Introduction to Certificates

ELB supports three types of certificates. If you need an HTTPS listener, you need to bind a server certificate to it. To enable mutual authentication, you also need to bind a CA certificate to the listener.

Server SM certificates: To support Chinese cryptographic algorithms, two certificates that must be used together are required, one signing certificate and one encryption certificate.
- Signing certificate: This certificate is used only for identity authentication. The public and private keys are generated and kept by the server, rather than the CA.
- Encryption certificate: This certificate is used for key negotiation. The public and private keys are generated and kept by the CA.

Precautions

A certificate can be used by multiple load balancers but only needs to be uploaded to each load balancer once.
You must specify a domain name for an SNI certificate. The domain name must be the same as that in the certificate. Only one domain name can be specified for each SNI certificate..
For each certificate type, a listener can have only one certificate by default, but a certificate can be bound to more than one listener. If SNI is enabled for the listener, multiple server certificates can be bound.
Only original certificates are supported. That is to say, you cannot encrypt your certificates.
You can use self-signed certificates. However, note that self-signed certificates pose security risks. Therefore, it is recommended that you use certificates issued by third parties.
ELB supports certificates only in PEM format. If you have a certificate in any other format, you must convert it to a PEM-encoded certificate.
If a certificate has expired, you need to manually replace or delete it.

Parent topic: Certificate

Previous topic: Certificate

Next topic: Certificate and Private Key Format