To enable encrypted transmission using a TCP/SSL listener, configure certificates on NLB. All NLB certificates are stored and managed by Alibaba Cloud Certificate Management Service. Purchase a certificate or upload an existing one to Certificate Management Service before using it on NLB.
How it works
Certificate types
-
CA certificate: A certification authority (CA) is a trusted third party that verifies and issues certificates. CA certificates validate the legitimacy of other certificates—for example, by checking whether a certificate was issued by a trusted CA.
-
Server certificate: Also known as an SSL Certificate, this is issued by a CA and contains the server’s public key and identity information (such as its domain name). It proves the server’s identity to clients.
-
Client certificate: Issued by a CA, this contains the client’s public key and identity information. It proves the client’s identity to the server.
Authentication modes
NLB supports both one-way and mutual authentication.
-
One-way authentication: NLB requires only a server certificate. The client verifies the server’s identity. This is the most common mode, suitable for most web applications and API services.
-
Mutual authentication: NLB requires both a server certificate and a CA certificate. The server and client authenticate each other. This mode is used in high-security scenarios such as finance, Internet of Things (IoT), and internal enterprise systems.
|
One-way authentication handshake process |
Mutual authentication handshake process |
|
|
|
Prerequisites
Prepare the required certificates based on your authentication mode (one-way or mutual). To purchase certificates from Alibaba Cloud, see:
-
CA certificate: Purchase and enable a private CA
-
Server certificate: Purchase a commercial certificate
-
Client certificate: Download a private certificate
Configure certificates for one-way authentication
Console
When configuring a TCP/SSL listener, on the Configure SSL Certificate page, select a server certificate and configure the TLS security policy.
For a step-by-step tutorial, see: Offload TCP/SSL with NLB (one-way authentication).
API
Call the CreateListener operation:
-
Set the
ListenerProtocolfield toTCPSSLto create a TCP/SSL listener. -
Configure the server certificate in the
CertificateIdsfield. -
Configure the TLS security policy in the
SecurityPolicyIdfield.
Configure certificates for mutual authentication
Console
When configuring a TCP/SSL listener, on the Configure SSL Certificate page, select a server certificate, enable mutual authentication, and configure a CA certificate. Also configure the TLS security policy.
For a step-by-step tutorial, see: Offload TCP/SSL with NLB (mutual authentication).
API
Call the CreateListener operation:
-
Set the
ListenerProtocolfield toTCPSSLto create a TCP/SSL listener. -
Configure the server certificate in the
CertificateIdsfield. -
Set the
CaEnabledfield totrueto enable mutual authentication. -
Configure the CA certificate in the
CaCertificateIdsfield. -
Configure the TLS security policy in the
SecurityPolicyIdfield.
Switch between one-way and mutual authentication
For an existing TCP/SSL listener, you can enable or disable mutual authentication to switch between one-way and mutual authentication.
Console
-
In the NLB console, find your NLB instance and click its instance ID.
-
On the Listener tab, find your TCP/SSL listener and click Actions → Manage Certificates.
-
On the CA Certificate tab, toggle the Mutual Authentication switch in the upper-left corner to enable or disable mutual authentication. Select a CA certificate and click OK.
API
Call the UpdateListenerAttribute operation. Use the ListenerId field to select your TCP/SSL listener. Set the CaEnabled field to enable or disable mutual authentication. Update the CaCertificateIds field to select a CA certificate.
Manage server certificates
Replace the default server certificate
The server certificate selected when configuring a TCP/SSL listener becomes the listener’s default server certificate. Replace it seamlessly when the certificate is about to expire or when business requirements change.
New connections may be interrupted during the default server certificate update. Existing connections remain unaffected. Perform this change during off-peak hours.
Console
-
In the NLB console, find your NLB instance and click its instance ID.
-
On the Listener tab, find your TCP/SSL listener and click Actions → Manage Certificates.
-
On the Server Certificate tab, click Default Server Certificate → Change, then select a new certificate.
-
Click OK.
API
Call the UpdateListenerAttribute operation. Use the ListenerId field to select your TCP/SSL listener. Update the CertificateIds field to replace the default server certificate.
Configure extended certificates for multiple domains
If a single listening port must serve HTTPS traffic for multiple domains, each with its own certificate, use NLB’s extended certificate feature.
After configuration, NLB automatically selects the correct certificate based on the domain in the client’s request.
-
If the requested domain matches an extended certificate, NLB uses that certificate.
-
If no match is found, NLB uses the default server certificate.
1. Each NLB instance supports up to 25 extended certificates.
2. You can add or remove up to 15 extended certificates in a single operation.
Console
-
In the NLB console, find your NLB instance and click its instance ID.
-
On the Listener tab, find your TCP/SSL listener and click Actions → Manage Certificates.
-
On the Server Certificate tab, click Add Additional Certificate and select certificates for additional domains.
-
Click OK.
To delete an extended certificate, click Actions → Delete next to the certificate.
API
-
Call the AssociateAdditionalCertificatesWithListener operation. Use the
ListenerIdfield to select your TCP/SSL listener. Add extended certificates using theAdditionalCertificateIdsfield. -
Call the DisassociateAdditionalCertificatesWithListener operation. Use the
ListenerIdfield to select your TCP/SSL listener. Remove extended certificates using theAdditionalCertificateIdsfield.
Manage CA certificates
Replace a CA certificate
Console
-
In the NLB console, find your NLB instance and click its instance ID.
-
On the Listener tab, find your TCP/SSL listener and click Actions → Manage Certificates.
-
On the CA Certificate tab, if mutual authentication is enabled, click Actions → Change next to the CA certificate. Select a new CA certificate and click OK.
API
Call the UpdateListenerAttribute operation. Use the ListenerId field to select your TCP/SSL listener. Update the CaCertificateIds field to replace the CA certificate.
Billing details
Using the certificate feature with TCP/SSL listeners incurs no extra charges. However, you must pay for the certificates themselves. For details, see: SSL Certificate billing details, PCA certificate billing details.
Going live
-
Best practices
-
Certificate management: Use Alibaba Cloud Certificate Management Service to centrally manage all certificates. This simplifies viewing, renewal, and deployment.
-
TLS policy: For public-facing applications without special compatibility requirements, use
tls_cipher_policy_1_2or higher. -
Automation: Combine APIs or Terraform with Certificate Management Service to automate certificate renewal and deployment. This prevents service interruptions caused by expired certificates.
-
-
Risk mitigation and fault tolerance
-
Internal traffic security: Traffic between clients and NLB is encrypted with TCP/SSL, but traffic between NLB and backend servers is plaintext by default. To ensure end-to-end security, deploy NLB and backend servers in the same VPC and restrict access strictly using security groups.
-
Certificate expiration monitoring: Configure expiration alert rules for certificates in Cloud Monitor. Set alerts at 30 days, 7 days, and 1 day before expiration to allow enough time for replacement.
-
Rollback: If issues occur after replacing a certificate or changing the TLS policy, immediately roll back by updating the listener configuration. Perform changes during off-peak hours.
-