When you configure a listener that uses SSL over TCP, you can purchase a certificate from Alibaba Cloud Certificate Management Service or upload the required third-party server certificate and certificate authority (CA) certificate to Alibaba Cloud Certificate Management Service. Then, Network Load Balancer (NLB) obtains and uses the certificates from Certificate Management Service.
Background information
NLB supports one-way authentication and mutual authentication. Select the authentication method that fits your business requirements.
- One-way authentication: Only the client verifies the identity of the server; the server does not verify the identity of the client. During the handshake, the client receives the public key certificate of the server and validates it, and the connection is established only after the identity of the server is verified. When you configure a listener that uses SSL over TCP, you must associate a server certificate with the listener.
- Mutual authentication: The client receives the server certificate (public key certificate) from the server and presents its own client certificate (public key certificate) to the server, so that each side verifies the other. The connection is established only after the identities of both the client and the server are verified. After mutual authentication is enabled, you must associate a server certificate with the listener and, in addition, a CA certificate that the listener uses to verify the identity of the client.
If you want to access multiple domain names or add multiple server certificates, you can add additional certificates to the listener that uses SSL over TCP. For more information, see What to do next.
Prerequisites
- An NLB instance is created. For more information, see Create and manage an NLB instance.
- A server group is created. For more information, see Create and manage a server group.
- A server certificate is prepared. A server certificate is purchased or uploaded in the Certificate Management Service console. For more information, see Purchase an SSL certificate and Upload a certificate.
- A client certificate is prepared (required only if you enable mutual authentication). An intermediate CA certificate is purchased and enabled in the Certificate Management Service console, and at least one private intermediate CA certificate is available. For more information, see Purchase and enable a private CA.
Add a certificate
1. Log on to the NLB console.
2. In the top navigation bar, select the region in which the NLB instance is deployed.
3. On the Instances page, find the NLB instance that you want to manage and use one of the following methods to open the listener configuration wizard:
   - Click Create Listener in the Actions column.
   - Click the ID of the NLB instance and click the Listener tab. On the Listener tab, click Create Listener above the listener list.
   - Click the instance ID. On the instance details page, click Create Listener in the wizard.
   - Click the instance ID. In the upper-right corner of the instance details page, click Create Listener.
4. In the Configure Listener step, set the parameters and click Next.
   The following section describes only the key parameters. For more information about how to configure other parameters, see Create a listener that uses SSL over TCP.
   Listener Protocol: TCPSSL is selected in this example.
5. In the Configure SSL Certificate step, select a server certificate from the Server Certificate drop-down list.
   If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload a certificate.
6. Optional: Turn on Enable Mutual Authentication in Advanced Settings. Select Alibaba Cloud from the CA Certificate Source drop-down list and select a CA certificate from the Default CA Certificate drop-down list.
   Skip this step if you use one-way authentication.
   If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.
   Note: If you want to disable mutual authentication later, perform the following steps:
   - On the Instances page, click the ID of the NLB instance that you want to manage.
   - On the Listener tab, click the ID of the listener that uses SSL over TCP.
   - On the Listener Details tab, go to the SSL Certificate section and disable mutual authentication.
7. Select a TLS security policy and click Next.
   If no TLS security policy is available, click Create TLS Security Policy to create one. For more information, see TLS security policies.
8. In the Select Server Group step, select a server type from the Server Type drop-down list, select a backend server group, view the backend servers, and then click Next.
9. In the Configuration Review step, confirm the configurations and click Submit.
What to do next
1. Log on to the NLB console.
2. In the top navigation bar, select the region in which the NLB instance is deployed.
3. On the Instances page, find the NLB instance that you want to manage and click its ID.
4. On the Instance Details page, click the Listener tab, find the listener that you want to manage, and use one of the following methods to manage certificates:
   - In the Actions column, click Manage Certificates.
   - Click the ID of the listener. On the Listener Details tab, click Manage Certificates in the SSL Certificate section.
5. On the Certificates tab, perform the following operations to manage certificates:
Note: To prevent service interruptions, we recommend that you replace your certificates before they expire.

Server certificate
- Change the default server certificate of a listener
  1. On the Server Certificates tab, find the certificate that you want to manage and click Change in the Actions column.
  2. In the dialog box that appears, select a server certificate and click OK.
     If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload a certificate.
- Add additional certificates
  You can add additional certificates to a listener. You can add up to 25 additional certificates to each NLB instance and up to 15 additional certificates at a time.
  1. On the Server Certificates tab, click Add Additional Certificate.
  2. In the Add Additional Certificate dialog box, select one or more server certificates and click OK.
     If no server certificate is available, click Purchase Certificate in the upper-right corner to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload a certificate.
- Delete an additional certificate
  You can delete additional server certificates that you no longer use. After an additional server certificate is deleted, it can no longer be used for server authentication.
  1. On the Server Certificates tab, find the additional server certificate that you want to delete and click Delete in the Actions column.
  2. In the message that appears, click OK.

CA certificate
- Enable mutual authentication
  1. Click the CA Certificates tab and turn on Mutual Authentication or click Enable Mutual Authentication.
     Note: You can also enable mutual authentication in the SSL Certificate section of the Listener Details tab.
  2. In the dialog box that appears, set the Default CA Certificate parameter and click OK.
     If no CA certificate is available, click Purchase Certificate to create one. For more information, see Purchase and enable a private CA.
- Change a CA certificate
  1. Click the CA Certificates tab, find the certificate that you want to manage, and click Change in the Actions column.
  2. In the dialog box that appears, set the Default CA Certificate parameter and click OK.
     If no CA certificate is available, click Purchase Certificate to create one. For more information, see Purchase and enable a private CA.
- Disable mutual authentication
  Click the CA Certificates tab and turn off Mutual Authentication. After you disable mutual authentication, the listener supports only one-way authentication.
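The two authentication modes described under Background information, and the advice above to replace certificates before they expire, can be exercised from the client side with the openssl command line. The following script is an added example, not code from Alibaba Cloud or from the NLB console. It generates a throwaway private CA plus a server and a client certificate (stand-ins for the certificates you would upload to Certificate Management Service), runs a local openssl s_server in place of the TCPSSL listener, first without and then with the equivalent of Enable Mutual Authentication, and checks that the server chain verifies only against the CA the client trusts, that a client without a CA-issued certificate is refused once mutual authentication is on, and whether the served certificate expires within a given window. The port 14433 (overridable through DEMO_PORT), the subject names and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud code: a local `openssl s_server` stands in for
# the TCPSSL listener so that one-way authentication, mutual authentication and
# the certificate expiry check can be exercised offline. Every certificate used
# here is a throwaway one generated on the fly (constructed for the demo).
set -u

PORT=${DEMO_PORT:-14433}   # constructed local port; any free port works

# Build a throwaway private CA, a server and a client certificate issued by it,
# and an unrelated CA. They stand in for the certificates you would upload to
# Certificate Management Service. Every certificate is valid for one day.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-private-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=unrelated-ca" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
    for role in server client; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$role" \
            -keyout "$WORK/$role.key" -out "$WORK/$role.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$WORK/$role.csr" -CA "$WORK/ca.pem" \
            -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$role.pem" 2>/dev/null
    done
}

# Start the stand-in listener. $1 is "one-way" or "mutual"; "mutual" mirrors a
# listener with Enable Mutual Authentication turned on, i.e. the server demands
# a client certificate that chains to the CA certificate (ca.pem).
start_listener() {
    if [ "$1" = mutual ]; then set -- -Verify 1 -CAfile "$WORK/ca.pem"; else set --; fi
    openssl s_server -accept "127.0.0.1:$PORT" -www -cert "$WORK/server.pem" \
        -key "$WORK/server.key" "$@" >/dev/null 2>&1 &
    SERVER_PID=$!
    sleep 1   # give s_server a moment to bind the port
}

stop_listener() { kill "$SERVER_PID" 2>/dev/null; wait "$SERVER_PID" 2>/dev/null || true; }

# One TLS connection as a client that trusts the CA file $1. Further arguments
# (for example -cert/-key for a client certificate) go straight to s_client.
# Prints the s_client transcript, which the checks below inspect.
tls_probe() {
    ca=$1; shift
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
        -CAfile "$ca" -verify_return_error -ign_eof "$@" 2>&1
}

# One-way authentication: the server chain verifies against the trusted CA.
server_cert_verified() { tls_probe "$@" | grep -q 'Verify return code: 0 (ok)'; }

# Mutual authentication: the server only answers the request when it accepted
# the client identity (or when it did not ask for one).
request_answered() { tls_probe "$@" | grep -q 'HTTP/1.0 200'; }

# Expiry: succeeds if the served certificate is still valid $2 seconds from now.
server_cert_valid_for() { tls_probe "$1" | openssl x509 -noout -checkend "$2" >/dev/null; }

# expect <ok|fail> <label> <command...>: run the check, print PASS/FAIL, count mismatches.
expect() {
    want=$1; label=$2; shift 2
    if "$@"; then got=ok; else got=fail; fi
    if [ "$got" = "$want" ]; then echo "PASS  $label"; else echo "FAIL  $label"; failures=$((failures + 1)); fi
}

# Runs every check against both listener modes; returns 0 only if each one
# behaves the way the corresponding NLB listener setting should.
run_checks() {
    WORK=$(mktemp -d); failures=0
    make_pki
    start_listener one-way
    expect ok   "one-way: chain verified by a client that trusts the private CA" \
        server_cert_verified "$WORK/ca.pem"
    expect fail "one-way: server rejected by a client that trusts an unrelated CA" \
        server_cert_verified "$WORK/other-ca.pem"
    expect ok   "expiry: served certificate still valid one hour from now" \
        server_cert_valid_for "$WORK/ca.pem" 3600
    expect fail "expiry: served certificate expires within two days, replace it" \
        server_cert_valid_for "$WORK/ca.pem" 172800
    stop_listener
    start_listener mutual
    expect fail "mutual: client without a certificate is refused" \
        request_answered "$WORK/ca.pem"
    expect ok   "mutual: client with a CA-issued certificate is served" \
        request_answered "$WORK/ca.pem" -cert "$WORK/client.pem" -key "$WORK/client.key"
    stop_listener
    rm -rf "$WORK"
    [ "$failures" -eq 0 ]
}

run_checks
```

To run the same checks against a real listener, point the -connect argument in tls_probe at the listener's address and port and pass the CA file you actually trust; the probes only read the handshake transcript. The expiry check relies on openssl x509 -checkend, which exits non-zero when the certificate expires within the given number of seconds, a convenient condition for a scheduled job that reminds you to replace a certificate well before the listener starts serving an expired one.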
References
Tutorials:
- For more information about how to configure NLB and an SSL certificate to perform SSL offloading over TCP while using one-way authentication, see Use NLB to enable SSL offloading over TCP (one-way authentication).
- For more information about how to configure NLB, an SSL certificate, and a CA certificate to perform SSL offloading over TCP while using mutual authentication, see Use NLB to enable SSL offloading over TCP (mutual authentication).
API:
- CreateListener: creates a listener that uses SSL over TCP.
- AssociateAdditionalCertificatesWithListener: associates additional certificates with a listener that uses SSL over TCP.
- DisassociateAdditionalCertificatesWithListener: disassociates an additional certificate from a listener that uses SSL over TCP.