Configuring Multiple SSL Certificates on an Application Load Balancer | Cost-efficient Solution

How to Configure Multiple SSL Certificates on an Application Load Balancer

Question

You use an application load balancer to distribute traffic to your backend servers hosted on EC2

As the application serves two domain names, you have applied for two certificates in AWS Certificate Manager. Now you want to install both certificates in the application load balancer.

You are sure that the clients support Server Name Indication (SNI). How would you configure the certificates on the application load balancer in the most cost-efficient way?

Answers

Explanations

Answer: B.

Option A is incorrect because you cannot create two HTTPS listeners that listen on the same port of an application load balancer.

Option B is CORRECT because multiple certificates can be installed on the HTTPS listener.

The application load balancer supports SNI, and it can choose a certificate for a client automatically.

Option C is incorrect because you do not need to create two application load balancers for this scenario; doing so would not be the most cost-efficient solution.

Option D is incorrect because certificates should be installed on the listener rather than the target group.

Reference:

https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/
https://aws.amazon.com/premiumsupport/knowledge-center/acm-add-domain-certificates-elb/
[Screenshot of the EC2 console, Load Balancers page: load balancer TestALB (type: application, Availability Zones ap-southeast-2a and others, state: provisioning). The Listeners tab reads: "A listener checks for connection requests using its configured protocol and port, and the load balancer uses the listener rules to route requests to targets. You can add, remove, or update listeners and listener rules." One listener is shown: HTTPS : 443, security policy ELBSecurityPolicy-2016-08, a default SSL certificate from ACM with a "View/edit certificates" link, and a default rule forwarding to TG1.]

The correct answer is B. Add both certificates to the application load balancer listener as it supports multiple TLS certificates using SNI.

When you have multiple domain names for a single application load balancer, you need to have separate SSL/TLS certificates for each domain name. AWS Certificate Manager (ACM) is a service that helps you to manage and deploy SSL/TLS certificates for your AWS resources.

To configure the certificates in the most cost-efficient way, you can use a single HTTPS listener on your application load balancer and add both certificates to it. This approach is cost-efficient because you can use a single listener instead of two listeners, and you don't need to create multiple application load balancers.

The Application Load Balancer (ALB) supports Server Name Indication (SNI), which is a protocol extension that allows a single HTTPS listener to support multiple SSL/TLS certificates for multiple domain names. With SNI, the client can specify the domain name during the TLS handshake, and the ALB can select the appropriate certificate to use for that domain.

To add multiple SSL/TLS certificates to an ALB listener, follow these steps:

  1. Create an HTTPS listener on your ALB.
  2. In the listener configuration, select "Multiple TLS Certificates" under the "SSL/TLS Certificates" section.
  3. Click "Add Certificate" and select the first certificate from ACM.
  4. Repeat step 3 for the second certificate from ACM.
  5. Save the listener configuration.

After configuring the listener with both certificates, the ALB will automatically use the appropriate certificate for each incoming request based on the SNI value in the TLS handshake.
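The following added example (written for this page, not AWS code) models what the listener does once both certificates are attached: the client names a host in the TLS ClientHello, the listener serves the matching certificate, and a client that sends no SNI extension, or asks for a host no certificate covers, receives the default certificate. The certificate ARNs and hostnames are constructed sample values, and the preference for an exact name over a wildcard match is an assumption of this model rather than documented ALB behaviour. The `name_validates` check shows the caveat worth testing after setup: a request that falls back to the default certificate will fail hostname validation on the client side unless the default certificate also covers that name.

```python
# Added illustration (not AWS code): models how a single HTTPS listener with
# several certificates behaves under SNI. Certificate ARNs and hostnames below
# are constructed sample values.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Certificate:
    arn: str            # constructed placeholder ARN
    names: tuple        # DNS names the certificate covers (CN plus SANs)


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; a leading '*' covers exactly one label
    (the usual browser/RFC 6125 rule), so '*.example.com' covers neither
    'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


class SniListener:
    """One HTTPS listener holding a default certificate plus extra certificates."""

    def __init__(self, default: Certificate, extra: Iterable[Certificate] = ()):
        self.default = default
        self.certificates = [default, *extra]

    def add_certificate(self, cert: Certificate) -> None:
        self.certificates.append(cert)

    def select(self, sni_hostname: Optional[str]) -> Certificate:
        """Pick the certificate for a handshake. None models a client that
        sends no SNI extension: such clients always receive the default."""
        if sni_hostname is None:
            return self.default
        wanted = sni_hostname.lower().rstrip(".")
        # Assumption of this model: an exact name wins over a wildcard match.
        for cert in self.certificates:
            if any(n.lower().rstrip(".") == wanted for n in cert.names):
                return cert
        for cert in self.certificates:
            if any(name_matches(n, sni_hostname) for n in cert.names):
                return cert
        return self.default        # no match: the default certificate is served

    def name_validates(self, requested_hostname: str) -> bool:
        """Would a client validating the served certificate against the
        hostname it asked for accept it? False means a hostname-mismatch error."""
        cert = self.select(requested_hostname)
        return any(name_matches(n, requested_hostname) for n in cert.names)


def build_listener() -> SniListener:
    """Two ACM certificates on one listener, as in the question (sample values)."""
    shop = Certificate("arn:aws:acm:ap-southeast-2:123456789012:certificate/cert-shop",
                       ("www.example-shop.test", "example-shop.test"))
    blog = Certificate("arn:aws:acm:ap-southeast-2:123456789012:certificate/cert-blog",
                       ("*.example-blog.test",))
    listener = SniListener(default=shop)
    listener.add_certificate(blog)
    return listener


def audit(listener: SniListener, hostnames: Iterable[Optional[str]]) -> dict:
    """Report which certificate each client would receive and whether it validates
    (None for a client that sent no SNI, since there is no requested name to check)."""
    report = {}
    for host in hostnames:
        cert = listener.select(host)
        ok = listener.name_validates(host) if host is not None else None
        report[host] = (cert.arn.rsplit("/", 1)[-1], ok)
    return report


if __name__ == "__main__":
    lst = build_listener()
    probes = ["www.example-shop.test", "news.example-blog.test",
              "example-blog.test", "unknown.test", None]
    for host, (cert_id, ok) in audit(lst, probes).items():
        print(f"{str(host):28} -> {cert_id:10} validates={ok}")
```

On a real listener the same check is done from outside with `openssl s_client -connect <alb-dns-name>:443 -servername <hostname>` for each domain (and once without `-servername` to see what a non-SNI client gets), confirming that each hostname is answered with a certificate that covers it. The console steps above correspond to `aws elbv2 create-listener --certificates CertificateArn=<default-cert-arn>` followed by `aws elbv2 add-listener-certificates --listener-arn <listener-arn> --certificates CertificateArn=<second-cert-arn>`; the angle-bracket values are placeholders.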

Therefore, option B is the correct answer for configuring multiple certificates in a single listener in the most cost-efficient way.