Help Center> Elastic Load Balance> User Guide> Advanced Features of HTTP/HTTPS Listeners> SNI Certificate
Updated on 2024-01-05 GMT+08:00
View PDF

SNI Certificate

Scenarios

If you have an application that can be accessed through multiple domain names and each domain name uses a different certificate, you can enable Server Name Indication (SNI) when you add an HTTPS listener.

SNI, an extension to Transport Layer Security (TLS), enables a server to present multiple certificates on the same IP address and port number. SNI allows the client to indicate the domain name of the website while sending an SSL handshake request. Once receiving the request, the load balancer queries the right certificate based on the hostname or domain name and returns the certificate to the client. If no certificate is found, the load balancer will return the default certificate.

You can enable SNI only when you add HTTPS listeners. Load balancers can have multiple SNI certificates bound.

Constraints

An HTTPS listener can have up to 30 SNI certificates. All the certificates can have up to 30 domain names.

Listeners of a dedicated load balancer can have up to 50 SNI certificates. You can submit a service ticket to increase the quota.

Prerequisites

  • You need to specify a domain name for an SNI certificate. The domain name must be the same as that in the certificate.
  • A domain name can be used by both an ECC certificate and an RSA certificate. If there are two SNI certificates that use the same domain name, the ECC certificate is displayed preferentially.
  • Domain names in an SNI certificate are matched as follows:

    If the domain name of the certificate is *.test.com, a.test.com and b.test.com are supported, and a.b.test.com and c.d.test.com are not supported.

    The domain name with the longest suffix is matched: If a certificate contains both *.b.test.com and *.test.com, a.b.test.com preferentially matches *.b.test.com.

  • If a certificate has expired, you need to manually replace or delete it by following the instructions in Replacing the Certificate Bound to a Listener.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Hover on in the upper left corner to display Service List and choose Networking > Elastic Load Balance.
  1. Locate the load balancer and click its name.
  2. Click Listeners, locate the listener, and click its name.
  3. On the Summary tab page, click Edit on the top right.
  4. Enable SNI and select an SNI certificate.
  5. Click OK.