Basics

  • SSL/TLS certificates allow traffic between client and server to be encrypted while in transit (in flight).

  • TLS is the newer version of SSL and is what is used today.

  • These certificates are issued by Certificate Authorities (CAs).

  • ELB integration with public SSL certificates allows requests to be encrypted up to the load balancer.

  • The load balancer uses an X.509 SSL/TLS certificate.

  • These certificates have an expiration date and need to be renewed periodically.

  • In AWS, these certificates are managed using AWS Certificate Manager (ACM).

  • When an ELB listener of type HTTPS is specified, an SSL certificate must be specified.

  • An optional list of additional certificates can be added to support multiple domains.

  • A security policy can also be specified to support older versions of SSL/TLS (legacy clients).

Server Name Indication (SNI)

  • An extension of TLS that allows multiple SSL/TLS certificates to be loaded when multiple web servers are hosted on the same IP address.

  • It works by having the client send the hostname of the target server in the initial SSL handshake, which lets the server select the correct certificate based on that hostname.

  • Supported by ALB, NLB and CloudFront.

  • Does not work with CLB.

  • Certificates needed by ELB for HTTPS listeners can be sourced from ACM or IAM, or imported.
