
View and manage ELB load balancer assets

With an AWS unified connector, you can use DigiCert® Trust Lifecycle Manager to manage certificate deployments for the Elastic Load Balancing (ELB) Application, Network, and Classic load balancer types.

When you add an AWS unified connector in Trust Lifecycle Manager, it discovers supported load balancer types in the linked AWS accounts. It adds the load balancer assets to your centralized Inventory so you can monitor and manage them.

The Trust Lifecycle Manager inventory data includes certificates and unsecured endpoints and identifies the load balancer name and region where they were discovered.

Once the connection is established, you can use Trust Lifecycle Manager to automate lifecycle management and deploy new certificates to your ELB load balancers, issuing the certificates from any of the CAs available in your Trust Lifecycle Manager account.

Supported ELB load balancers

AWS unified connectors support discovery and management of certificates for the following ELB load balancer types.

AWS unified connectors support ALB (Layer 7) load balancers with the following capabilities.

Listener protocols:

  • HTTP

  • HTTPS

Certificate storage:

  • AWS Certificate Manager (ACM)

  • IAM server certificates (older pattern)

  • Up to 25 certificates per ALB listener using SNI

Certificate types:

  • ACM public certificates (RSA, ECDSA)

  • ACM-imported certs (RSA, ECDSA) from any external CA

  • Wildcard and SAN certificates, as long as the DNS name matches

  • SNI for multi-domain hosting on a single listener

Notes:

  • An HTTPS listener must reference an ACM certificate in the same region.

  • Multiple certificates can be attached to the same HTTPS listener for different hostnames using SNI.

  • Cipher preference and security policies are configured via SSL policies on the listener.

AWS unified connectors support NLB (Layer 4) load balancers with the following capabilities.

Listener protocols:

  • TLS/SSL

Certificate storage:

  • AWS Certificate Manager (ACM)

  • IAM server certificates (older pattern)

  • Up to 25 certificates per TLS listener using SNI

Certificate types:

  • ACM public certificates (RSA, ECDSA)

  • ACM-imported certs (RSA, ECDSA) from any external CA

  • Wildcard and SAN certificates

Notes (architectural options):

  • TLS termination at the NLB: the NLB presents the ACM certificate, decrypts traffic, and forwards plain TCP/HTTP to the targets.

  • TLS pass-through (no certificate on the NLB): the listener protocol is TCP and TLS terminates on the targets (for example, NGINX or Apache). Certificates live on the target hosts, not on the NLB, so they are not discovered as NLB assets.

AWS unified connectors support legacy CLB (Layer 4/7) load balancers with the following capabilities.

Listener protocols:

  • HTTPS

  • SSL

Certificate storage:

  • AWS Certificate Manager (ACM)

  • IAM server certificates (older pattern)

Certificate types:

  • ACM public certificates

  • ACM-imported certs from any external CA

  • IAM-uploaded X.509 cert + private key bundles

  • Wildcard and SAN certs

Notes:

  • CLB does not support SNI for multiple certificates per HTTPS listener; it supports only one certificate per HTTPS/SSL listener.

  • CLB does not support installation of new certificates on unsecured ports.

  • Host-based routing must be done elsewhere or via separate load balancers.

View inventory on ELB load balancers

Assets discovered through an AWS unified connector may include certificates found both on ELB load balancers and in AWS Certificate Manager. Use the functions below to load AWS assets into Inventory and identify the load balancer assets.

Connector shortcut links

The connector details page includes shortcut links to load pre-filtered inventory views of assets associated with that connector. Find these shortcut links in the Assets found section of the connector details page. Each link is listed below by asset type, with a description of what it loads:

Managed certificates

Use this shortcut link to load certificates Trust Lifecycle Manager found on ELB load balancers. These certificates are considered "managed" because they're associated with specific endpoints and eligible for managed lifecycle automation in Trust Lifecycle Manager. This category also includes certificates that Trust Lifecycle Manager enrolled and delivered to AWS Certificate Manager using the Admin web request function.

Discovered certificates

Use this shortcut link to load existing certificates Trust Lifecycle Manager found in AWS Certificate Manager that were not enrolled/delivered from Trust Lifecycle Manager.

Unsecured IP/ports

Use this shortcut link to load endpoints Trust Lifecycle Manager found on ELB load balancers that do not currently have certificates installed.

Inventory filters for AWS assets

Use the standard inventory functions in Trust Lifecycle Manager to build and save custom views of your AWS assets. In the Endpoints inventory category, the following filters help identify certificates on ELB load balancers. If a column is not present, use the inventory table settings function to add it. Each filter is listed below by column header, with the filter value(s) to use:

Location

  • Using the Hostname filter, enter the ELB listener ARN (for example, arn:aws:elasticloadbalancing:us-east-1:123456789012:listener/net/my-network-lb/1234567890abcdef/abcdef1234567890:443).

  • Alternatively, use the IP/Port option to filter by specific parts of the listener ARN such as the AWS region (us-east-1) or account ID (123456789012).

Application

Select one of the following values to view assets associated with AWS Certificate Manager or a particular ELB load balancer type:

  • AWS Certificate Manager: AWS Cert Manager

  • AWS Internet-facing Application Load Balancers: AWS Internet-facing App LB

  • AWS Internal Application Load Balancers: AWS Internal App LB

  • AWS Internet-facing Network Load Balancers: AWS Internet-facing Net LB

  • AWS Internal Network Load Balancers: AWS Internal Net LB

  • AWS Internet-facing Classic Load Balancers: AWS Internet-facing Classic LB

  • AWS Internal Classic Load Balancers: AWS Internal Classic LB

Connector

Enter the full or partial Name of the AWS unified connector as shown on the Integrations > Connectors page.
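As an added example (not DigiCert's or AWS's code), the following Python parses a listener ARN of the form shown for the Hostname filter into the region, account and load balancer fields the Location filters use, and then applies the rules from the supported load balancer tables above (no certificate means an unsecured endpoint, ACM certificates must be in the listener's region, at most 25 certificates per listener via SNI) to a listener's certificate list. The trailing ":port" suffix, the protocol names and the sample certificate ARNs are assumptions.

```python
import re

# Listener ARN as the Hostname column shows it. The "listener/<app|net>/..."
# body is the AWS ARN format for ALB/NLB listeners; the trailing ":<port>"
# suffix is assumed to be the inventory's own convention (constructed here).
LISTENER_ARN_RE = re.compile(
    r"^arn:aws:elasticloadbalancing:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"listener/(?P<kind>app|net)/(?P<name>[^/]+)/[0-9a-f]+/[0-9a-f]+:(?P<port>\d+)$"
)
LB_TYPE = {"app": "ALB", "net": "NLB"}
MAX_SNI_CERTS = 25                 # per-listener SNI limit stated for ALB and NLB
SECURE_PROTOCOLS = {"HTTPS", "TLS"}  # assumed protocol names on a secure listener


def parse_listener_arn(arn):
    """Split a listener ARN into the fields the Location filters use."""
    m = LISTENER_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ALB/NLB listener ARN: {arn}")
    info = m.groupdict()
    info["port"] = int(info["port"])
    info["lb_type"] = LB_TYPE[info["kind"]]
    return info


def check_listener(arn, protocol, cert_arns):
    """Return a list of findings for one ALB/NLB listener (empty = clean)."""
    info = parse_listener_arn(arn)
    if not cert_arns:
        return ["unsecured endpoint"]   # what the Unsecured IP/ports link lists
    findings = []
    if protocol not in SECURE_PROTOCOLS:
        findings.append(f"certificate attached to non-TLS protocol {protocol}")
    for cert in cert_arns:
        parts = cert.split(":")   # arn:aws:<service>:<region>:<account>:<resource>
        if len(parts) < 6:
            findings.append(f"malformed certificate ARN: {cert}")
        elif parts[2] == "acm" and parts[3] != info["region"]:
            findings.append(f"ACM certificate in {parts[3]} but listener in {info['region']}")
        elif parts[2] == "iam":
            findings.append(f"IAM server certificate (older pattern): {cert}")
        elif parts[2] != "acm":
            findings.append(f"unsupported certificate store: {cert}")
    if len(cert_arns) > MAX_SNI_CERTS:
        findings.append(f"{len(cert_arns)} certificates exceeds SNI limit of {MAX_SNI_CERTS}")
    return findings
```

Feed it the listener and certificate ARNs exported from your inventory view to spot cross-region or over-limit deployments before attempting automation on them.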

Manage certificates on ELB load balancers

You can manage certificate deployments on ELB load balancers directly from the Trust Lifecycle Manager web console, using the automation functions to enroll and deploy certificates from any of your connected CAs.

To get started, create certificate automation profiles for the issuing CAs and types of certificates to deploy.

Important

Select the DigiCert sensor enrollment method in any certificate profiles you create for managing the certificates deployed on ELB load balancers.

To request and deliver certificates directly to AWS Certificate Manager, select the Admin web request enrollment method in your certificate profiles. Submit the requests using the Admin web request function.