Updated on 2024-04-18 GMT+08:00

Introduction to Certificates

ELB supports three types of certificates: server certificates, CA certificates, and server SM certificates. An HTTPS listener requires a server certificate to be bound to it. To enable mutual authentication (the listener verifying the certificates presented by clients), you also need to bind a CA certificate to the listener.
  • Server SM certificates: To support Chinese cryptographic algorithms (SM2/SM3/SM4), two certificates that must be used together are required: a signing certificate and an encryption certificate.
    • Signing certificate: Used only for identity authentication (signing in the handshake). The key pair is generated and kept by the server; the CA never holds this private key.
    • Encryption certificate: Used for key negotiation. The key pair is generated by the CA's key management center, which keeps an escrow copy, and is delivered to the server together with the certificate.

Precautions

  • A certificate needs to be uploaded only once; the same uploaded certificate can then be used by multiple load balancers.
  • You must specify a domain name for an SNI certificate, and it must be the same as the domain name in the certificate. Only one domain name can be specified for each SNI certificate.
  • For each certificate type, a listener can have only one certificate by default, while a certificate can be bound to more than one listener. If SNI is enabled for the listener, multiple server certificates can be bound to it.
  • Only original (unencrypted) certificates are supported. That is, the private key you upload must not be passphrase-protected, because ELB cannot decrypt it.
  • You can use self-signed certificates. However, self-signed certificates are not trusted by browsers or other clients by default and therefore pose security risks, so certificates issued by a trusted third-party CA are recommended.
  • ELB supports certificates only in PEM format. If you have a certificate in any other format (for example DER or a PKCS#12 .pfx bundle), you must convert it to a PEM-encoded certificate before uploading it.
  • If a certificate has expired, you need to manually replace or delete it; ELB does not do this for you.
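The following shell script is an added example and is not part of the ELB documentation or of any Huawei Cloud tooling. It shows, with openssl, the conversions the precautions above call for (DER and PKCS#12 to PEM, stripping a key passphrase) and the checks an operator would want before uploading: that the key is unencrypted, that it matches the certificate, that the certificate is not about to expire, and that the SNI domain matches a name in the certificate. To run offline it generates a throwaway self-signed certificate for www.example.com; the hostname, the password "secret", the file names and the working directory are all assumptions, and in practice cert.pem and key.pem would be the files from your CA. It requires openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the ELB documentation): convert and check a
# certificate and private key before binding them to an HTTPS listener.
# Hostname, password and file names below are assumptions for the demo.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- conversions into the PEM form ELB accepts -----------------------------

# DER (binary) certificate -> PEM.
der_to_pem() {                         # $1=cert.der  $2=cert.pem
    openssl x509 -inform DER -in "$1" -out "$2"
}

# PKCS#12 bundle (.pfx/.p12) -> unencrypted PEM key and leaf certificate.
# Piping through pkey/x509 drops the "Bag Attributes" lines pkcs12 emits.
pkcs12_to_pem() {                      # $1=bundle $2=password $3=key.pem $4=cert.pem
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes | openssl pkey -out "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys | openssl x509 -out "$4"
}

# Passphrase-protected PEM key -> plain PEM key (ELB cannot decrypt keys).
strip_passphrase() {                   # $1=key.enc.pem $2=password $3=key.pem
    openssl pkey -in "$1" -passin "pass:$2" -out "$3"
}

# --- pre-upload checks -----------------------------------------------------

# Both PKCS#8 ("ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED")
# encrypted keys would be rejected by the upload.
key_is_unencrypted() {                 # $1=key.pem
    ! grep -q -e 'ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# The key must belong to the certificate: compare the SPKI public keys.
key_matches_cert() {                   # $1=key.pem $2=cert.pem
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Succeeds only if the certificate is still valid $2 seconds from now.
cert_not_expiring() {                  # $1=cert.pem $2=seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Exact match of the SNI domain against the SAN DNS names, falling back to
# the subject CN (a wildcard entry is not expanded here).
cert_has_name() {                      # $1=cert.pem $2=domain
    names=$( { openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://';
               openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
                   sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'; } )
    for n in $names; do
        [ "$n" = "$2" ] && return 0
    done
    return 1
}

# --- fixture: a self-signed test certificate in every input format --------
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=www.example.com' \
    -addext 'subjectAltName=DNS:www.example.com' \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/cert.der"
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -passout pass:secret -out "$WORK/bundle.p12"
openssl pkey -in "$WORK/key.pem" -aes256 -passout pass:secret -out "$WORK/key.enc.pem"

# The checks an operator runs before uploading cert.pem and key.pem.
key_is_unencrypted "$WORK/key.pem"
key_matches_cert "$WORK/key.pem" "$WORK/cert.pem"
cert_not_expiring "$WORK/cert.pem" 2592000      # 30 days
cert_has_name "$WORK/cert.pem" www.example.com
echo "cert.pem and key.pem are ready for upload"
```

The `-checkend` threshold is worth setting well above 24 hours: an expired certificate has to be replaced by hand, so the check should fire while there is still time to obtain and upload the replacement. The name check deliberately requires an exact match, mirroring the SNI rule that the configured domain must equal the one in the certificate.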