Dear Team - Wanted to know SSL certificate requirement for below flow. Can someone clarify below for https://www.example.com public domain. 1) The firewall appliances behind the GWLB require Public Certificate of **www.example.com** for performing decryption and deep packet inspection - Is this correct ? 2) Does AWS Application load balancer also require same public certificate or any private certificate to terminate the SSL connection ? . ![Enter image description here](/media/postImages/original/IMx1Dc0oPuS6ytx7UlK-8hIQ)

Very good question and youve got me thinking... 1. Yes. It needs to terminate and decrypt the HTTPs connection otherwise it will not be able to inspect the packets. 2. No. The FW will re-encrypt the packets to the ALB. These are transparent in the path of the client. Just like a transparent proxy server.

Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

SSL certificate for inspection

Dear Team - Wanted to know SSL certificate requirement for below flow. Can someone clarify below for https://www.example.com public domain.

The firewall appliances behind the GWLB require Public Certificate of www.example.com for performing decryption and deep packet inspection - Is this correct ?
Does AWS Application load balancer also require same public certificate or any private certificate to terminate the SSL connection ?

. Enter image description here

Topics

Networking & Content Delivery

Tags

Gateway Load Balancer Application Load Balancer

Language

English

asked 7 months ago119 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Accepted Answer

Very good question and youve got me thinking...

Yes. It needs to terminate and decrypt the HTTPs connection otherwise it will not be able to inspect the packets.
No. The FW will re-encrypt the packets to the ALB. These are transparent in the path of the client. Just like a transparent proxy server.

EXPERT

Gary Mclean

answered 7 months ago

EXPERT

Adeleke Adebowale Julius

reviewed 7 months ago

JD
7 months ago
So for point no -2 --> Are you saying no certificate at all require for ALB to terminate SSL connection ?
Gary Mclean EXPERT
7 months ago
You will still need a valid cert on the ALB which the Firewall trusts for end to end encryption
JD
7 months ago
Thanks, so i assume, it can be any private certificate on ALB works ?

Relevant content

Certificate Manager does not create ssl certificates for .ru domains
Viacheslav Leonov
asked 3 years ago
egress inspection Firewall appliance
Accepted Answer
JD
asked 7 months ago
SSL creation require additional verification to request a certificate for one or more domain names in this request. (.ru domain zone)
Accepted Answer
Sliding
asked 3 years ago
How to Handle 1,000's of SSL Certificates
brianpautsch
asked 2 years ago
Can I associate multiple SSL certificates with my CloudFront distribution?
AWS OFFICIALUpdated 9 months ago
How do I migrate my SSL certificate to the US East (N. Virginia) Region to use with my CloudFront distribution?
AWS OFFICIALUpdated 2 years ago
How do I install a Let's Encrypt SSL certificate in a Bitnami stack that's hosted on Lightsail?
AWS OFFICIALUpdated a year ago
How can I troubleshoot issues with a custom SSL certificate used for my CloudFront distribution?
AWS OFFICIALUpdated 6 months ago
Announcement: RDS/Aurora SSL/TLS Certificates are expiring between May and October 2024
EXPERT
randyyoung
published a year ago
AWS re:Post Live | Amazon RDS SSL Certificate Expiration Campaign
EXPERT
AWS rePost Live
published a year ago