Help Center/ Elastic Load Balance/ User Guide/ User Guide for Dedicated Load Balancers/ Security/ SNI Certificate
Updated on 2024-09-20 GMT+08:00
View PDF
Share

SNI Certificate

Server Name Indication (SNI) is an extension of the Transport Layer Security (TLS) protocol. It is used when a server uses multiple domain names and certificates.

Scenarios

If you have an application that can be accessed through multiple domain names and each domain name uses a different certificate, you can enable SNI when you add an HTTPS listener.

After SNI is enabled, you need to select SNI certificates based on the domain names. The client submits the requested domain name while sending an SSL handshake. Once receiving the request, the load balancer searches for the certificate based on the domain name. If the certificate is found, this certificate will be used for authentication. If no SNI certificates are found, the server certificate is used for authentication.

Notes and Constraints

  • SNI can be only enabled for HTTPS and TLS listeners.
  • After SNI is enabled, select an SNI certificate by referring to Adding a Certificate.
  • If a certificate has expired, you need to manually replace or delete it by following the instructions in Binding or Replacing a Certificate.
  • An HTTPS listener can have up to 30 SNI certificates. All the certificates can have up to 30 domain names.

    All listeners of a dedicated load balancer can have up to 50 SNI certificates. You can submit a service ticket to increase the quota.

Restrictions

  • You must specify at least one domain name for each SNI certificate. The domain name must be the same as that in the certificate.
  • A domain name can be used by both an ECC certificate and an RSA certificate. If there are two SNI certificates that use the same domain name, the ECC certificate is displayed preferentially.

How SNI Certificates and Domain Names Are Matched

  • Domain names in an SNI certificate are matched as follows:

    If the domain name of the certificate is *.test.com, a.test.com and b.test.com are supported, but a.b.test.com and c.d.test.com are not supported.

    The domain name with the longest suffix is matched. If a certificate contains both *.b.test.com and *.test.com, a.b.test.com preferentially matches *.b.test.com.

  • As shown in Figure 1, cert-default is the default certificate bound to the HTTPS listener, and cert-test01 and cert-test02 are SNI certificates.

    The domain name of cert-test01 is www.test01.com and that of cert-test02 is www.test02.com.

    If the requested domain name matches either of the domain names, the corresponding SNI certificate will be used for authentication. If no domain name is matched, the default server certificate is used for authentication.
    Figure 1 Configuring certificates

Enabling SNI for an HTTPS Listener

  1. Go to the load balancer list page.
  1. On the displayed page, locate the load balancer and click its name.
  2. Click Listeners, locate the listener, and click its name.
  3. On the Summary tab, click Configure on the right of SNI.
  4. Enable SNI and select an SNI certificate.
    Figure 2 Configuring an SNI certificate
  5. Click OK.
Parent Topic: Security