Updated on 2024-06-20 GMT+08:00

SNI Certificate

Scenarios

If you have an application that can be accessed through multiple domain names and each domain name uses a different certificate, you can enable SNI when you add an HTTPS listener.

SNI, an extension to Transport Layer Security (TLS), lets a server present different certificates on the same IP address and port. With SNI enabled, the client includes the domain name it is requesting in the ClientHello message at the start of the TLS handshake. The load balancer then looks for a certificate whose domain name matches the requested name. If one is found, the load balancer presents it to the client; if none is found, it presents the default certificate bound to the listener.

Constraints

  • SNI can only be enabled for HTTPS listeners.
  • If a certificate has expired, you need to manually replace or delete it by following the instructions in Binding or Replacing a Certificate.
  • An HTTPS listener can have up to 30 SNI certificates. Together, these certificates can have up to 30 domain names.

    All listeners of a dedicated load balancer can have up to 50 SNI certificates. You can submit a service ticket to increase the quota.

Prerequisites

Restrictions

  • You must specify at least one domain name for each certificate. The domain name must be the same as that in the certificate.
  • A domain name can be used by both an ECC certificate and an RSA certificate. If two SNI certificates use the same domain name, the ECC certificate is preferred.
  • Domain names in an SNI certificate are matched as follows:

    If the domain name of the certificate is *.test.com, a.test.com and b.test.com are supported, but a.b.test.com and c.d.test.com are not supported.

    The domain name with the longest suffix is matched. If a certificate contains both *.b.test.com and *.test.com, a.b.test.com preferentially matches *.b.test.com.

  • As shown in Figure 1, cer-default is the default certificate bound to the HTTPS listener, and cert-test01 and cert-test02 are SNI certificates.

    The domain name of cert-test01 is www.test01.com and that of cert-test02 is www.test02.com.

    If the domain name the client requests matches either of these domain names, the corresponding SNI certificate is presented to the client for the TLS handshake. If neither matches, the default certificate is presented.
    Figure 1 Configuring certificates
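The matching rules above (exact name, a `*.` wildcard that covers exactly one label, longest suffix wins, ECC preferred over RSA for the same name, default certificate as fallback) are easy to get wrong when reasoning about which certificate a client will see. The following is an added Python example, not code from this page or from the load balancer, that models the selection logic so you can check a planned certificate layout offline. The certificate names, domain lists and key types are constructed for the example; the function and class names are assumptions, not a product API.

```python
"""Model of the SNI certificate selection rules described on this page (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """A certificate bound to the listener (constructed for this example)."""
    name: str
    domains: Tuple[str, ...]   # domain names configured for the certificate
    key_type: str              # "ECC" or "RSA"


def _matches(pattern: str, host: str) -> bool:
    """True if ``host`` is covered by ``pattern``: exact match, or a ``*.``
    wildcard that stands for exactly one DNS label (so *.test.com covers
    a.test.com but not a.b.test.com or test.com)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # "*.test.com" -> ".test.com"
        if not host.endswith(suffix):
            return False
        leading = host[: -len(suffix)]       # the part the wildcard stands for
        return leading != "" and "." not in leading
    return False


def select_certificate(sni_host: Optional[str], certs: Sequence[Cert], default: Cert) -> Cert:
    """Return the certificate the listener would present for ``sni_host``.

    Preference order among matching names: longest suffix (most labels),
    then an exact name over a wildcard, then ECC over RSA when the same
    name is configured on both. A client that sends no SNI, or a name no
    certificate covers, gets ``default``.
    """
    if not sni_host:
        return default
    candidates: List[Tuple[Tuple[int, bool, bool], Cert]] = []
    for cert in certs:
        for pattern in cert.domains:
            if _matches(pattern, sni_host):
                rank = (
                    pattern.count("."),                 # more labels = longer suffix
                    not pattern.startswith("*."),       # exact beats wildcard
                    cert.key_type.upper() == "ECC",     # ECC beats RSA
                )
                candidates.append((rank, cert))
    if not candidates:
        return default
    candidates.sort(key=lambda c: c[0], reverse=True)
    return candidates[0][1]


# Constructed layout mirroring the page's examples (cer-default, cert-test01, cert-test02)
# plus wildcard and dual-key-type cases from the matching rules.
DEFAULT_CERT = Cert("cer-default", (), "RSA")
CERTS = [
    Cert("cert-test01", ("www.test01.com",), "RSA"),
    Cert("cert-test02", ("www.test02.com",), "RSA"),
    Cert("wild-test", ("*.test.com",), "RSA"),
    Cert("wild-b-rsa", ("*.b.test.com",), "RSA"),
    Cert("wild-b-ecc", ("*.b.test.com",), "ECC"),
]


if __name__ == "__main__":
    for host in ["www.test01.com", "a.test.com", "a.b.test.com", "c.d.test.com", "test.com", None]:
        print(f"{host!s:>16} -> {select_certificate(host, CERTS, DEFAULT_CERT).name}")
```

Running the script prints which certificate each requested name would receive: `a.b.test.com` goes to the ECC `*.b.test.com` certificate (longest suffix, then ECC), while `c.d.test.com` and `test.com` fall through to `cer-default`. On a live listener the same check is `openssl s_client -connect <load-balancer-address>:443 -servername www.test01.com`, which shows the certificate actually returned for that name; omit `-servername` to see the default certificate.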

Enabling SNI for an HTTPS Listener

  1. Log in to the management console.
  2. In the upper left corner of the page, click the region selector and select the desired region and project.
  3. Click the service list icon in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
  4. On the Load Balancers page, locate the load balancer and click its name.
  5. Click Listeners, locate the listener, and click its name.
  6. On the Summary tab, click Configure on the right of SNI.
  7. Enable SNI and select an SNI certificate.
    Figure 2 Configuring an SNI certificate
  8. Click OK.