
Certificate Management

When configuring an HTTPS listener for ALB, you need to select a certificate you purchased on the Certificate Management page, or upload a certificate issued by a third party, so that the listener's authentication service works normally.

Usage Limitations

Format Requirements

Certificates can currently be uploaded in two ways: by uploading the certificate file directly, or by manually filling in the certificate text.

Add Certificates

  1. Log in to the ALB Console.
  2. In the secondary tab of Load Balancing, click the Certificate Management tab to enter the certificate list page.
  3. On the certificate list page, click Add Certificate in the upper left corner.
  4. Three types of certificates can currently be added:

| Certificate Source | Detail |
| --- | --- |
| USSL Import | Certificate Management supports direct import from the USSL Certificate Management of certificates already purchased or hosted. |
| Local Import | Certificate Management supports the import of local SSL certificates. Upload the certificate authorization file. If you choose to upload the certificate file directly, you need to prepare the following files: the website's certificate file (cer/crt/pem format), private key file (key file), (optional) intermediate certificate/root certificate (certificate chain, cer/crt/pem format). |
| Manual Input | ULB Certificate Management supports manual input. If you choose to manually fill in the certificate, the text needs to sequentially contain the following fields: private key, website certificate, intermediate certificate, root certificate, etc. |

Local Import

If you choose to upload the certificate file directly, you need to prepare the following files:

  • Required: website certificate file (cer/crt/pem format). The text format of the file is as follows:
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----
  • Required: private key file (key file)

For the RSA digital signature algorithm, the file text format is as follows:

-----BEGIN RSA PRIVATE KEY-----
... 
-----END RSA PRIVATE KEY-----

For the ECDSA digital signature algorithm, the file text format is as follows (the EC PARAMETERS block is optional):

-----BEGIN EC PARAMETERS-----
... 
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
... 
-----END EC PRIVATE KEY-----
  • Optional: intermediate certificate and root certificate (certificate chain, cer/crt/pem format). The text format of the file is as follows:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The certificate you provide must have its password protection removed. When uploading a certificate or manually filling in a certificate, make sure the certificate format is correct. If format verification fails, the certificate will not be added.

Manual Input

If you choose to manually fill in the certificate, the text needs to sequentially contain the following fields: private key, website certificate, intermediate certificate, root certificate, etc.

For the RSA digital signature algorithm, use the following format as a reference (check that the certificate is complete when copying):

-----BEGIN RSA PRIVATE KEY-----
... 
-----END RSA PRIVATE KEY-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----

For the ECDSA digital signature algorithm, use the following format as a reference (check that the certificate is complete when copying):

-----BEGIN EC PRIVATE KEY-----
... 
-----END EC PRIVATE KEY-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----
-----BEGIN MY CERTIFICATE-----
...
-----END MY CERTIFICATE-----
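
A local pre-check for the Manual Input text, written as an added example (it is not the console's own validator, whose exact rules this page does not document). It encodes only what the page states: key first, then certificates, no password protection, complete BEGIN/END blocks. Assumptions: the function and helper names are hypothetical, the sample data is constructed, and any key label other than the two shown on the page is reported as unexpected.

```python
import base64
import binascii
import re

KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY"}  # key formats shown on the page
CERT_LABELS = {"CERTIFICATE", "MY CERTIFICATE"}     # "CERTIFICATE" is the label OpenSSL writes
BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n?-----END ([A-Z0-9 ]+)-----", re.S)


def lint_manual_input(text):
    """Return a list of problems in pasted key/certificate text; empty means it passed."""
    problems = []
    blocks = BLOCK.findall(text)
    if text.count("-----BEGIN ") != len(blocks) or text.count("-----END ") != len(blocks):
        problems.append("unbalanced BEGIN/END lines (text truncated while copying?)")
    order = []
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} closed by END {end}")
        if begin == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password protected")
            order.append("key")
            continue
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{begin} body is not valid base64")
        if begin in KEY_LABELS:
            order.append("key")
        elif begin in CERT_LABELS:
            order.append("cert")
        elif begin != "EC PARAMETERS":  # optional block, ignored for ordering
            problems.append(f"unexpected block type: {begin}")
    if order.count("key") != 1:
        problems.append("expected exactly one private key")
    elif order[0] != "key":
        problems.append("private key must come before the certificates")
    if "cert" not in order:
        problems.append("no website certificate found")
    return problems


def pem(label, payload=b"constructed sample bytes, not real key material"):
    """Build a syntactically valid PEM block around constructed bytes (test data only)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
```

The check is purely structural: it does not confirm that the private key matches the certificate or that the chain is valid.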

If your certificate is in a different format, it is recommended to use the openssl tool for format conversion.

DER to PEM:

Certificate Conversion: openssl x509 -inform der -in certificate.cer -out certificate.pem

Private Key Conversion (RSA Certificate): openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

Private Key Conversion (ECDSA Certificate): openssl ec -inform DER -outform PEM -in privatekey.der -out privatekey.pem

Delete Certificates

  1. Log in to the ALB Console.
  2. In the secondary tab of Load Balancing, click the Certificate Management tab to enter the list of certificates.
  3. On the certificate list page, click Delete in the operation column of the target certificate, or check the target certificate to be deleted and click Delete Certificate in the upper left corner.
  4. In the delete pop-up window, click Confirm.

Change Binding Certificate

After a certificate is bound to a listener, it is recommended to change the certificate before it expires so that certificate expiration does not affect your service.

Change the Listener Certificate

ULB supports two ways of changing the listening certificate. If you only need to change the default certificate bound to a particular listener, use the following method.

  1. Log in to the ALB Console.
  2. In the load balancing console, select the Certificate Management tab.
  3. On the Instance List page, find the target instance and click on the instance ID to enter the instance details page.
  4. Click the Listener Management tab, and click Listening Certificate on the details page of the target listener.
  5. On the Listening Certificate tab, click Change Binding in the operation column of the default certificate.
  6. In the change-certificate pop-up window, select the certificate to change to and click Confirm.

If you need to change bound certificates in bulk, use the following method.

  1. Log in to the ALB Console.
  2. At the top menu bar, select the region where the instance is located.
  3. On the Certificate Management tab, find the target certificate to be replaced.
  4. In the operation bar of the target certificate, click Details to enter the certificate details page.
  5. Select Listener Management and click Change All Bindings in the upper left corner.
  6. Select the certificate to change to and click Confirm.