SSL and TLS Certificates Overview
- SSL/TLS Encryption: SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols used to encrypt data in transit between clients and servers. TLS is the newer version of SSL, but both terms are often used interchangeably.
- In-Flight Encryption: This ensures that data cannot be read or tampered with during transmission over the network.
- Certificate Authorities (CAs): Public SSL/TLS certificates are issued by CAs such as Comodo, Symantec, GoDaddy, GlobalSign, DigiCert, and Let's Encrypt.
- HTTPS: The 'S' in HTTPS stands for 'Secure', indicating that SSL/TLS certificates are being used to encrypt the connection.
- Load Balancer Integration: Load balancers can terminate SSL/TLS connections, handling encryption and decryption of data before passing it to backend servers.
Load Balancer and SSL/TLS
- SSL Termination: The load balancer performs SSL termination, decrypting incoming HTTPS traffic and optionally forwarding it to EC2 instances over HTTP within the secure VPC.
- AWS Certificate Manager (ACM): AWS service for managing SSL/TLS certificates. Users can upload their own certificates or use ones provided by ACM.
- HTTPS Listener: When setting up an HTTPS listener on a load balancer, a default certificate must be specified, with the option to add more for supporting multiple domains.
Server Name Indication (SNI)
- SNI Importance: SNI lets a single server (or load balancer listener) present different SSL certificates for different domains on the same IP address and port.
- Hostname Indication: The client includes the hostname it wants to reach in the SSL handshake (in the ClientHello), which lets the server select the matching certificate before the connection is encrypted.
- Compatibility: SNI is supported by Application Load Balancers (ALBs), Network Load Balancers (NLBs), and CloudFront, but not by Classic Load Balancers.
SSL Certificates and Load Balancers
- Classic Load Balancer: Supports a single SSL certificate. For multiple hostnames with different SSL certificates, multiple Classic Load Balancers are required.
- Application Load Balancer (ALB): Supports multiple listeners with multiple SSL certificates using SNI.
- Network Load Balancer (NLB): Also supports multiple listeners with multiple SSL certificates, utilizing SNI.
Diagram Example
- ALB with Multiple Certificates: An ALB can route traffic based on hostname to different target groups, each with its own SSL certificate.
- Client requests www.mycorp.com -> ALB uses the www.mycorp.com SSL certificate -> Traffic routed to the mycorp.com target group.
- Client requests Domain1.example.com -> ALB uses the Domain1.example.com SSL certificate -> Traffic routed to the Domain1.example.com target group.