Server Load Balancer:Manage certificates

Last Updated:Jan 15, 2024

To configure one-way authentication or mutual authentication for Application Load Balancer (ALB), you must purchase an SSL certificate from Alibaba Cloud or upload a third-party server certificate and a certificate authority (CA) certificate. ALB uses the certificates to perform authentication.

Background information

ALB supports one-way authentication and mutual authentication.

  • One-way authentication: The client must verify the identity of the server. The server does not need to verify the identity of the client. When you configure an HTTPS listener or a QUIC listener, you must associate a server certificate with the listener.

  • Mutual authentication: The client must verify the identity of the server. The server must verify the identity of the client. A connection can be established only after both sides are authenticated. After mutual authentication is enabled, you must associate a server certificate with the listener. In addition, you must associate a CA certificate with the listener to verify the identity of the client.

Limits

  • Basic ALB instances do not support mutual authentication.

  • QUIC listeners do not support mutual authentication.

  • HTTP listeners do not support one-way authentication or mutual authentication.

Prerequisites

Add a certificate

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the ALB instance that you want to manage.

  4. Use one of the following methods to open the listener configuration wizard:

    • On the Instances page, find the ALB instance that you want to manage and click Create Listener in the Actions column.

    • On the Instances page, click the ID of the ALB instance that you want to manage. On the Listener tab, click Create Listener.

  5. In the Configure Listener step, set the following parameters and click Next.

    Only the key parameters are described here. For more information about the other parameters, see Add an HTTPS listener.

    Listener Protocol: Select a listener protocol. You can select HTTPS or QUIC based on your business requirements. In this example, HTTPS is selected.

      Note
      • QUIC listeners do not support mutual authentication.
      • HTTP listeners do not support one-way authentication or mutual authentication.

    Listener Port: Select the port on which the ALB instance listens. The ALB instance listens for requests on the specified port and then forwards the requests to backend servers. Valid values: 1 to 65535. In most cases, port 80 is used for HTTP and port 443 is used for HTTPS. Port 443 is used in this example.

    Listener Name: Enter a name for the listener.

    Advanced Settings: You can click Modify to configure the advanced settings.

  6. In the SSL Certificate step, select a server certificate.

    If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.

  7. To enable mutual authentication or configure a TLS security policy, click Modify next to Advanced Settings.

  8. Turn on Enable Mutual Authentication in the Advanced Settings section. Select Alibaba Cloud from the CA Certificate Source drop-down list and select a CA certificate from the Default CA Certificate drop-down list.

    If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

    Note
    • Only standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not support mutual authentication.

    • If you want to disable mutual authentication after you enable this feature, perform the following operations:

      1. On the Instances page, click the ID of the ALB instance that you want to manage.

      2. On the Listener tab, click the ID of the HTTPS listener that you want to manage.

      3. On the Listener Details tab, disable mutual authentication in the SSL Certificate section.

  9. Select a TLS security policy and click Next.

    If no TLS security policy is available, click Create TLS Security Policy to create one.

    A TLS security policy contains TLS protocol versions and cipher suites that are available for HTTPS listeners. For more information, see TLS security policies.

  10. In the Select Server Group step, select a server group, view the backend servers, and then click Next.

  11. In the Confirm step, confirm the configurations and click Submit.
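After the listener is created, the following script probes it from a client to confirm that the deployed server certificate, mutual authentication and TLS security policy behave as configured. It is an added example, not code from the Alibaba Cloud page; HOST, CA_BUNDLE and the version names are placeholders you supply, and it assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: probe a configured ALB
# HTTPS listener and report whether the server certificate chain, client
# certificate enforcement and TLS version policy behave as intended.
# HOST and CA_BUNDLE are placeholders you supply; requires the openssl CLI.

# 0: the listener's server certificate chain verifies against CA_BUNDLE and
#    the name matches HOST; 1: verification failed; 2: bad arguments.
check_server_cert() {
  host="$1"; ca_bundle="$2"
  if [ -z "$host" ] || [ ! -f "$ca_bundle" ]; then
    echo "usage: check_server_cert HOST CA_BUNDLE" >&2; return 2
  fi
  out=$(openssl s_client -connect "$host:443" -servername "$host" \
          -CAfile "$ca_bundle" -verify_hostname "$host" </dev/null 2>&1) || true
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# 0: the listener refuses to serve a request when no client certificate is
#    presented, i.e. mutual authentication is enforced; 1: it answered anyway.
# A TLS 1.3 server may finish the handshake and only then send an alert, so
# the check is "did we get an HTTP response", not "did the handshake fail".
check_mtls_enforced() {
  host="$1"
  [ -n "$host" ] || { echo "usage: check_mtls_enforced HOST" >&2; return 2; }
  if printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" \
       | openssl s_client -connect "$host:443" -servername "$host" -quiet 2>/dev/null \
       | grep -q '^HTTP/'; then
    return 1
  fi
  return 0
}

# 0: the listener rejects the protocol version named in $2 (tls1, tls1_1,
#    tls1_2 or tls1_3), as a strict TLS security policy should for old
#    versions; 1: it accepted it. Caveat: an OpenSSL build that lacks that
#    version fails on the client side and is also reported as "rejected".
check_tls_version_rejected() {
  host="$1"; ver="$2"
  [ -n "$host" ] && [ -n "$ver" ] || { echo "usage: check_tls_version_rejected HOST VERSION" >&2; return 2; }
  if openssl s_client -connect "$host:443" -servername "$host" "-$ver" </dev/null >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Example run against your own listener (replace the placeholders):
#   check_server_cert alb.example.com ca-bundle.pem && echo "chain ok"
#   check_mtls_enforced alb.example.com && echo "mTLS enforced"
#   check_tls_version_rejected alb.example.com tls1_1 && echo "TLS 1.1 rejected"
```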

More

  1. Log on to the ALB console.
  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, click the ID of the ALB instance that you want to manage.

  4. On the Listener tab, find the listener that you want to manage and click Manage Certificates in the Actions column.

  5. On the Certificates tab, you can perform the following operations based on your business requirements. The operations are grouped by certificate type, and each operation is followed by its procedure.

    Note

    We recommend that you renew your certificate before it expires to prevent adverse impact on your services.

    Server certificate

    Replace the default server certificate

    1. On the Server Certificates tab, find the default server certificate and click Change in the Actions column.

    2. In the dialog box that appears, select a server certificate and click OK.

      If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.

    Add an additional server certificate

    You can add an additional server certificate to a listener.

    1. On the Server Certificates tab, click Add EV Certificate.

    2. In the Add Additional Certificate dialog box, select a server certificate and click OK.

      If no server certificate is available, you can click Purchase Certificate in the upper-right corner to go to the Certificate Management Service console. Then, you can purchase or upload a server certificate. For more information, see Purchase an SSL certificate and Upload an SSL certificate.

    Delete an additional server certificate

    You can delete additional server certificates that you no longer use. After an additional server certificate is deleted, it can no longer be used for server authentication.

    1. On the Server Certificates tab, find the server certificate that you want to delete and click Delete in the Actions column.

    2. In the message that appears, click OK.

    CA certificate

    Enable or disable mutual authentication

    • Enable mutual authentication: If this is the first time that you enable mutual authentication, perform the following steps:

      1. Click the CA Certificates tab, and turn on Mutual Authentication or click Enable Mutual Authentication.

      2. In the Enable Mutual Authentication dialog box, select Alibaba Cloud as the source of the CA certificate, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

        If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

    • Disable mutual authentication: If mutual authentication is enabled for a listener, click the CA Certificates tab and turn off Mutual Authentication. After mutual authentication is disabled, only one-way authentication is supported.

    Replace a CA certificate

    1. Click the CA Certificates tab, find the default CA certificate and click Change in the Actions column.

    2. In the Change Default CA Certificate dialog box, select Alibaba Cloud as the source of the CA certificate, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

      If no CA certificate is available, click Purchase CA Certificate to create one. For more information, see Purchase and enable a private CA.

References