Manage certificates


To configure one-way or mutual authentication (mTLS) for ALB listeners, purchase or upload certificates in Certificate Management Service, then associate them with your listener.

Background

ALB supports one-way authentication and mutual authentication (mTLS).

  • One-way authentication: The client verifies the server, but the server does not verify the client. Requires a server certificate bound to the HTTPS or QUIC listener.

  • Mutual authentication (mTLS): Both client and server verify each other before exchanging data. Requires a server certificate and a CA certificate bound to the listener. ALB validates the certificate presented by the client against the CA certificate, and rejects the handshake if the client certificate does not chain to it.

Limitations

  • Basic Edition ALB instances do not support mutual authentication (mTLS).

  • QUIC listeners do not support mutual authentication (mTLS).

  • HTTP listeners do not support one-way authentication or mutual authentication (mTLS).

Certificate types

ALB supports both international standard certificates (RSA/ECC) and SM certificates (SM2).

  • International standard certificates: RSA and ECC algorithms for standard HTTPS encryption.

  • SM certificates: Chinese cryptographic algorithm suite (SM2 for signatures and key exchange, SM3 for hashing, SM4 for encryption). Required for MLPS 2.0 Level 3 compliance in finance and government. You must select a custom TLS security policy that includes the ECC-SM2-WITH-SM4-SM3 cipher suite.

Note
  • SM certificates are not enabled by default. To use this feature, apply for the required quota in Quota Center.

  • SM certificates are supported only on upgraded ALB instances. Use ALB instance cloning to migrate from legacy instances.

  • Only Standard and WAF-enabled Edition ALB instances support SM certificates. Basic and Extended Edition instances do not.

  • SM certificates do not support mutual authentication (mTLS) because CA certificates do not support the SM2 algorithm.

Supported listener types, certificate types, and authentication methods:

  HTTPS listener

    • Single RSA, ECC, or SM2 certificate: one-way authentication supported; mutual authentication (mTLS) supported for RSA and ECC, not supported for SM2.

    • Dual RSA and ECC certificates: one-way authentication supported; mutual authentication (mTLS) supported.

    • Dual RSA and SM2 certificates: one-way authentication supported; mutual authentication (mTLS) not supported.

    • Dual ECC and SM2 certificates: one-way authentication supported; mutual authentication (mTLS) not supported.

    • Mixed RSA, ECC, and SM2 certificates: one-way authentication supported; mutual authentication (mTLS) not supported.

  QUIC listener

    • Single RSA or ECC certificate: one-way authentication supported; mutual authentication (mTLS) not supported.

    • Dual RSA and ECC certificates: one-way authentication supported; mutual authentication (mTLS) not supported.

  HTTP listener

    • Certificate configuration is not supported.

Certificate matching logic

When a listener has multiple certificates, ALB selects the certificate to present by matching the hostname in the client's SNI extension against the domain names of the bound certificates. If the hostname matches a single certificate, ALB uses that certificate. If it matches multiple certificates, ALB selects the best one based on the following priority:

  1. Domain Name Match: Exact matches are preferred over wildcard matches.

  2. Public Key Algorithm: ECDSA (ECC) is preferred over RSA.

  3. Hash Algorithm: The SHA family is preferred over MD5. Modern clients reject MD5-signed certificates outright, so in practice this rule only breaks ties between legacy certificates.

  4. Key Length: The certificate with the longest key is preferred.

  5. Validity Period: The certificate with the longest remaining validity period is preferred.

Note

ALB uses the protocol version in the client's TLS handshake to determine whether to use the Chinese national cryptographic protocol (TLCP).

  • If the client uses TLCP, ALB prioritizes the SM certificate.

  • If the client uses standard TLS, ALB prioritizes an international standard certificate (RSA/ECC).
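The selection rules above, as an added example that is not Alibaba Cloud code: a small model of the SNI-based certificate choice, with the certificate records, hostnames and dates constructed for illustration. The ordering (exact over wildcard, ECC over RSA, SHA over MD5, longer key, longer remaining validity) follows the page; treating the TLCP-versus-TLS preference as the first ranking key, the field names, and the one-label wildcard rule are assumptions, not ALB's data model.

```python
"""Added example, not Alibaba Cloud code: a model of ALB's SNI-based certificate selection.
All certificate records, hostnames and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    name: str
    sans: tuple        # hostnames covered, e.g. ("www.example.com", "*.example.com")
    algo: str          # "ECC", "RSA" or "SM2"
    hash_alg: str      # signature hash: "SHA256", "MD5", "SM3", ...
    key_bits: int
    not_after: datetime


def match_kind(pattern: str, host: str) -> Optional[str]:
    """'exact', 'wildcard' or None. A wildcard covers exactly one leftmost label (assumption)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return "exact"
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        if label and "." not in label:
            return "wildcard"
    return None


def best_match(cert: Cert, host: str) -> Optional[str]:
    kinds = {match_kind(p, host) for p in cert.sans}
    return "exact" if "exact" in kinds else ("wildcard" if "wildcard" in kinds else None)


def select_certificate(host: str, certs: List[Cert], tlcp: bool = False,
                       now: Optional[datetime] = None) -> Optional[Cert]:
    """Pick the certificate the listener would present for this SNI hostname."""
    now = now or datetime.now(timezone.utc)
    candidates = [(c, best_match(c, host)) for c in certs]
    candidates = [(c, m) for c, m in candidates if m is not None]
    if not candidates:
        return None            # the page does not say what ALB serves here; treat as no match

    def rank(item):
        cert, kind = item
        return (
            (cert.algo == "SM2") == tlcp,                 # 0. TLCP client -> SM2, TLS client -> RSA/ECC
            kind == "exact",                              # 1. exact beats wildcard
            cert.algo == "ECC",                           # 2. ECC beats RSA
            cert.hash_alg.upper().startswith("SHA"),      # 3. SHA family beats MD5
            cert.key_bits,                                # 4. longest key
            (cert.not_after - now).total_seconds(),       # 5. longest remaining validity
        )

    return max(candidates, key=rank)[0]


# Constructed sample listener with five bound certificates.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    Cert("wild-rsa",  ("*.example.com",),   "RSA", "SHA256", 2048, datetime(2027, 1, 1, tzinfo=timezone.utc)),
    Cert("www-rsa",   ("www.example.com",), "RSA", "SHA256", 2048, datetime(2026, 1, 1, tzinfo=timezone.utc)),
    Cert("www-rsa4k", ("www.example.com",), "RSA", "SHA256", 4096, datetime(2026, 1, 1, tzinfo=timezone.utc)),
    Cert("www-ecc",   ("www.example.com",), "ECC", "SHA256",  256, datetime(2026, 1, 1, tzinfo=timezone.utc)),
    Cert("www-sm2",   ("www.example.com",), "SM2", "SM3",     256, datetime(2027, 1, 1, tzinfo=timezone.utc)),
]


def pick(host: str, tlcp: bool = False) -> Optional[str]:
    cert = select_certificate(host, SAMPLE_CERTS, tlcp=tlcp, now=NOW)
    return cert.name if cert else None


if __name__ == "__main__":
    for host, tlcp in [("www.example.com", False), ("www.example.com", True),
                       ("api.example.com", False), ("a.b.example.com", False)]:
        print(f"{host:18} tlcp={tlcp!s:5} -> {pick(host, tlcp)}")
```

Running it shows the effect of each rule: a TLS client for www.example.com gets the ECC certificate even though a 4096-bit RSA one is bound, a TLCP client gets the SM2 certificate, api.example.com falls through to the wildcard, and a.b.example.com matches nothing.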

Prerequisites

Add a certificate

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, find the target instance.

  4. Open the listener configuration wizard in either of the following ways:

    • Click Create Listener in the Actions column of the instance.

    • Click the instance ID. On the Listener tab, click Create Listener.

  5. On the Configure Listener page, configure the following settings and click Next.

    This topic describes only the required parameters. For more information, see Add an HTTPS listener.

    Listener Protocol: Select HTTPS or QUIC. In this example, HTTPS is selected.

      Note
      • QUIC listeners do not support mutual authentication (mTLS).

      • HTTP listeners do not support one-way authentication or mutual authentication (mTLS).

    Listener Port: Enter a port number (1-65535). Standard ports: 80 for HTTP, 443 for HTTPS. In this example, 443 is entered.

    Listener Name: Enter a custom name for the listener.

    Advanced Settings: Click Modify to expand the advanced settings.

  6. On the SSL Certificate page of the wizard, select a server certificate.

    If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console, where you can purchase or upload a server certificate.

  7. Optional: Turn on Enable Mutual Authentication and select a CA certificate source.

    • Select Alibaba Cloud as the CA certificate source, and select a CA certificate from the Default CA Certificate drop-down list.

      If no CA certificate is available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.

    • Select Third-party as the CA certificate source, and select a CA certificate from the Default CA Certificate drop-down list.

      If no self-signed CA certificate is available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository with a data source of Uploaded CA Certificates. Then, upload a self-signed root CA or a self-signed intermediate CA certificate to the repository. Only client certificates that chain to the uploaded CA pass mutual authentication, so upload the narrowest CA that issues your client certificates.

    Note
    • Only Standard and WAF-enabled ALB instances support mutual authentication. Basic ALB instances do not.

    • To disable mutual authentication:

      1. On the Instances page, click the ID of the target instance.

      2. On the Listener tab, click the ID of the target HTTPS protocol listener.

      3. On the Listener Details tab, turn off the mutual authentication switch in the SSL Certificate section.

  8. Select a TLS Security Policy, and then click Next.

    If no TLS security policy is available, click Create TLS Security Policy in the drop-down list.

    A TLS security policy contains the TLS protocol versions and cipher suites that an HTTPS listener can use. For SM certificates, the policy must include the ECC-SM2-WITH-SM4-SM3 cipher suite.

  9. On the Select Server Group page, select a backend server group, view the backend server information, and then click Next.

  10. On the Configuration Review page, review the settings and click Submit.

More operations

  1. Log on to the ALB console.

  2. In the top navigation bar, select the region where the ALB instance is deployed.

  3. On the Instances page, find the target instance and click its ID.

  4. Click the Listener tab. Find the target listener and click Manage Certificates in the Actions column.

  5. On the Certificates page, you can perform the following operations.

    Note

    To avoid service disruptions, replace your certificates before they expire.

    Server certificate

    Replace the default server certificate

    1. On the Server Certificates tab, find the default server certificate and click Replace in the Actions column.

    2. In the dialog box that appears, select a server certificate and click OK.

      If no server certificate is available, click Create SSL Certificate in the drop-down list to go to the Certificate Management Service console, where you can purchase or upload a server certificate.

    Add an additional server certificate

    Add additional certificates to a listener.

    1. On the Server Certificates tab, click Add EV Certificate.

    2. In the Add EV Certificate dialog box, select a server certificate and click OK.

      If no server certificates are available, you can click Purchase Certificate in the upper-right corner to go to the Certificate Management Service console, where you can purchase or upload a server certificate.

    Delete an additional server certificate

    You can delete an additional server certificate. After deletion, ALB no longer presents that certificate to clients on this listener; hostnames it covered fall back to the remaining certificates according to the matching logic described above.

    1. On the Server Certificates tab, find the target additional certificate and click Delete in the Actions column.

    2. In the dialog box that appears, click Delete.

    CA certificate

    Enable or disable mutual authentication

    • Enable mutual authentication:

      1. Click the CA Certificate tab and turn on the Mutual Authentication switch, or click Enable Mutual Authentication.

      2. In the Enable Mutual Authentication dialog box, perform one of the following steps:

        • Set the CA certificate source to Alibaba Cloud, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

          If no CA certificate is available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.

        • Set the CA certificate source to Third-party, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

          If no self-signed CA certificate is available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository with a data source of Uploaded CA Certificates. Then, upload a self-signed root CA or a self-signed intermediate CA certificate to the repository.

    • Disable mutual authentication: Click the CA Certificate tab and turn off the Mutual Authentication switch. The listener then reverts to one-way authentication.

    Replace the CA certificate

    1. Click the CA Certificate tab. Find the default CA certificate and click Replace in the Actions column.

    2. In the Change Default CA Certificate dialog box, perform one of the following steps based on your business needs:

      • Set the CA certificate source to Alibaba Cloud, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

        If no CA certificate is available, click Purchase CA Certificate in the drop-down list to create a new CA certificate.

      • Set the CA certificate source to Third-party, select a CA certificate from the Default CA Certificate drop-down list, and then click OK.

        If no self-signed CA certificate is available, click Upload Self-signed CA Certificate in the drop-down list. On the Certificate Application Repository page, create a repository with a data source of Uploaded CA Certificates. Then, upload a self-signed root CA or a self-signed intermediate CA certificate to the repository. Replacing the CA certificate changes which client certificates are accepted, so issue client certificates from the new CA before switching.
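The Third-party CA source used in step 7 of Add a certificate and in the Enable/Replace CA certificate operations above expects a self-signed root CA or a self-signed intermediate CA. The following added example (not Alibaba Cloud code, and not something the console runs for you) builds a throwaway PKI of exactly that shape with the openssl CLI and then checks a client certificate against it the way the listener's mutual authentication does, so you can confirm locally which certificates will pass before uploading the CA. Every name, subject and file path is constructed; the only dependency is openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud code. Builds root CA -> intermediate CA -> client certificate
# with constructed names, then verifies client certificates against the root as an mTLS
# listener would. Requires the openssl CLI.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: an empty DN section (subjects come from -subj) plus one extension
# profile per certificate role.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_intermediate]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

# Self-signed root CA: what you would upload as a "self-signed root CA certificate".
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config pki.cnf -extensions v3_root \
  -subj "/CN=Example Client Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA issued by the root; uploading this instead narrows trust to one issuing CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
  -subj "/CN=Example Client Issuing CA" -keyout intermediate.key -out intermediate.csr 2>/dev/null
openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -sha256 -days 1825 -extfile pki.cnf -extensions v3_intermediate -out intermediate.pem 2>/dev/null

# Client certificate issued by the intermediate: what a caller presents in the handshake.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
  -subj "/CN=client-01" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA intermediate.pem -CAkey intermediate.key -CAcreateserial \
  -sha256 -days 365 -extfile pki.cnf -extensions v3_client -out client.pem 2>/dev/null

# A client certificate from an unrelated CA: well-formed, but not chained to our root.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -config pki.cnf -extensions v3_root \
  -subj "/CN=Unrelated Root CA" -keyout rogue-ca.key -out rogue-ca.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -config pki.cnf \
  -subj "/CN=rogue-client" -keyout rogue.key -out rogue.csr 2>/dev/null
openssl x509 -req -in rogue.csr -CA rogue-ca.pem -CAkey rogue-ca.key -CAcreateserial \
  -sha256 -days 365 -extfile pki.cnf -extensions v3_client -out rogue.pem 2>/dev/null

# verify_client CERT: emulate the listener's check. The trust anchor is root.pem; the
# intermediate is supplied untrusted, as it would arrive in the client's chain.
# Prints OK or FAIL.
verify_client() {
  if openssl verify -purpose sslclient -CAfile root.pem -untrusted intermediate.pem "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

echo "client.pem: $(verify_client client.pem)"   # OK
echo "rogue.pem:  $(verify_client rogue.pem)"    # FAIL
```

If you upload intermediate.pem instead of root.pem, change `-CAfile` accordingly and drop `-untrusted`; the rogue certificate still fails, and so would any client certificate issued directly by the root, which is the point of anchoring trust at the issuing CA.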

References

Tutorials

API reference