Listener Certificate
When creating an HTTPS listener, users can bind an HTTPS certificate to it.
Bind Certificate
- Log in to the ALB console.
- On the top menu bar, select the region where your ALB instance is located.
- Choose either of the following methods to open the listener configuration.
  - On the Instance List page, click Listener Management in the Operation column of the target instance.
  - On the Instance List page, click the target instance ID or details. On the Listener Management tab, open the listener details page.
- On the Listener Details page, select the “UCert” tab.
- Click Bind Certificate in the top left corner. On the “Bind Certificate” page, select the required certificate and then click “Confirm”.
Unbind Certificate
The certificate selected when creating an HTTPS listener is the default certificate. It can only be replaced, not unbound.
- Log in to the ALB console.
- On the top menu bar, select the region where your ALB instance is located.
- Choose either of the following methods to open the listener configuration.
  - On the Instance List page, click Listener Management in the Operation column of the target instance.
  - On the Instance List page, click the target instance ID or details. On the Listener Management tab, open the listener details page.
- On the Listener Details page, select the “UCert” tab.
- Select the certificate you want to unbind and click the Unbind button.
- In the pop-up window that appears, click “Confirm” to complete the unbind operation.
SNI Certificate
An HTTPS listener supports binding multiple certificates, so the same listener can automatically select a certificate by domain name and meet the requirements of HTTPS authentication and backend access for multiple domain names. After the load balancer receives an HTTPS request, it searches for a certificate based on the requested domain name. If it finds a certificate corresponding to the domain name, it returns that certificate; otherwise, it returns the default certificate.
Usage Restrictions
- An instance supports binding a maximum of 25 SNI certificates, excluding the default certificate.
- A certificate can only be bound to a listener once and cannot be bound repeatedly.
SNI Certificate Matching Rules
- If the request sent by the client matches one of the certificates in the certificate list, ALB will select this certificate. If the request sent by the client matches multiple certificates in the certificate list, the load balancer will determine the priority based on the binding time. The certificate with the latest binding time has the highest priority.
- If no certificate corresponding to the domain name is matched, the default certificate is used. The default certificate cannot be deleted; only its binding can be changed.
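
The matching rules above, modelled as an added example that is not ALB's own code: it predicts which certificate a listener presents for a given SNI name and lists hosts where more than one bound certificate matches, so binding time decides the result. The class and function names, the sample bindings, and the wildcard semantics (`*.` covers exactly one leftmost label) are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BoundCert:
    name: str           # constructed label, not a real certificate ID
    domains: tuple      # DNS names the certificate covers
    bound_at: datetime  # when it was bound to the listener


def covers(pattern, host):
    """Exact match, or '*.' wildcard covering exactly one leftmost label.
    Wildcard handling is an assumption of this example."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def matching_certs(sni, sni_certs):
    return [c for c in sni_certs if any(covers(d, sni) for d in c.domains)]


def select_cert(sni, default, sni_certs):
    """Latest binding time wins among matches; no match returns the default."""
    matches = matching_certs(sni, sni_certs) if sni else []
    return max(matches, key=lambda c: c.bound_at) if matches else default


def overlaps(hosts, sni_certs):
    """Hosts covered by more than one certificate, where binding order decides."""
    return {h: sorted(c.name for c in matching_certs(h, sni_certs))
            for h in hosts if len(matching_certs(h, sni_certs)) > 1}


# Constructed sample bindings
DEFAULT = BoundCert("default", ("www.example.com",), datetime(2024, 1, 1))
SNI_CERTS = [
    BoundCert("api-cert", ("api.example.com",), datetime(2024, 2, 1)),
    BoundCert("wildcard-cert", ("*.example.com",), datetime(2024, 3, 1)),
    BoundCert("shop-cert", ("shop.example.net",), datetime(2024, 2, 15)),
]

if __name__ == "__main__":
    for host in ("api.example.com", "shop.example.net", "a.b.example.com", "other.test"):
        print(host, "->", select_cert(host, DEFAULT, SNI_CERTS).name)
    print("overlaps:", overlaps(["api.example.com", "shop.example.net"], SNI_CERTS))
```

In the sample data the wildcard certificate was bound after the host-specific one, so `api.example.com` is served the wildcard certificate; rebinding the specific certificate later would reverse that.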