Understanding SSL/TLS Certificates & Server Name Indication (SNI) in AWS Load Balancers
What Are SSL and TLS Certificates?
SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are protocols used to encrypt traffic between clients and servers, ensuring secure communication.
Key Points About SSL/TLS:
- TLS is the modern replacement for SSL, but many still refer to it as SSL.
- Public SSL/TLS certificates are issued by Certificate Authorities (CAs) like:
  - Comodo
  - Symantec
  - GoDaddy
  - GlobalSign
  - DigiCert
  - Let’s Encrypt
- SSL/TLS certificates expire and must be renewed regularly to remain valid.
How Load Balancers Handle SSL/TLS Certificates
- Clients connect to a load balancer over HTTPS (encrypted).
- The load balancer performs SSL termination, decrypting the traffic.
- The load balancer forwards traffic to backend EC2 instances using HTTP (unencrypted) within the VPC.
- This is generally considered acceptable because traffic inside the VPC stays on AWS's private network rather than crossing the public internet, but note that it is no longer encrypted once the load balancer has terminated TLS.
- SSL certificates used by the load balancer are X.509 certificates, often managed in AWS Certificate Manager (ACM).
Managing SSL/TLS in AWS Load Balancers
- SSL certificates are attached to HTTPS listeners in the load balancer.
- When setting up an HTTPS listener, you must specify:
  - A default certificate.
  - Optional additional certificates (for multiple domains).
- AWS allows uploading custom SSL certificates to ACM.
- You can configure security policies to support older SSL/TLS versions for legacy clients.
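The listener setup described above (HTTPS listener with a default ACM certificate, an additional certificate for a second domain, a chosen security policy, and an HTTP target group inside the VPC) expressed as a Terraform configuration. This is an added illustration, not configuration from the original page; the resource names, the `var.*` certificate ARNs and VPC ID are placeholders, and the `ELBSecurityPolicy-*` names are real AWS-managed policy names.

```hcl
# Placeholders: supply real values from your own account.
variable "vpc_id"                   { type = string }
variable "primary_certificate_arn"  { type = string } # ACM cert for example.com (placeholder)
variable "secondary_certificate_arn"{ type = string } # ACM cert for example.org (placeholder)
variable "load_balancer_arn"        { type = string }

# Backend target group: the load balancer talks plain HTTP to EC2 inside the VPC
# after terminating TLS, as the page describes.
resource "aws_lb_target_group" "web" {
  name     = "web-http"
  port     = 80
  protocol = "HTTP"
  vpc_id   = var.vpc_id

  health_check {
    path = "/healthz"
  }
}

# HTTPS listener: the certificate_arn here is the listener's *default* certificate.
# The ssl_policy below only negotiates TLS 1.2 and 1.3; the older
# "ELBSecurityPolicy-2016-08" would additionally accept TLS 1.0/1.1 for legacy clients.
resource "aws_lb_listener" "https" {
  load_balancer_arn = var.load_balancer_arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = var.primary_certificate_arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.web.arn
  }
}

# Additional certificate attached to the same listener. The load balancer selects
# between the default and additional certificates based on the hostname the
# client sends in the TLS handshake (SNI).
resource "aws_lb_listener_certificate" "secondary" {
  listener_arn    = aws_lb_listener.https.arn
  certificate_arn = var.secondary_certificate_arn
}
```

Swapping `ssl_policy` to `ELBSecurityPolicy-2016-08` is the "support older SSL/TLS versions" option mentioned above; keep the TLS 1.2/1.3 policy unless a specific legacy client requires otherwise, since the policy applies to every domain served by the listener.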
What is Server Name Indication (SNI)?
SNI allows a single load balancer to handle multiple SSL/TLS certificates for different domains, solving a key problem: