If your listeners use the HTTPS/SSL protocol, an SSL server certificate is installed on your load balancer. That certificate expires and has to be replaced periodically, and sooner if its private key is ever compromised. This section describes how to update the SSL certificate on your HTTPS/SSL load balancer. Before you get started, be sure you've done the following:
Created an HTTPS/SSL load balancer with Elastic Load Balancing. For information on how to set up an HTTPS/SSL load balancer with the AWS Management Console, the command line interface (CLI), or the Query API, see Create a Load Balancer with SSL Cipher Settings and Back-End Server Authentication.
Created a new SSL server certificate to replace the expiring (or expired) server certificate and uploaded it using AWS Identity and Access Management (IAM). For information on how to create and upload an SSL certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.
All your SSL server certificates are managed by AWS Identity and Access Management (IAM). By default, IAM allows 10 server certificates per AWS account; if you try to upload a new server certificate after reaching this limit, you'll get an error. Deleting certificates that are no longer attached to any listener frees up that quota. You can request a higher limit using the IAM Limit Increase Contact Us Form.
Installed the Elastic Load Balancing tools that you plan to use to perform load balancing tasks. You can update your SSL certificate installed on your HTTPS/SSL load balancer using the AWS Management Console, command line interface (CLI), or the Query API. For information on installing the CLI, or the Query API, see Get Set Up with Elastic Load Balancing Interfaces.
If you plan to use the command line interface (CLI), you'll also have to install the AWS Identity and Access Management command line tools. For more information, go to Get the Tools in the AWS Identity and Access Management Getting Started Guide.
For detailed descriptions of the Elastic Load Balancing Query API actions, see Elastic Load Balancing API Reference.
For detailed descriptions of the Elastic Load Balancing commands, see the Elastic Load Balancing Quick Reference Card.
For information on using AWS Identity and Access Management APIs and command line interfaces, go to Using AWS Identity and Access Management.
The following sections include instructions for updating an SSL certificate using the AWS Management Console, the command line interface (CLI), or the Query API.
To update an SSL certificate for an HTTPS load balancer using the AWS Management Console
Sign in to the AWS Management Console and open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the EC2 Dashboard navigation pane, under NETWORK & SECURITY, click Load Balancers.
On the Load Balancers page, select your load balancer.
The bottom pane displays the details of your load balancer.
Click the Listeners tab.
Click Change in the SSL Certificate column for the listener whose certificate you want to update.
On the Configure SSL Certificate page, select Choose from your existing SSL Certificates to use a certificate you have already uploaded, and pick it from the drop-down list.
Or, select Upload a new SSL Certificate if you have a certificate that has not been uploaded yet.
Before you upload, ensure that your certificate meets the following criteria:
Certificates must follow the X.509 PEM format.
The current date must be between the certificate's start (notBefore) and end (notAfter) dates.
The certificate file must contain only a single certificate, and the private key file only a single key.
The private key must match the public key that is in the digital server certificate.
The private key must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY (PKCS#1). A key whose header reads BEGIN PRIVATE KEY is in PKCS#8 format and must be converted first.
The private key cannot be encrypted with a password.
A certificate chain starts with the immediate signing certificate and is then followed by any intermediaries in order. Intermediaries that are not involved in the trust path must not be included. The trusted root certificate can optionally be included as the last certificate.
If your certificate does not meet these criteria, the upload fails with an error. Create a new SSL certificate and upload it using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.
Step through the following instructions to continue uploading your SSL certificate.
Enter the name of the certificate to upload.
Copy and paste the contents of the private key file (PEM-encoded) in the Private Key box.
Copy and paste the contents of the public key certificate file (PEM-encoded) in the Public Key Certificate box.
[Optional] Copy and paste the contents of the public key certificate chain file (PEM-encoded) in the Certificate Chain box.
Note
The certificate chain must be ordered such that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.

Click Save.
To update an SSL certificate for an HTTPS load balancer using the Query API
If you have already uploaded your SSL certificate using AWS Identity and Access Management (IAM), get the Amazon Resource Name (ARN) of that certificate and go to step 3.
If you have an SSL certificate that has not been uploaded yet, step through the following instructions:
Check that your certificate meets the following criteria:
Certificates must follow the X.509 PEM format.
The current date must be between the certificate's start (notBefore) and end (notAfter) dates.
The certificate file must contain only a single certificate, and the private key file only a single key.
The private key must match the public key that is in the digital server certificate.
The private key must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY (PKCS#1). A key whose header reads BEGIN PRIVATE KEY is in PKCS#8 format and must be converted first.
The private key cannot be encrypted with a password.
A certificate chain starts with the immediate signing certificate and is then followed by any intermediaries in order. Intermediaries that are not involved in the trust path must not be included. The trusted root certificate can optionally be included as the last certificate.
If your certificate does not meet these criteria, the upload fails with an error. Create a new SSL certificate and upload it using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.
If your certificate meets the criteria, step through the following instructions to continue uploading your SSL certificate.
Call the AWS Identity and Access Management UploadServerCertificate API with the following parameters:
ServerCertificateName = newCert
Important
Server certificate names are unique within an AWS account, so you cannot reuse the name of the certificate you are replacing. You must use a new name for the ServerCertificateName parameter.
CertificateBody = <encoded certificate body>
PrivateKey = <encoded private key>
CertificateChain = <concatenation of the encoded public key certificates>
Note
CertificateChain is optional. If you use CertificateChain, you must order the certificates so that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.
Path = /
Note
Path is optional. If it is not included, the path defaults to /. For more information about paths, go to Identifiers for IAM Entities in Using AWS Identity and Access Management.
The response includes an Amazon Resource Name (ARN) for your new certificate.
Use this new ARN for the SSLCertificateId parameter in the next step.
Call SetLoadBalancerListenerSSLCertificate to replace the expired certificate with the new one, using the following parameters:
LoadBalancerName = test-lb
LoadBalancerPort = 443
SSLCertificateId = arn:aws:iam::322191361670:server-certificate/newCert
To update an SSL certificate for an HTTPS load balancer using the command line interface (CLI)
If you have already uploaded your SSL certificate using AWS Identity and Access Management (IAM), get the Amazon Resource Name (ARN) of that certificate and go to step 3.
If you have an SSL certificate that has not been uploaded to AWS Identity and Access Management (IAM) yet, step through the following instructions:
Check that your certificate meets the following criteria:
Certificates must follow the X.509 PEM format.
The current date must be between the certificate's start (notBefore) and end (notAfter) dates.
The certificate file must contain only a single certificate, and the private key file only a single key.
The private key must match the public key that is in the digital server certificate.
The private key must be an RSA private key in PEM format, where the PEM header is BEGIN RSA PRIVATE KEY and the footer is END RSA PRIVATE KEY (PKCS#1). A key whose header reads BEGIN PRIVATE KEY is in PKCS#8 format and must be converted first.
The private key cannot be encrypted with a password.
A certificate chain starts with the immediate signing certificate and is then followed by any intermediaries in order. Intermediaries that are not involved in the trust path must not be included. The trusted root certificate can optionally be included as the last certificate.
If your certificate does not meet these criteria, the upload fails with an error. Create a new SSL certificate and upload it using AWS Identity and Access Management (IAM). For instructions on creating and uploading the SSL certificate, go to Creating and Uploading Server Certificates in Using AWS Identity and Access Management.
If your certificate meets the criteria, step through the following instructions to continue uploading your SSL certificate.
Enter the IAM command iam-servercertupload in verbose mode to upload your certificate to the AWS IAM service. Because the -k option reads the unencrypted private key from disk, keep that file readable only by your own user (for example, mode 0600) and remove it once the upload has succeeded.
Important
Server certificate names are unique within an AWS account, so you cannot reuse the name of the certificate you are replacing. You must use a new name for the certificate.
PROMPT> iam-servercertupload -b /tmp/newCert.pem -k /tmp/test-pri-key.pem -s newCert [-c <concatenation of the encoded public key certificates>] -v
Note
-c is optional. If you use -c, you must order the certificates so that the root certificate is the last certificate in the chain. If you use a certificate chain in a different order, you will receive an error.
The response includes the server certificate's Amazon Resource Name (ARN) and GUID. The ARN has the form arn:aws:iam::<account-id>:server-certificate/<certificate-name>, for example:
arn:aws:iam::322191361670:server-certificate/testCertASCACexampleKEZUQ4K
Copy the ARN for the next step.
Enter the command elb-set-lb-listener-ssl-cert with the load balancer name, the port of the HTTPS listener, and the ARN of the new certificate, as in the following example.
PROMPT> elb-set-lb-listener-ssl-cert test-lb --lb-port 443 --cert-id arn:aws:iam::322191361670:server-certificate/newCert
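The upload criteria listed in each of the three procedures above, and the CLI steps that follow them, as an added example that is not part of the AWS documentation: a POSIX shell script that runs every criterion through the openssl CLI before anything is uploaded (PEM format, one certificate per file, validity window, PKCS#1 RSA key without a passphrase, key/certificate modulus match, chain order with the root last, and a signature check of the path), then wraps the documented iam-servercertupload and elb-set-lb-listener-ssl-cert calls, and finally fetches the fingerprint the listener actually serves so you can confirm the rotation took effect. It assumes the openssl CLI (1.0.2 or later) and GNU date are installed, that iam-servercertupload in verbose mode prints the certificate ARN on stdout, and that the two legacy tools are on PATH; the file names, load balancer name and host name are hypothetical.

```shell
#!/bin/sh
# Pre-flight checks and rotation helper for a Classic ELB HTTPS listener.
# Added example, not from the AWS documentation. Assumes POSIX sh, the openssl
# CLI (1.0.2+), GNU date ("date -d"), and, for rotate_elb_cert only, the legacy
# iam-servercertupload / elb-set-lb-listener-ssl-cert tools on PATH.
# File names, the load balancer name and host names are hypothetical.

fail() { printf 'FAIL: %s\n' "$1" >&2; failed=1; }

# check_elb_cert CERT.pem KEY.pem [CHAIN.pem]
# Returns 0 when the files meet the IAM upload criteria, 1 otherwise (every
# failed criterion is reported on stderr, so you can fix them all at once).
check_elb_cert() {
    cert=$1; key=$2; chain=$3; failed=0

    # X.509 in PEM format, and exactly one certificate in the file.
    openssl x509 -in "$cert" -noout 2>/dev/null || fail "$cert is not a PEM-encoded X.509 certificate"
    [ "$(grep -c 'BEGIN CERTIFICATE' "$cert" 2>/dev/null)" = 1 ] || fail "$cert must contain exactly one certificate"

    # Today must fall inside the validity window: -checkend 0 catches an
    # expired certificate, the notBefore comparison a not-yet-valid one.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || fail "certificate has expired"
    nb=$(openssl x509 -in "$cert" -noout -startdate 2>/dev/null | cut -d= -f2)
    nb_epoch=$(date -u -d "$nb" +%s 2>/dev/null) || nb_epoch=
    { [ -n "$nb_epoch" ] && [ "$nb_epoch" -le "$(date -u +%s)" ]; } || fail "certificate is not yet valid (notBefore=$nb)"

    # Private key: PKCS#1 RSA PEM (not the PKCS#8 "BEGIN PRIVATE KEY" form),
    # exactly one key, and no passphrase (an encrypted PKCS#1 key carries a
    # "Proc-Type: 4,ENCRYPTED" header).
    [ "$(head -n 1 "$key" 2>/dev/null | tr -d '\r')" = "-----BEGIN RSA PRIVATE KEY-----" ] \
        || fail "$key must start with BEGIN RSA PRIVATE KEY (convert PKCS#8 with: openssl rsa -in in.pem -out out.pem)"
    [ "$(grep -c 'PRIVATE KEY-----' "$key" 2>/dev/null)" = 2 ] || fail "$key must contain exactly one private key"
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then fail "private key must not be passphrase-protected"; fi

    # The key must belong to the certificate: compare the RSA moduli.
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) || cmod=
    kmod=$(openssl rsa -in "$key" -noout -modulus -passin pass: 2>/dev/null) || kmod=
    { [ -n "$cmod" ] && [ "$cmod" = "$kmod" ]; } || fail "private key does not match the certificate's public key"

    # Optional chain: the leaf's issuer must be the first chain certificate,
    # each certificate must be issued by the next one, nothing unrelated may
    # appear, and the root (if present) comes last. Then verify the signatures
    # along that path with the last chain certificate as the trust anchor.
    if [ -n "$chain" ]; then
        ncerts=$(grep -c 'BEGIN CERTIFICATE' "$chain" 2>/dev/null) || ncerts=0
        if [ "${ncerts:-0}" -lt 1 ]; then
            fail "$chain contains no certificates"
        else
            tmp=$(mktemp -d)
            awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/" sprintf("%02d", n) ".pem")}' "$chain"
            prev=$cert
            for c in "$tmp"/*.pem; do
                issuer=$(openssl x509 -in "$prev" -noout -issuer 2>/dev/null | cut -d= -f2-)
                subject=$(openssl x509 -in "$c" -noout -subject 2>/dev/null | cut -d= -f2-)
                { [ -n "$subject" ] && [ "$issuer" = "$subject" ]; } \
                    || fail "chain out of order: $(basename "$c") did not issue $(basename "$prev")"
                prev=$c
            done
            openssl verify -partial_chain -CAfile "$prev" -untrusted "$chain" "$cert" >/dev/null 2>&1 \
                || fail "signature verification of $cert against $chain failed"
            rm -rf "$tmp"
        fi
    fi
    return "$failed"
}

# rotate_elb_cert LB-NAME NEW-CERT-NAME CERT.pem KEY.pem [CHAIN.pem]
# Runs the checks, uploads under a name not used before (IAM server
# certificate names are unique per account), then points the 443 listener at
# the new ARN. Assumes iam-servercertupload -v prints the ARN on stdout.
rotate_elb_cert() {
    lb=$1; name=$2; cert=$3; key=$4; chain=$5
    check_elb_cert "$cert" "$key" ${chain:+"$chain"} || return 1
    out=$(iam-servercertupload -b "$cert" -k "$key" -s "$name" ${chain:+-c "$chain"} -v) || return 1
    arn=$(printf '%s\n' "$out" | grep -o 'arn:aws:iam::[0-9]*:server-certificate/[^[:space:]]*' | head -n 1)
    [ -n "$arn" ] || { echo "could not find the certificate ARN in the upload output" >&2; return 1; }
    elb-set-lb-listener-ssl-cert "$lb" --lb-port 443 --cert-id "$arn"
}

# file_fingerprint CERT.pem and served_fingerprint HOST [PORT] both return the
# SHA-256 fingerprint (colon-separated hex); they should match once the new
# certificate is live on the listener.
file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
served_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

Typical use is `check_elb_cert newCert.pem test-pri-key.pem chain.pem` on its own first, then `rotate_elb_cert test-lb newCert newCert.pem test-pri-key.pem chain.pem`, and finally `[ "$(served_fingerprint www.example.com)" = "$(file_fingerprint newCert.pem)" ]` to confirm the load balancer presents the new certificate. The chain check deliberately walks subject/issuer pairs in file order rather than relying on openssl verify alone, because verify tolerates any order while the IAM upload does not.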