Elastic Load Balancing
Developer Guide

Replace the SSL Certificate for Your Load Balancer

If you have an HTTPS listener, you deployed an SSL server certificate on your load balancer when you created the listener. Each certificate comes with a validity period. You must ensure that you renew or replace the certificate before its validity period ends.

Certificates provided by AWS Certificate Manager and deployed on your load balancer can be renewed automatically. ACM attempts to renew certificates before they expire. For more information, see Managed Renewal in the AWS Certificate Manager User Guide.

To replace a certificate, you must first create a new certificate by following the same steps you used when you created the current certificate. For more information about creating an SSL certificate and uploading it, see SSL Certificates for Elastic Load Balancing. Then, you can replace the certificate as described in the next sections. Note that replacing a certificate does not affect requests that were received by a load balancer node and are pending routing to a healthy instance, but the new certificate will be used with subsequent requests that are received.

Prerequisites

Verify that your certificate meets the prerequisites.

Replace the SSL Certificate Using the Console

You can replace the certificate deployed on your load balancer with a certificate provided by ACM or a certificate uploaded to IAM.

To replace the SSL certificate for an HTTPS load balancer

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under LOAD BALANCING, click Load Balancers.

  3. Select your load balancer.

  4. In the Listeners tab, click Change in the SSL Certificate column for the certificate.

  5. In the Select Certificate dialog box, do one of the following:

    • If you have a certificate from AWS Certificate Manager, select Choose an existing certificate from AWS Certificate Manager (ACM), select the certificate from ACM Certificate, and then click Save.

      Note

      This option is available only in regions that support AWS Certificate Manager.

    • If you have already uploaded a certificate using IAM, select Choose an existing certificate from AWS Identity and Access Management (IAM), select the certificate from Certificate Name, and then click Save.

    • If you have an SSL certificate to upload, select Upload a new SSL Certificate to AWS Identity and Access Management (IAM). Enter a name for the certificate, copy the required information to the form, and then click Save. Note that the certificate chain is not required if the certificate is a self-signed certificate.

Replace the SSL Certificate Using the AWS CLI

You can replace the certificate deployed on your load balancer with a certificate provided by ACM or a certificate uploaded to IAM.

To replace an SSL certificate with a certificate provided by ACM

  1. Use the following request-certificate command to request a new certificate:

    aws acm request-certificate --domain-name www.example.com

  2. Use the following set-load-balancer-listener-ssl-certificate command to set the certificate:

    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012

To replace an SSL certificate with a certificate uploaded to IAM

  1. If you have an SSL certificate but have not uploaded it, complete the instructions described in Upload the Certificate.

  2. Use the following get-server-certificate command to get the ARN of the certificate:

    aws iam get-server-certificate --server-certificate-name my-new-certificate

  3. Use the following set-load-balancer-listener-ssl-certificate command to set the certificate:

    aws elb set-load-balancer-listener-ssl-certificate --load-balancer-name my-load-balancer --load-balancer-port 443 --ssl-certificate-id arn:aws:iam::123456789012:server-certificate/my-new-certificate
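
Because every certificate has a validity period and only certificates provided by ACM can be renewed automatically, it helps to review listener certificates on a schedule and flag the ones that need replacing. The following script is an added example, not part of the original guide: the function names, the 30-day window, ports 8443 and 9443, and the `my-old-certificate` row are assumptions, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: decide which HTTPS listener certificates need attention.
# Function names, the 30-day window and the sample rows are assumptions.

# Days since 1970-01-01 for YYYY-MM-DD or an ISO 8601 timestamp (pure shell
# arithmetic, so it does not depend on GNU or BSD date options).
days_from_date() {
    dy=${1%%-*}; dr=${1#*-}; dm=${dr%%-*}; dd=${dr#*-}; dd=${dd%%T*}
    dm=${dm#0}; dd=${dd#0}                 # avoid octal parsing of 08, 09
    if [ "$dm" -le 2 ]; then dy=$((dy - 1)); fi
    era=$((dy / 400)); yoe=$((dy - era * 400))
    doy=$(( (153 * ((dm + 9) % 12) + 2) / 5 + dd - 1 ))
    echo $(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
}

# cert_action ARN EXPIRY TODAY WINDOW_DAYS -> "<status> <days-left>"
cert_action() {
    left=$(( $(days_from_date "$2") - $(days_from_date "$3") ))
    if [ "$left" -lt 0 ]; then status=expired
    elif [ "$left" -gt "$4" ]; then status=ok
    else
        case $1 in
            arn:aws:acm:*)  status=verify-acm-renewal ;;  # ACM attempts renewal itself
            arn:aws:iam::*) status=replace ;;             # IAM upload: replace by hand
            *)              status=unknown-arn ;;
        esac
    fi
    echo "$status $left"
}

# Reads "PORT ARN EXPIRY" rows on stdin, prints one verdict per listener.
# Usage: review_listeners TODAY WINDOW_DAYS
review_listeners() {
    while read -r port arn expiry; do
        echo "$port $(cert_action "$arn" "$expiry" "$1" "$2")"
    done
}

# Constructed sample rows. For real rows, take PORT and ARN from
#   aws elb describe-load-balancers --load-balancer-names my-load-balancer
# (Listener.LoadBalancerPort, Listener.SSLCertificateId) and EXPIRY from
#   aws iam get-server-certificate (ServerCertificateMetadata.Expiration).
SAMPLE_ROWS='443 arn:aws:iam::123456789012:server-certificate/my-new-certificate 2030-03-10T12:00:00Z
8443 arn:aws:acm:region:123456789012:certificate/12345678-1234-1234-1234-123456789012 2030-03-10
9443 arn:aws:iam::123456789012:server-certificate/my-old-certificate 2030-01-15'

printf '%s\n' "$SAMPLE_ROWS" | review_listeners 2030-02-20 30
```

A `replace` or `expired` verdict means the listener needs the set-load-balancer-listener-ssl-certificate step shown above; `verify-acm-renewal` means the certificate is inside the window and managed renewal should be confirmed.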