I want to use AWS CloudFormation to associate multiple AWS Certificate Manager (ACM) SSL and TLS certificates with an Application Load Balancer.
Resolution
To add a default SSL or TLS server certificate to a secure listener, use the Certificates property of the AWS::ElasticLoadBalancingV2::Listener resource. That property accepts only one certificate, which becomes the listener's default certificate. To attach further certificates to the same listener, use the AWS::ElasticLoadBalancingV2::ListenerCertificate resource. Its Certificates property accepts a list of certificates, and its ListenerArn property identifies the listener they are added to.
To create an Application Load Balancer listener with one default certificate, use the following CloudFormation template:
HTTPlistener:
  Type: 'AWS::ElasticLoadBalancingV2::Listener'
  DependsOn: ApplicationLoadBalancer
  Properties:
    DefaultActions:
      - Type: fixed-response
        FixedResponseConfig:
          ContentType: text/plain
          MessageBody: Success
          StatusCode: '200'
    LoadBalancerArn: >-
      arn:aws:elasticloadbalancing:Region:AccountID:loadbalancer/app/TestACMELB/1032d48308c9b37f
    Port: '443'
    Protocol: HTTPS
    Certificates:
      - CertificateArn: >-
          arn:aws:acm:Region:AccountID:certificate/cffb8a69-0817-4e04-bfb1-dac7426d6b90
To add more certificates to that Application Load Balancer listener, add the following resource to the same CloudFormation template:
AdditionalCertificates:
  Type: 'AWS::ElasticLoadBalancingV2::ListenerCertificate'
  DependsOn: HTTPlistener
  Properties:
    Certificates:
      - CertificateArn: >-
          arn:aws:acm:Region:AccountID:certificate/c71a3c29-e79d-40e6-8834-650fe0d54a3f
      - CertificateArn: >-
          arn:aws:acm:Region:AccountID:certificate/fff1c1ba-3d97-4735-b3d5-9c5269b75db3
    ListenerArn:
      Ref: HTTPlistener
Note: In the preceding templates, replace Region with your AWS Region and AccountID with your AWS account ID. Also replace the LoadBalancerArn and CertificateArn values with the ARNs of your own Application Load Balancer and ACM certificates.
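The following is an added example (not AWS code and not part of this article) that checks the certificate wiring described above before a stack is deployed. It takes the two snippets combined into one template in CloudFormation's JSON form (a constructed rendering of the YAML shown here, with the article's Region and AccountID placeholders left in place) and verifies that the HTTPS listener declares exactly one default certificate, that every CertificateArn has the shape of an ACM certificate ARN, that each ListenerCertificate resource points at a listener defined in the template, and that no certificate is listed twice. The function names load_template and check_listener_certificates are hypothetical names chosen for this example.

```python
import json
import re

# Constructed JSON rendering of the two YAML snippets in this article, combined into one
# template (CloudFormation accepts JSON as well as YAML). "Region" and "AccountID" are the
# article's own placeholders, kept unchanged.
TEMPLATE_JSON = """
{
  "Resources": {
    "HTTPlistener": {
      "Type": "AWS::ElasticLoadBalancingV2::Listener",
      "DependsOn": "ApplicationLoadBalancer",
      "Properties": {
        "DefaultActions": [
          {"Type": "fixed-response",
           "FixedResponseConfig": {"ContentType": "text/plain",
                                   "MessageBody": "Success", "StatusCode": "200"}}
        ],
        "LoadBalancerArn": "arn:aws:elasticloadbalancing:Region:AccountID:loadbalancer/app/TestACMELB/1032d48308c9b37f",
        "Port": "443",
        "Protocol": "HTTPS",
        "Certificates": [
          {"CertificateArn": "arn:aws:acm:Region:AccountID:certificate/cffb8a69-0817-4e04-bfb1-dac7426d6b90"}
        ]
      }
    },
    "AdditionalCertificates": {
      "Type": "AWS::ElasticLoadBalancingV2::ListenerCertificate",
      "DependsOn": "HTTPlistener",
      "Properties": {
        "Certificates": [
          {"CertificateArn": "arn:aws:acm:Region:AccountID:certificate/c71a3c29-e79d-40e6-8834-650fe0d54a3f"},
          {"CertificateArn": "arn:aws:acm:Region:AccountID:certificate/fff1c1ba-3d97-4735-b3d5-9c5269b75db3"}
        ],
        "ListenerArn": {"Ref": "HTTPlistener"}
      }
    }
  }
}
"""

LISTENER = "AWS::ElasticLoadBalancingV2::Listener"
LISTENER_CERT = "AWS::ElasticLoadBalancingV2::ListenerCertificate"
# Shape of an ACM certificate ARN: arn:aws:acm:<region>:<account>:certificate/<id>
ACM_ARN = re.compile(r"^arn:aws:acm:[^:]+:[^:]+:certificate/[0-9a-f-]+$")


def load_template(text):
    """Parse a JSON-format CloudFormation template into a dict (hypothetical helper)."""
    return json.loads(text)


def check_listener_certificates(template):
    """Return a list of findings; an empty list means the certificate wiring is sound."""
    findings = []
    resources = template.get("Resources", {})
    listeners = {n: r for n, r in resources.items() if r.get("Type") == LISTENER}
    extras = {n: r for n, r in resources.items() if r.get("Type") == LISTENER_CERT}
    seen = {}  # certificate ARN -> resource that first listed it

    def check_arns(name, certs):
        for cert in certs:
            arn = cert.get("CertificateArn", "")
            if not isinstance(arn, str) or not ACM_ARN.match(arn):
                findings.append(f"{name}: CertificateArn is not an ACM certificate ARN: {arn!r}")
            elif arn in seen:
                findings.append(f"{name}: certificate already listed by {seen[arn]}: {arn}")
            else:
                seen[arn] = name

    for name, res in listeners.items():
        props = res.get("Properties", {})
        certs = props.get("Certificates", [])
        if props.get("Protocol") == "HTTPS":
            # The Listener resource itself carries exactly one certificate: the default.
            if len(certs) != 1:
                findings.append(f"{name}: HTTPS listener must declare exactly one default "
                                f"certificate, found {len(certs)}")
        elif certs:
            findings.append(f"{name}: Certificates set on a non-HTTPS listener")
        check_arns(name, certs)

    for name, res in extras.items():
        props = res.get("Properties", {})
        ref = props.get("ListenerArn")
        if isinstance(ref, dict) and "Ref" in ref:
            target = ref["Ref"]
            if target not in listeners:
                findings.append(f"{name}: ListenerArn must Ref a Listener resource in this template")
            elif listeners[target].get("Properties", {}).get("Protocol") != "HTTPS":
                findings.append(f"{name}: extra certificates attached to a non-HTTPS listener")
        elif not (isinstance(ref, str) and ref.startswith("arn:aws:elasticloadbalancing:")):
            findings.append(f"{name}: ListenerArn must be a listener ARN or a Ref to a Listener")
        if not props.get("Certificates"):
            findings.append(f"{name}: Certificates list is empty")
        check_arns(name, props.get("Certificates", []))
    return findings


if __name__ == "__main__":
    for line in check_listener_certificates(load_template(TEMPLATE_JSON)) or ["OK"]:
        print(line)
```

Run against the article's template the checker returns no findings; dropping the listener's Certificates entry, pointing ListenerArn at a resource that does not exist, or repeating the default certificate in the ListenerCertificate list each produces a finding, so the script can sit in a pre-deploy lint step alongside cfn-lint.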