diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
index 1844314e1f560..b72151f81f2f8 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -263,10 +263,14 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
       this.certificateArns.push(first.certificateArn);
     }
 
-    if (additionalCerts.length > 0) {
-      new ApplicationListenerCertificate(this, id, {
+    // Only one certificate can be specified per resource, even though
+    // `certificates` is of type Array
+    for (let i = 0; i < additionalCerts.length; i++) {
+      // ids should look like: `id`, `id2`, `id3` (for backwards-compatibility)
+      const certId = (i > 0) ? `${id}${i + 1}` : id;
+      new ApplicationListenerCertificate(this, certId, {
         listener: this,
-        certificates: additionalCerts,
+        certificates: [additionalCerts[i]],
       });
     }
   }
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
index 3e7b639cb1a8f..b6e379a17e463 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
@@ -143,6 +143,43 @@ describe('tests', () => {
     });
   });
 
+  test('HTTPS listener can add more than two certificates', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+    const lb = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc });
+
+    // WHEN
+    const listener = lb.addListener('Listener', {
+      port: 443,
+      defaultTargetGroups: [
+        new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 }),
+      ],
+      certificates: [
+        elbv2.ListenerCertificate.fromArn('cert1'),
+        elbv2.ListenerCertificate.fromArn('cert2'),
+        elbv2.ListenerCertificate.fromArn('cert3'),
+      ],
+    });
+
+    expect(listener.node.tryFindChild('DefaultCertificates')).toBeDefined();
+    expect(listener.node.tryFindChild('DefaultCertificates2')).toBeDefined();
+    expect(listener.node.tryFindChild('DefaultCertificates3')).not.toBeDefined();
+
+    // THEN
+    expect(stack).toHaveResource('AWS::ElasticLoadBalancingV2::Listener', {
+      Certificates: [{ CertificateArn: 'cert1' }],
+    });
+
+    expect(stack).toHaveResource('AWS::ElasticLoadBalancingV2::ListenerCertificate', {
+      Certificates: [{ CertificateArn: 'cert2' }],
+    });
+
+    expect(stack).toHaveResource('AWS::ElasticLoadBalancingV2::ListenerCertificate', {
+      Certificates: [{ CertificateArn: 'cert3' }],
+    });
+  });
+
   test('Can configure targetType on TargetGroups', () => {
     // GIVEN
     const stack = new cdk.Stack();