Server Name Indication (SNI) on ALB



You can verify that the name on the certificate matches the site name and that it is the only certificate served. Change the hostname and you'll get a different certificate. Hostnames other than www will use the wildcard certificate, so you'll see an * as the hostname.

This site is hosted behind an Application Load Balancer and is using Server Name Indication (SNI).

This allows it to serve multiple, independent, TLS certificates based on the hostname indicated by clients.

It's a few simple web pages hosted on servers in EC2 running Nginx behind an ALB. The real fun is nothing magical, just changing which certificate is provided based on the hostname you try to connect to.

ALB uses Smart Certificate Selection to choose the best certificate whenever there are multiple matches.

You can use SNI on your ALB today: just add more certificates in the console!


SNI INFO: exampleloadbalancer.com

TLS Certificate for exampleloadbalancer.com:443 (HTTPS):
Serial Number: 04:2b:fe:ea:99:fa:3d:bd:78:da:b1:a9:02:85:f1:d3
Subject: CN=exampleloadbalancer.com
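To run the same check from a client, the added example below (not code from this site) connects once per hostname, sends that hostname as the SNI value, and reports whether the returned certificate covers it by exact name or by wildcard, along with the serial number. The `www.` and `test.` hostnames are sample names chosen for illustration, and the script uses only Python's standard `ssl` module.

```python
import socket
import ssl


def fetch_cert(address, sni, port=443, timeout=5.0):
    """Connect to `address`, send `sni` in the ClientHello, return the leaf cert."""
    ctx = ssl.create_default_context()
    # Keep chain validation on (getpeercert() returns an empty dict without it),
    # but skip the hostname check so a non-matching certificate can be inspected.
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def dns_names(cert):
    """DNS subjectAltName entries of a getpeercert() dict, lowercased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def match_kind(cert, hostname):
    """Return 'exact', 'wildcard' or 'mismatch' for hostname against the cert."""
    host = hostname.lower().rstrip(".")
    names = dns_names(cert)
    if host in names:
        return "exact"
    label, _, parent = host.partition(".")
    # A wildcard covers exactly one left-most label: *.example.com matches
    # a.example.com but neither example.com nor a.b.example.com.
    if label and parent and "*." + parent in names:
        return "wildcard"
    return "mismatch"


def format_serial(cert):
    """Render the serial as colon-separated lowercase hex pairs."""
    s = cert.get("serialNumber", "").lower()
    s = s.zfill(len(s) + len(s) % 2)  # pad to an even number of hex digits
    return ":".join(s[i:i + 2] for i in range(0, len(s), 2))


if __name__ == "__main__":
    lb = "exampleloadbalancer.com"
    for name in (lb, "www." + lb, "test." + lb):  # last two are sample names
        cert = fetch_cert(lb, name)
        print(name, match_kind(cert, name), format_serial(cert), dns_names(cert))
```

A `mismatch` result means the load balancer had no certificate for that SNI value and fell back to another one, which is worth catching before clients see a name error.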
