Question 424:
You are working as an AWS consultant for an online grocery store. They are using a two-tier web application with web servers hosted in VPCs in the us-east-1 region and in an on-premises data center. A Network Load Balancer is configured at the front end to distribute traffic between these servers. All traffic between clients and servers is encrypted. They are looking for an alternative solution that terminates the TLS connection on this Network Load Balancer to reduce load on the back-end servers. The store's management team has engaged you to suggest a solution for managing the certificates used for TLS termination. Which of the following is a preferred secure option to provision and store certificates to be used with the Network Load Balancer for terminating TLS?
Answer options:
A. Use multiple certificates per TLS listener; if a hostname provided by a client matches multiple certificates in the certificate list, the load balancer selects all of the certificates.
B. Use TLS tools to generate a new certificate and upload it to AWS Certificate Manager.
C. Use a single certificate per TLS listener provided by AWS Certificate Manager.
D. Use a single certificate with 4096-bit RSA keys for higher security.