Basics

• SSL/TLS certificates allows traffic between client and server be encrypted while in transit (in-flight).

• TLS is a more newer version of SSL, which is used nowadays.

• These cerificates are issued by Certificate Authorities (CA).

• ELB integration with public SSL certificates, allows request to be encrypted upto load balancer.

• Load balancer uses an X.509 SSL/TLS certificate.

• These certificates have expiration date and need to be renewed periodically.

• In AWS, these certificates are managed using AWS Certificate Manager (ACM).

• When a ELB listener of HTTPS type is specified, these SSL ceritificate must be specified.

• Can add an optional list of certificates to support multiple domains.

• Also has ability to specify a security policy to support older version of SSL/TLS (legacy clients).

Server Name Indication (SNI)

• An extension of TLS, allows multiple SSL/TLS certificate to be loaded, when multiple web server is hosted on same IP address.

• This works by using the hostname of the target server in the initial SSL handshake. This will allow to find the correct certificate based on hostname.

• Supported by ALB, NLB, Cloud Front.

• Does not work with CLB.

• Certificates needed by ELB for HTTPS listeners can be sourced from ACM, IAM or import it.