches are preferred over wildcard matches.

  2. Public Key Algorithm: ECDSA (ECC) is preferred over RSA.

  3. Hash Algorithm: The SHA family is preferred over MD5.

  4. Key Length: The certificate with the longest key is preferred.

  5. Validity Period: The certificate with the longest remaining validity period is preferred.

Note

ALB uses the protocol version in the client's TLS handshake to determine whether to use the Chinese national cryptographic protocol (TLCP).

  • If the client uses the TLCP protocol, ALB prioritizes the SM certificate.

  • If the client uses the standard TLS protocol, ALB prioritizes an international standard certificate (RSA/ECC).
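To make the priority order above concrete, the following added example (not ALB's own code) simulates the selection over a constructed list of certificates. The Cert fields, the hostnames, the expiry dates and the fixed clock are assumptions; the TLCP rule from the note is applied as a first-level preference before the five numbered criteria.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    name: str                 # label used only by this example
    san: tuple[str, ...]      # hostnames the certificate covers; "*.x.y" is a wildcard
    key_alg: str              # "ECC", "RSA" or "SM2"
    hash_alg: str             # signature hash, e.g. "SHA256", "MD5", "SM3"
    key_bits: int
    not_after: datetime

def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that covers exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def match_kind(cert: Cert, host: str) -> int:
    """2 = exact match, 1 = wildcard match only, 0 = no match."""
    kinds = [1 if p.startswith("*.") else 2 for p in cert.san if host_matches(p, host)]
    return max(kinds, default=0)

def select_certificate(certs, sni_host: str, tlcp: bool, now: datetime):
    """Return the certificate the documented priority would pick, or None."""
    candidates = [c for c in certs if match_kind(c, sni_host)]
    if len(candidates) <= 1:                     # a single match is used as-is
        return candidates[0] if candidates else None
    def rank(c: Cert):
        return (
            c.key_alg == "SM2" if tlcp else c.key_alg != "SM2",  # TLCP -> SM2 first; TLS -> RSA/ECC first
            match_kind(c, sni_host),                 # 1. exact match over wildcard
            c.key_alg == "ECC",                      # 2. ECDSA (ECC) over RSA
            c.hash_alg.upper().startswith("SHA"),    # 3. SHA family over MD5
            c.key_bits,                              # 4. longest key
            c.not_after - now,                       # 5. longest remaining validity
        )
    return max(candidates, key=rank)

# Constructed sample data (not real certificates); the clock is fixed for determinism.
NOW = datetime(2026, 3, 30, tzinfo=timezone.utc)
SAMPLE_CERTS = (
    Cert("wildcard-ecc", ("*.example.com",), "ECC", "SHA256", 256, datetime(2027, 1, 1, tzinfo=timezone.utc)),
    Cert("exact-rsa", ("www.example.com",), "RSA", "SHA256", 2048, datetime(2027, 1, 1, tzinfo=timezone.utc)),
    Cert("exact-ecc-2026", ("www.example.com",), "ECC", "SHA256", 256, datetime(2026, 9, 1, tzinfo=timezone.utc)),
    Cert("exact-ecc-2027", ("www.example.com",), "ECC", "SHA256", 256, datetime(2027, 1, 1, tzinfo=timezone.utc)),
    Cert("exact-sm2", ("www.example.com",), "SM2", "SM3", 256, datetime(2027, 1, 1, tzinfo=timezone.utc)),
)
```

With the sample data, a standard TLS client for www.example.com gets the exact-match ECC certificate with the longest validity, a TLCP client gets the SM2 certificate, and api.example.com is served only by the wildcard certificate.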

Add a certificate

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, find the target instance and click its ID.

  4. Open the listener configuration wizard by using one of the following methods:

    • On the Instances page, find the target instance and click Create Listener in the Actions column.

    • On the Instances page, click the target instance ID. On the Listener tab, click Create Listener.

  5. On the Configure Listener page, configure the following settings and click Next.

    This topic describes only the required parameters. For more information, see Add an HTTPS listener.

    Listener Protocol
      Select the listener protocol. You can select HTTPS or QUIC.

      Note
      • QUIC listeners do not support mutual authentication (mTLS).
      • HTTP listeners do not support one-way authentication or mutual authentication (mTLS).

      In this example, HTTPS is selected.

    Listener Port
      Specify a port from 1 to 65535 to receive and forward requests to backend servers. Port 80 is the standard port for HTTP and 443 is the standard port for HTTPS.

      In this example, 443 is entered.

    Listener Name
      Enter a custom name for the listener.

    Advanced Settings
      Click Modify to expand the advanced settings.

  6. In the SSL Certificate step, select a server certificate.

    If no server certificate is available, click Create SSL Certificate in the drop-down list to go to Certificate Management Service, where you can purchase or upload a server certificate.

  7. Optional: Turn on Enable Mutual Authentication, and select the source of the CA certificate.

    • Select Alibaba Cloud as the CA certificate source, and select a CA certificate from the Default CA Certificate drop-down list.

      If no CA certificate is available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.

    • Select Third-party as the CA certificate source, and select a CA certificate from the Default CA Certificate drop-down list.

      If no self-signed CA certificate is available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository with Uploaded CA Certificates as the data source. Then, upload a self-signed root CA or a self-signed intermediate CA certificate to the repository.

    Note
    • Only Standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not.

    • After you enable mutual authentication, if you need to disable it later, follow these steps:

      1. On the Instances page, click the ID of the target instance.

      2. On the Listener tab, click the ID of the target HTTPS listener.

      3. On the Listener Details tab, turn off the mutual authentication switch in the SSL Certificate section.

  8. Select a TLS Security Policy and click Next.

    If no TLS security policy is available, click Create TLS Security Policy in the drop-down list.

    A TLS security policy includes the supported TLS protocol versions and cipher suites for HTTPS.

  9. On the Select Server Group page, select a backend server group, view the backend server information, and then click Next.

  10. On the Configuration Review page, review the settings and click Submit.

More operations

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, find the target instance and click its ID.

  4. Click the Listener tab. Find the target listener and click Manage Certificates in the Actions column.

  5. On the Certificates page, you can perform the following operations.

    Note

    To avoid service disruptions, replace your certificates before they expire.

    Server certificate

      Replace the default server certificate

        1. On the Server Certificates tab, find the default server certificate and click Replace in the Actions column.

        2. In the dialog box that appears, select a server certificate and click OK.

           If no server certificate is available, click Create SSL Certificate in the drop-down list to go to Certificate Management Service, where you can purchase or upload a server certificate.

      Add an additional server certificate

        You can add additional certificates to a listener.

        1. On the Server Certificates tab, click Add EV Certificate.

        2. In the Add EV Certificate dialog box, select a server certificate and click OK.

           If no server certificates are available, click Purchase Certificate in the upper-right corner to go to the Certificate Management Service console, where you can purchase or upload a server certificate.

      Delete an additional server certificate

        You can delete an additional server certificate. After deletion, it can no longer be used for authentication.

        1. On the Server Certificates tab, find the target additional certificate and click Delete in the Actions column.

        2. In the dialog box that appears, click Delete.

    CA certificate

      Enable or disable mutual authentication

        • Enable mutual authentication: If mutual authentication is not yet enabled for the listener, you can enable it by following these steps:

          1. Click the CA Certificate tab and turn on the Mutual Authentication switch, or click Enable Mutual Authentication.

          2. In the Enable Mutual Authentication dialog box, perform one of the following steps:

            • Set the CA certificate source to Alibaba Cloud, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

              If no CA certificate is available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.

            • Set the CA certificate source to Third-party, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

              If no self-signed CA certificate is available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository with Uploaded CA Certificates as the data source. Then, upload a self-signed root CA or a self-signed intermediate CA certificate to the repository.

        • Disable mutual authentication: If you have enabled mutual authentication for the listener, you can click the CA Certificate tab and turn off the Mutual Authentication switch. The listener then reverts to one-way authentication.

      Replace the CA certificate

        1. Click the CA Certificate tab. Find the default CA certificate and click Replace in the Actions column.

        2. In the Change Default CA Certificate dialog box, perform one of the following steps based on your business needs:

          • Set the CA certificate source to Alibaba Cloud, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

            If no CA certificate is available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.

          • Set the CA certificate source to Third-party, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

            If no self-signed CA certificate is available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository with Uploaded CA Certificates as the data source. Then, upload a self-signed root CA or a self-signed intermediate CA certificate to the repository.
