
I have EC2 instances sitting behind an application load balancer that is forwarding HTTPS traffic. Each instance is using the same TLS cert, which I also uploaded to ACM so the load balancer can use it. If I get new certificates, can I piece by piece replace the certs, or do I need to do something else to prevent the traffic from breaking? It isn't clear to me where the SSL handshake is happening if I use a load balancer like this.

Andrew

1 Answer


The load balancers do not validate the TLS certs. See this blog post for more on this: https://kevin.burke.dev/kevin/amazons-albs-insecure-internal-traffic/

So, essentially, you can use any cert, even a self-signed one on the instances and the LBs will be fine with that. It does not have to match the TLS cert that the LB presents to the world.

CSQ
While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/29896703) – Muhammedogz Sep 23 '21 at 09:23
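Added example for this thread (not code from the question or the answer). The question asks where the handshake happens: with an HTTPS listener in front of an HTTPS target group there are two separate TLS sessions. The client negotiates with the ALB, which presents the certificate from ACM; the ALB then opens its own TLS connection to the instance, where the instance presents whatever is installed locally and, as the answer notes, the ALB does not validate it. The script below fetches the certificate each hop presents (validation is switched off on purpose, since the instance side may be self-signed or for another name), and reports the fingerprint and expiry of each, so you can confirm the two hops are independent before and after a rotation. The ALB DNS name, the instance address and the port are assumptions; replace them with your own.

```python
"""Inspect the two TLS hops behind an ALB: client -> ALB and ALB -> instance.

Added example for this thread, not code from the original question or answer.
Host names, addresses and ports are assumptions.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional, Tuple


def peer_cert_der(host: str, port: int = 443, sni: Optional[str] = None) -> bytes:
    """Fetch the DER certificate a TLS endpoint presents, without validating it.

    Validation is deliberately off: the instance-side cert may be self-signed or
    issued for a different name, which is exactly what the ALB tolerates on its
    back-end hop. Do not reuse this context for anything that needs trust.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            der = tls.getpeercert(binary_form=True)
    if der is None:
        raise RuntimeError(f"{host}:{port} presented no certificate")
    return der


def fingerprint_sha256(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq: bytes):
    """Yield (tag, value) for each element inside a DER SEQUENCE body."""
    pos = 0
    while pos < len(seq):
        tag, value, pos = _tlv(seq, pos)
        yield tag, value


def _parse_time(tag: int, value: bytes) -> datetime:
    """Decode an X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:          # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:        # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_from_der(der: bytes) -> Tuple[datetime, datetime]:
    """Return (notBefore, notAfter) from an X.509 DER certificate.

    Walks just enough of RFC 5280 (Certificate -> tbsCertificate ->
    [version] serialNumber signature issuer validity) to read the dates.
    A hand-rolled walker, not a full ASN.1 decoder; the stdlib gives no parsed
    fields for a certificate it did not validate.
    """
    tag, cert_body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs, _ = _tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("missing tbsCertificate")
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:   # optional explicit [0] version
        fields = fields[1:]
    validity_tag, validity = fields[3]     # serial, signature, issuer, validity
    if validity_tag != 0x30:
        raise ValueError("missing validity")
    (nb_tag, nb), (na_tag, na) = list(_children(validity))[:2]
    return _parse_time(nb_tag, nb), _parse_time(na_tag, na)


def describe(der: bytes, now: Optional[datetime] = None) -> dict:
    """Summarise one presented certificate: fingerprint and days until expiry."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = validity_from_der(der)
    return {"fingerprint": fingerprint_sha256(der), "not_before": not_before,
            "not_after": not_after, "days_left": (not_after - now).days}


def compare_hops(alb_host: str, instance_host: str, instance_port: int = 443) -> dict:
    """Fetch the cert each hop presents. The ALB serves the ACM cert; the
    instance serves whatever is installed locally. They need not match."""
    alb = describe(peer_cert_der(alb_host))
    inst = describe(peer_cert_der(instance_host, instance_port, sni=alb_host))
    return {"alb": alb, "instance": inst,
            "same_cert": alb["fingerprint"] == inst["fingerprint"]}


if __name__ == "__main__":
    # Assumed names: substitute the ALB DNS name and one target's private address.
    report = compare_hops("my-alb-123456789.us-east-1.elb.amazonaws.com", "10.0.1.23")
    for hop, info in (("ALB (ACM cert)", report["alb"]), ("instance", report["instance"])):
        print(f"{hop}: {info['fingerprint']} expires {info['not_after']:%Y-%m-%d}"
              f" ({info['days_left']} days)")
    print("same certificate on both hops:", report["same_cert"])
```

Because the hops are independent, rotation can be done hop by hop: replace the instance certificates one instance at a time (each instance keeps serving some certificate throughout, so the target group's health checks keep passing and the ALB keeps connecting), and re-import the new certificate into ACM over the existing ARN with `aws acm import-certificate --certificate-arn ...` so the listener picks it up without a listener change. Run the script once before and once after each step; the instance fingerprint should change while client traffic through the ALB is unaffected.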