Easiest Solution to Install SSL Certificate on AWS ALB for Different Domain

Install SSL Certificate for Different Domain on AWS Application Load Balancer

Question

Your application is hosted in an EC2 instance behind an application load balancer.

The SSL traffic is terminated at the load balancer.

A certificate for the domain name www.example1.com was requested from AWS Certificate Manager (ACM) and installed in the ALB listener. Now the application needs to use another certificate to handle a different domain (www.example2.com).

Which of the following options is the easiest solution to install the certificate?

Answers

Explanations


A. B. C. D. E.

Answer: B.

Option A is incorrect because, with this method, you have to maintain another set of application load balancers and target groups.

You may also need to adjust your automation scripts, such as CloudFormation templates, to reflect such changes in your AWS infrastructure.

Option B is CORRECT because the second certificate can be installed directly on the ALB listener, and you can bind up to 25 certificates per load balancer.

You can now host multiple TLS secured applications, each with its own TLS certificate, behind a single load balancer.

In order to use SNI, all you need to do is bind multiple certificates to the same secure listener on your load balancer.

ALB will automatically choose the optimal TLS certificate for each client.

Option C is incorrect because there is no need to remove the first certificate from the ELB, and the SSL traffic should still be terminated at the ALB.

Option D is incorrect because it requires additional configuration of NGINX on the EC2 instance to achieve the requirements.

Reference:

https://aws.amazon.com/blogs/aws/new-application-load-balancer-sni/.

The correct option to install the second certificate for the different domain name in the given scenario is option B: Install the second certificate (www.example2.com) at the same application load balancer with Smart Selection Using SNI.

Explanation: An application load balancer (ALB) terminates SSL/TLS traffic using a certificate installed on its listener. That certificate is used to decrypt the SSL/TLS traffic the ALB receives from clients.

To install a different certificate for a new domain name (www.example2.com), the easiest solution is to use Smart Selection Using SNI (Server Name Indication) with the existing ALB. SNI allows an ALB to use multiple SSL/TLS certificates on the same listener and differentiate traffic based on the domain name requested by the client.

Here are the steps to install the second certificate with SNI:

  1. Request a new certificate from AWS Certificate Manager (ACM) for the domain name www.example2.com.
  2. Install the certificate on the EC2 instance(s) behind the ALB.
  3. Go to the AWS Management Console and navigate to the ALB listener settings.
  4. Add a new SSL/TLS certificate to the listener with SNI enabled.
  5. Configure the ALB listener to use the appropriate certificate for each domain name requested by the client.
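The same procedure carried out with the AWS CLI instead of the console, followed by the check a practitioner runs afterwards to confirm which certificate the ALB presents for each hostname. This is an added example, not code from the original page or from AWS; the listener ARN, the ALB DNS name and the hostnames are placeholders, and the script assumes the AWS CLI and OpenSSL 1.1.1 or later are installed with credentials already configured. The certificate is bound only to the listener, where TLS is terminated; the first certificate in the listener's default list is the one served to clients that do not send an SNI hostname.

```shell
#!/bin/sh
# Added example (not from the original page): bind a second ACM certificate
# to the existing HTTPS listener and verify SNI-based selection.
# All ARNs and hostnames below are placeholders; replace them with your own.
# Set DRY_RUN=1 to print the commands instead of executing them.

LISTENER_ARN="${LISTENER_ARN:-arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:listener/app/PLACEHOLDER}"
ALB_DNS_NAME="${ALB_DNS_NAME:-PLACEHOLDER-alb.REGION.elb.amazonaws.com}"

# Run a command, or only echo it when DRY_RUN is set.
run() {
  if [ -n "$DRY_RUN" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Request the certificate for the new domain in ACM (DNS validation) and
# print its ARN. The CNAME record ACM asks for must be created before the
# certificate is issued.
request_certificate() {
  run aws acm request-certificate --domain-name "$1" \
    --validation-method DNS --query CertificateArn --output text
}

# Block until ACM has validated and issued the certificate.
wait_for_certificate() {
  run aws acm wait certificate-validated --certificate-arn "$1"
}

# Bind the issued certificate to the same HTTPS listener as an additional
# (non-default) certificate; the ALB selects it by the client's SNI hostname.
add_listener_certificate() {
  run aws elbv2 add-listener-certificates --listener-arn "$1" \
    --certificates "CertificateArn=$2"
}

# List every certificate bound to the listener, including the default one.
list_listener_certificates() {
  run aws elbv2 describe-listener-certificates --listener-arn "$1"
}

# Connect to the ALB while sending a chosen SNI hostname and print the subject
# and SANs of the certificate actually presented. If the SANs do not cover the
# hostname, clients for that domain will see a certificate mismatch.
check_sni() {
  alb="$1"; sni="$2"
  if [ -n "$DRY_RUN" ]; then
    printf 'openssl s_client -connect %s:443 -servername %s | openssl x509 -noout -subject -ext subjectAltName\n' "$alb" "$sni"
    return 0
  fi
  openssl s_client -connect "$alb:443" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

# Usage: sh add_sni_cert.sh www.example2.com   (set DRY_RUN=1 to preview)
if [ "$#" -eq 1 ]; then
  CERT_ARN=$(request_certificate "$1")
  wait_for_certificate "$CERT_ARN"
  add_listener_certificate "$LISTENER_ARN" "$CERT_ARN"
  list_listener_certificates "$LISTENER_ARN"
  # Both hostnames must come back with a matching certificate.
  check_sni "$ALB_DNS_NAME" www.example1.com
  check_sni "$ALB_DNS_NAME" "$1"
fi
```

Running the last two checks against both hostnames is the part worth keeping around: it catches a certificate whose SANs do not include the new domain, and a listener whose default certificate was accidentally replaced rather than supplemented.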

Option A: Creating another application load balancer and installing the second certificate is a viable solution, but it is not the easiest solution. This option requires additional configuration, management, and cost.

Option C: Deleting the first certificate from the ALB and removing SSL termination at the ELB (Elastic Load Balancer) is not a viable solution because it would make the application insecure and non-compliant with security best practices.

Option D: Installing both certificates on the EC2 instance(s) is not a viable solution because it does not provide SSL/TLS termination at the load balancer level, which is required for scalability, availability, and security.

Option E: Configuring an NGINX server on the EC2 instance(s) and installing both certificates is a viable solution, but it is not the easiest solution. This option requires additional configuration, management, and cost, and it also introduces a single point of failure and potential performance bottleneck.