Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Update an SSL Certificate for a Load Balancer

If you use the HTTPS/SSL protocol for your listeners, you might have an SSL server certificate installed on your load balancer. Every SSL certificate has a validity period, and you must replace the certificate before that period ends. To replace it, first create a new certificate by following the same steps you used when you created the original. For information on creating a new SSL certificate, see SSL Certificate for Elastic Load Balancing.

All your SSL certificates are managed by the AWS Identity and Access Management (IAM) service. By default, IAM allows 10 server certificates per AWS account. If you try to upload a new server certificate after reaching this limit, you'll get an error. You can request more certificates using the IAM Limit Increase Contact Us Form.

Before you install your SSL certificate on your load balancer, you must first upload your certificate to IAM. You can use the Elastic Load Balancing wizard from the Amazon EC2 console, the upload-server-certificate IAM command, or the UploadServerCertificate IAM action to upload your SSL certificate.

The following sections include instructions for updating an SSL certificate using the AWS Management Console, the AWS command line interface (AWS CLI), or the Query API.

Using the AWS Management Console

To update an SSL certificate for an HTTPS load balancer

  1. Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the Amazon EC2 console Resources page, in the EC2 Dashboard pane, under NETWORK & SECURITY, click Load Balancers.

  3. On the Load Balancers page, select your load balancer.

  4. The bottom pane displays the details of your load balancer.

  5. Click the Listeners tab.

  6. In the Listeners pane, click Change in the SSL Certificate column of the certificate you want to update.

  7. On the Select Certificate page, select Choose from an existing SSL Certificates if you have already uploaded your SSL certificate using IAM. Click the Certificate Name: dialog box and select your certificate. Click Save.

  8. Or, select Upload a new SSL Certificate if you have an SSL certificate and want to upload it.

    Before you upload, ensure that your certificate meets the criteria described in Upload the Signed Certificate.

    If your certificate does not meet the criteria listed in this step, you might get an error when you upload it. Create a new SSL certificate and upload the certificate using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, see SSL Certificate for Elastic Load Balancing.

    Step through the following instructions to continue uploading your SSL certificate.

    1. Enter the name of the certificate to upload.

    2. Copy and paste the contents of the private key file (PEM-encoded) in the Private Key box.

      Note

      The private key cannot be retrieved after you are finished uploading it.

    3. Copy and paste the contents of the public key certificate file (PEM-encoded) in the Public Key Certificate box.

    4. You can skip this step if you are using a self-signed certificate and it's not important that browsers implicitly accept the certificate.

      If you are not using a self-signed certificate, copy and paste the contents of the public key certificate chain file (PEM-encoded) in the Certificate Chain box.

      Note

      The certificate chain must be ordered such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.

  9. Click Save.
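
The chain-order rule in the note above can be checked locally before anything is pasted into the console. The script below is an added example, not part of the original guide; it assumes the openssl command-line tool is installed, and the function names and the file names cert.pem and chain.pem are placeholders.

```shell
#!/bin/sh
# Added example, not from the original guide. Requires the openssl CLI;
# function and file names are this example's own.

# Print one "subject<TAB>issuer" line per certificate, in file order, for
# every PEM file given (server certificate first, then the chain file).
chain_pairs() {  # usage: chain_pairs cert.pem chain.pem
  for f in "$@"; do
    openssl crl2pkcs7 -nocrl -certfile "$f" | openssl pkcs7 -print_certs -noout
  done | awk '/^subject=/ { s = substr($0, 9) }
              /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Read chain_pairs output on stdin and check that every certificate is issued
# by the one that follows it and that the last one is a self-signed root.
# Exit status: 0 in order, 1 broken link or empty input, 2 no root at the end.
chain_in_order() {
  awk -F'\t' '
    NR > 1 && $1 != issuer {
      printf "certificate %d is \"%s\" but certificate %d was issued by \"%s\"\n", NR, $1, NR - 1, issuer
      bad = 1
      exit
    }
    { subject = $1; issuer = $2 }
    END {
      if (bad) exit 1
      if (NR == 0) { print "no certificates found"; exit 1 }
      if (subject != issuer) { print "last certificate is not a self-signed root"; exit 2 }
    }'
}

# Run as: sh check-chain.sh cert.pem chain.pem
if [ $# -gt 0 ]; then
  chain_pairs "$@" | chain_in_order && echo "chain order OK"
fi
```

A non-zero exit status names the first certificate that is out of place, so the chain file can be reordered before the upload is attempted.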

Using the AWS Command Line Interface

Before you get started, make sure that you have installed the AWS CLI tools. For information on installing the CLI, see Use the AWS Command Line Interface.

To update an SSL certificate for an HTTPS load balancer

  1. If you have an SSL certificate and have uploaded it using AWS Identity and Access Management (IAM), use the AWS CLI command get-server-certificate to get the ARN of the certificate, and then go to step 3.

  2. If you have an SSL certificate and want to upload it, step through the instructions described in Upload the Signed Certificate.

    Make a note of the ARN of the certificate.

  3. Enter the set-load-balancer-listener-ssl-certificate command and specify the load balancer port of an HTTPS listener, as in the following example.

    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-test-loadbalancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::012345678901:server-certificate/production/newCert 
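
The three steps above can be scripted so that an already-expired certificate is never attached and the change is confirmed afterwards. This is an added example, not part of the original guide; the function names are its own, and it assumes the AWS CLI prints the certificate's Expiration as an ISO 8601 UTC timestamp.

```shell
#!/bin/sh
# Added example, not from the original guide. Function and argument names are
# this example's own; the aws subcommands are the ones named in the steps above.

# Print the certificate ARN currently attached to listener PORT of load balancer LB.
listener_cert() {  # usage: listener_cert LB PORT
  aws elb describe-load-balancers --load-balancer-names "$1" --output text \
    --query "LoadBalancerDescriptions[0].ListenerDescriptions[?Listener.LoadBalancerPort==\`$2\`].Listener.SSLCertificateId"
}

# Look up an IAM server certificate by name, refuse it if it has already
# expired, attach it to the listener, then confirm the listener reports it.
rotate_listener_cert() {  # usage: rotate_listener_cert LB PORT IAM_CERT_NAME
  lb=$1 port=$2 name=$3
  q=ServerCertificate.ServerCertificateMetadata
  arn=$(aws iam get-server-certificate --server-certificate-name "$name" \
          --query "$q.Arn" --output text) || return 1
  expires=$(aws iam get-server-certificate --server-certificate-name "$name" \
          --query "$q.Expiration" --output text) || return 1

  # Assumption: Expiration is an ISO 8601 UTC timestamp, so its first 19
  # characters compare correctly as plain strings against the current time.
  now=$(date -u +%Y-%m-%dT%H:%M:%S)
  if ! awk -v e="$expires" -v n="$now" 'BEGIN { exit !(substr(e, 1, 19) > n) }'; then
    echo "refusing $arn: expired at $expires" >&2
    return 1
  fi

  before=$(listener_cert "$lb" "$port")
  aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name "$lb" \
    --load-balancer-port "$port" --ssl-certificate-id "$arn" >/dev/null || return 1

  after=$(listener_cert "$lb" "$port")
  if [ "$after" != "$arn" ]; then
    echo "listener $lb:$port still reports $after" >&2
    return 1
  fi
  echo "$lb:$port certificate changed from $before to $arn"
}

# Run as: sh rotate-cert.sh my-test-loadbalancer 443 newCert
if [ $# -eq 3 ]; then
  rotate_listener_cert "$@"
fi
```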

Using the Query API

To update an SSL certificate for an HTTPS load balancer

  1. If you have an SSL certificate and have uploaded it using AWS Identity and Access Management (IAM), use the IAM action GetServerCertificate to get the ARN of the certificate, and then go to step 3.

  2. If you have an SSL certificate and want to upload it, step through the instructions described in Upload the Signed Certificate.

    Make a note of the ARN of the certificate.

  3. Call the SetLoadBalancerListenerSSLCertificate action to replace the expired certificate with the new one using the following parameters:

    • LoadBalancerName = my-test-loadbalancer

    • LoadBalancerPort = 443

    • SSLCertificateId = arn:aws:iam::012345678901:server-certificate/production/newCert