Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Update an SSL Certificate for a Load Balancer

If your listeners use the HTTPS or SSL protocol, you might have an SSL server certificate installed on your load balancer. Every SSL certificate has a validity period, and you must replace the certificate after that period ends. To replace it, create and upload a new certificate by following the same steps you used when you created your certificate for the first time. This section describes how to update an SSL certificate for your HTTPS/SSL load balancer. Before you get started, be sure you've done the following:

  • Created a new SSL server certificate to replace the expired server certificate and uploaded it using AWS Identity and Access Management (IAM). For information on how to create and upload an SSL certificate, see SSL Certificate for Elastic Load Balancing.

    All your SSL server certificates are managed by AWS Identity and Access Management (IAM). By default, IAM allows 10 server certificates per AWS account. If you try to upload a new server certificate after reaching this limit, you'll get an error. You can request more certificates using the IAM Limit Increase Contact Us Form.

  • Installed the Elastic Load Balancing tools that you plan to use to perform load balancing tasks. You can update the SSL certificate installed on your HTTPS/SSL load balancer using the AWS Management Console, the Elastic Load Balancing command line interface (CLI), the AWS command line interface, or the Query API. For information on installing the CLI or the Query API, see Setting Up Elastic Load Balancing Interfaces.

The following sections include instructions for updating an SSL certificate using the AWS Management Console, the command line interface (CLI), or the Query API.

Using the AWS Management Console

To update an SSL certificate for an HTTPS load balancer

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the Amazon EC2 console Resources page, in the EC2 Dashboard pane, under NETWORK & SECURITY, click Load Balancers.

  3. On the Load Balancers page, select your load balancer.

  4. The bottom pane displays the details of your load balancer.

  5. Click the Listeners tab.

  6. In the Listeners pane, click Change in the SSL Certificate column of the certificate you want to update.

  7. On the Select Certificate page, select Choose from an existing SSL Certificates if you have already uploaded your SSL certificate using IAM. Click the Certificate Name: dialog box and select your certificate. Click Save.

  8. Or, select Upload a new SSL Certificate if you have an SSL certificate and want to upload it.

    Before you upload, ensure that your certificate meets the criteria described in Upload the Signed Certificate.

    If your certificate does not meet the criteria listed in this step, you might get an error when you upload it. Create a new SSL certificate and upload the certificate using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, see SSL Certificate for Elastic Load Balancing.

    Step through the following instructions to continue uploading your SSL certificate.

    1. Enter the name of the certificate to upload.

    2. Copy and paste the contents of the private key file (PEM-encoded) in the Private Key box.

      Note

      The private key cannot be retrieved after you are finished uploading it.

    3. Copy and paste the contents of the public key certificate file (PEM-encoded) in the Public Key Certificate box.

    4. You can skip this step if you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

      If you are not using a self-signed certificate, copy and paste the contents of the public key certificate chain file (PEM-encoded) in the Certificate Chain box.

      Note

      The certificate chain must be ordered such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.

  9. Click Save.
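
The chain-order rule in step 8 can be checked locally before anything is pasted into the console. The following Python sketch is an added example, not part of the original guide or of any AWS tool: it reads the subject and issuer names from each PEM certificate with a small DER parser and reports where the root-last order is broken. The function names are hypothetical, and the check compares names byte for byte only; it does not verify signatures or validity dates.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_and_issuer(der):
    """Return the raw DER (subject, issuer) Names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)           # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, end = _tlv(der, end)         # serialNumber follows the version
    _, _, pos = _tlv(der, end)             # skip signature AlgorithmIdentifier
    _, _, issuer_end = _tlv(der, pos)
    issuer = der[pos:issuer_end]
    _, _, pos = _tlv(der, issuer_end)      # skip validity
    _, _, subject_end = _tlv(der, pos)
    return der[pos:subject_end], issuer

def check_chain_order(chain_pem, leaf_pem=""):
    """Return a list of problems; an empty list means the root is last.

    chain_pem is the text for the Certificate Chain box. leaf_pem is the
    optional server certificate, checked as the first link when given.
    """
    blobs = PEM_RE.findall(leaf_pem + "\n" + chain_pem)
    if not blobs:
        return ["no PEM certificates found"]
    names = [subject_and_issuer(base64.b64decode(b)) for b in blobs]
    problems = []
    for i in range(len(names) - 1):
        if names[i][1] != names[i + 1][0]:  # issuer must equal next subject
            problems.append(
                f"certificate {i + 1} is not issued by certificate {i + 2}")
    subject, issuer = names[-1]
    if subject != issuer:
        problems.append("last certificate is not self-signed (root must be last)")
    return problems
```

Pass the contents of the chain file as chain_pem; an empty list means each certificate is followed by its issuer and the chain ends at a self-signed root.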

Using the Query API

To update an SSL certificate for an HTTPS load balancer

  1. If you have an SSL certificate and have uploaded it using AWS Identity and Access Management (IAM), use the IAM action GetServerCertificate to get the ARN of the certificate, and then go to step 3.

  2. If you have an SSL certificate and want to upload it, step through the instructions described in Upload the Signed Certificate.

    Make a note of the ARN of the certificate.

  3. Call SetLoadBalancerListenerSSLCertificate to replace the expired certificate with the new one.

    • LoadBalancerName = test-lb

    • LoadBalancerPort = 443

    • SSLCertificateId = arn:aws:iam::322191361670:server-certificate/newCert

Using the Command Line Interface

To update an SSL certificate for an HTTPS load balancer

  1. If you have an SSL certificate and have uploaded it using AWS Identity and Access Management (IAM), use the AWS CLI command get-server-certificate to get the ARN of the certificate, and then go to step 3.

  2. If you have an SSL certificate and want to upload it, step through the instructions described in Upload the Signed Certificate.

    Make a note of the ARN of the certificate.

  3. Enter the command elb-set-lb-listener-ssl-cert with an HTTPS listener, as in the following example.

    PROMPT> elb-set-lb-listener-ssl-cert test-lb --lb-port 443 --cert-id arn:aws:iam::322191361670:server-certificate/newCert
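
The Query API and CLI procedures above perform the same two calls, GetServerCertificate and SetLoadBalancerListenerSSLCertificate. The following Python sketch is an added example, not code from the original guide: it uses the boto3 SDK in place of the Query API and the elb-* tools, refuses a certificate that has already expired, and reads the listener back to confirm the new ARN is in place. The function name rotate_listener_cert is hypothetical, and the clients are passed in by the caller.

```python
from datetime import datetime, timezone

def rotate_listener_cert(iam, elb, lb_name, lb_port, cert_name, now=None):
    """Point the HTTPS listener at cert_name and confirm the change took effect.

    iam and elb are boto3 clients, for example boto3.client("iam") and
    boto3.client("elb"); passing them in keeps credentials out of this code.
    Returns the ARN that the listener now uses.
    """
    now = now or datetime.now(timezone.utc)
    # Step 1: GetServerCertificate returns the ARN and the expiration date.
    meta = iam.get_server_certificate(ServerCertificateName=cert_name)[
        "ServerCertificate"]["ServerCertificateMetadata"]
    if meta["Expiration"] <= now:
        raise ValueError(f"{cert_name} expired on {meta['Expiration']:%Y-%m-%d}")
    # Step 3: SetLoadBalancerListenerSSLCertificate swaps the certificate.
    elb.set_load_balancer_listener_ssl_certificate(
        LoadBalancerName=lb_name, LoadBalancerPort=lb_port,
        SSLCertificateId=meta["Arn"])
    # Read the listener back instead of trusting the call's empty response.
    desc = elb.describe_load_balancers(LoadBalancerNames=[lb_name])
    for item in desc["LoadBalancerDescriptions"][0]["ListenerDescriptions"]:
        listener = item["Listener"]
        if listener["LoadBalancerPort"] == lb_port:
            if listener.get("SSLCertificateId") != meta["Arn"]:
                raise RuntimeError("listener still serves the old certificate")
            return meta["Arn"]
    raise LookupError(f"no listener on port {lb_port}")
```

With the values used on this page, the call is rotate_listener_cert(iam, elb, "test-lb", 443, "newCert").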