To receive encrypted traffic over HTTPS, our ELB must have a server certificate and an associated security policy.
This certificate can be issued by ACM (AWS Certificate Manager) or by any other third-party certificate authority.
Behaviour differs slightly between ALB and NLB:
With ALB, traffic is encrypted from the client to the ELB itself. At that point the secure channel is terminated, and traffic continues to your target group unencrypted.
If we want encryption all the way to our EC2 instance, we need to upload our certificate to our ALB and install another one (this can be self-signed) on our instance. The encrypted channel between client and LB is still terminated, but another encrypted channel is created between the ELB and the instance.
With NLB it is possible to follow this approach, but it is not really necessary: if we just install the certificate at the instance level, the channel is not interrupted at the NLB and traffic passes through the load balancer encrypted end to end.
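The two setups described above, written as a CloudFormation fragment; this is an added example, not configuration from the original notes. The parameter names, logical IDs, and the chosen security policy are assumptions, and the load balancers themselves are assumed to exist already.

```yaml
# Added example: parameter names and logical IDs are assumptions.
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  AlbArn: {Type: String}             # existing Application Load Balancer
  NlbArn: {Type: String}             # existing Network Load Balancer
  AcmCertificateArn: {Type: String}  # issued by ACM or imported from a third-party CA

Resources:
  # ALB: the client's TLS session ends at this listener, so the certificate
  # and the security policy (protocol versions and ciphers) are set here.
  AlbHttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AlbArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref AcmCertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AlbReencryptTargets
  # Protocol: HTTPS opens the second encrypted channel, ALB to instance.
  # With Protocol: HTTP this hop would be plaintext. The instance serves its
  # own certificate; the ALB does not validate it, so self-signed works.
  AlbReencryptTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: HTTPS
      Port: 443
      HealthCheckProtocol: HTTPS

  # NLB: a plain TCP listener carries no certificate. The TLS handshake is
  # completed by the instance, so the channel is never terminated at the LB.
  NlbPassthroughListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref NlbArn
      Port: 443
      Protocol: TCP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref NlbPassthroughTargets
  NlbPassthroughTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: {VpcId: !Ref VpcId, TargetType: instance, Protocol: TCP, Port: 443}
```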