Docs
ulb
Application Load Balancer ALB
Operation Guide
Listeners
Listener Certificates

Monitor Certificate

When creating an HTTPS listening, users are allowed to bind an HTTPS certificate.

Bind Certificate

  1. Log in to the Application Load Balancer (ALB) console.
  2. On the top menu bar, select the region where your ALB instance is located.
  3. Choose either of the following methods to open the listening configuration.
    1. On the Instance List page, click Listener Management in the Operation column of the target instance.
    2. On the Instance List page, click the target instance ID or details. On the Listener Management tab, enter the listener detail page.
  4. On the Listener Details page, select the Listener Certificate tab.
  1. Click Bind Certificate on the top left corner. On the Bind Certificate page, select the needed certificate and then click OK.

Unbind Certificate

The certificate selected when creating an HTTPS listener is the default one which only supports replacement without unbinding.

  1. Log in to the Application Load Balancer (ALB) console.
  2. On the top menu bar, select the region where your ALB instance is located.
  3. Choose either of the following methods to open the listening configuration.
    1. On the Instance List page, click Listener Management in the Operation column of the target instance.
    2. On the Instance List page, click the target instance ID or details. On the Listener Management tab, enter the listener detail page.
  4. On the Listener Details page, select the Listener Certificate tab.
  5. Select the certificate you want to unbind and click the Unbind button.

​ 6. In the pop-up window that appears, click OK to complete the unbind operation.

SNI Certificate

HTTPS listener supports binding to multiple certificates, thus having one listener automatically choose the certificate for HTTPS authentication and visit to the backend based on multiple domain names. After receiving an HTTPS request, the load balancer will search for the certificate based on the domain name; if it finds a certificate corresponding to the domain name, it returns that certificate; if it does not find a certificate corresponding to the domain name, it returns the default certificate.

Usage Limit

  • One instance can bind at most 25 SNI certificates, excluding the default certificate.
  • One certificate can only bind to the listener once, duplicated bindings are not allowed.

SNI Certificate Matching Rules

  • If the client request matches one of the certificates in the certificate list, ALB will choose this certificate. If the client’s request matches multiple certificates in the list, the load balancer determines the priority based on the bind time, the more recent the bind time, the higher the priority.
  • If no certificate matching the corresponding domain name is found, the default certificate will be matched. The default certificate cannot be deleted and only supports changing binding.
Content ForwardingTLS Security Policies