Updated on 2024-04-19 GMT+08:00

SNI Certificate

Scenarios

If you have an application that can be accessed through multiple domain names and each domain name uses a different certificate, you can enable Server Name Indication (SNI) when you add an HTTPS listener.

SNI, an extension to Transport Layer Security (TLS), enables a server to present multiple certificates on the same IP address and port number. SNI allows the client to indicate the domain name of the website while sending an SSL handshake request. Once receiving the request, the load balancer queries the right certificate based on the hostname or domain name and returns the certificate to the client. If no certificate is found, the load balancer will return the default certificate.

You can enable SNI only when you add HTTPS listeners. Load balancers can have multiple SNI certificates bound.

Constraints

An HTTPS listener can have up to 30 SNI certificates.

Prerequisites

  • You need to specify a domain name for an SNI certificate. The domain name must be the same as that in the certificate.
  • A domain name can be used by both an ECC certificate and an RSA certificate. If there are two SNI certificates that use the same domain name, the ECC certificate is displayed preferentially.
  • If a certificate has expired, you need to manually replace or delete it by following the instructions in Adding, Modifying, or Deleting a Certificate.

Procedure

  1. Log in to the management console.
  2. In the upper left corner of the page, click and select the desired region and project.
  3. Hover on in the upper left corner to display Service List and choose Network > Elastic Load Balance.
  1. Locate the load balancer and click its name.
  2. Click Listeners, locate the listener, and click its name.
  3. On the Summary tab page, click Edit on the top right.
  4. Enable SNI and select an SNI certificate.
  5. Click OK.